Supplier Risk Management Guide

According to §17 NIS-Law (BGBL I Nr. 111/2018), operators of essential services must also ensure that their suppliers take appropriate technical and organizational security precautions. In the future, this will also apply to many other companies (so-called "operators of important services") with more than 50 employees based on the Europe-wide NIS 2 directive approved in May 2022.

The Austrian NIS authority (Cyber Security Authority) expects several thousand companies to be affected from the sectors (excerpt):

  • Energy
  • Banking & Financial Market Infrastructures
  • Healthcare
  • Digital infrastructure
  • IT Services & Management
  • Public administration
  • Road and rail transport
  • Postal and courier services
  • Aerospace
  • Water Management
  • Waste management
  • Manufacturing, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical equipment, computers, electronic and optical products, electrical equipment, machinery, automobiles, trailers and other transportation equipment)
  • Digital providers (marketplaces, search engines, social networking platforms)
  • Research Organization

This regulation extends far into the SME sector and affects many companies that have not yet implemented structured supplier risk management. To support these businesses, Cyber Trust Services has partnered with the KSV1870 to put together a comprehensive package for operators of essential and important services to make it as easy as possible for them to get started with supplier (risk) management.

The KSV1870 provides all OeS (and future OiS) with free access to its proven supplier management platform, which provides the following functions:

  • Upload of all suppliers to the platform
  • Creation of a web risk rating for all uploaded suppliers
  • Display which of the suppliers already have a Cyber Trust Quality Seal
  • Display which of the suppliers have ISO 27001 certification
  • Option for suppliers without a seal of approval or certification to request a (paid) KSV1870 Cyber Risk Rating
  • Use of the platform for any number of users in the company (e.g. procurement department, security department, etc.)

    You can find more information about the free use of the KSV1870 supplier management platform here.

    In addition to the technical implementation of supplier management, it is also essential to set up an efficient process for supplier risk management, because not every supplier is equally critical and not every supplier requires the same cyber security requirements. Here you can find a blueprint, according to which key points you can design and set up such a supplier risk management process: