NIS2 Supply Chain Security: Why Email Encryption Also Affects Your Suppliers
NIS2 requires secure communication in the supply chain. Learn why email encryption also affects suppliers and how the message portal closes the gap.
4 minNIS2 & Compliance
NIS2 Supply Chain Security: Why Email Encryption Also Affects Your Suppliers
The supply chain is cybersecurity's open flank. NIS2 addresses this directly: §30 para. 2 No. 5 BSIG requires supply chain security – including communication. This has far-reaching consequences for email communication with partners, suppliers, and service providers.
§30 No. 5 BSIG: What Does the Law Say?
Security in the supply chain including security-related aspects of the relationships between individual entities and their direct suppliers or service providers.
Specifically, this means:
- The security of communication channels to partners must be guaranteed
- Suppliers must be evaluated from a security perspective
- Email communication in the supply chain must be encrypted and traceable
Why Email Is the Weakest Link in the Supply Chain
In a typical supply chain, sensitive data flows via email:
- Quotes and contracts with confidential terms
- Technical specifications and engineering drawings
- Invoices and payment data (target of BEC attacks)
- Access credentials for systems and portals
- Personal data (GDPR-relevant)
The problem: Many suppliers – especially SMEs – have no encryption infrastructure of their own. Emails are sent unencrypted and can be intercepted in transit.
Non-NIS2 Companies Are Also Indirectly Affected
A common misconception: "We have fewer than 50 employees, NIS2 doesn't apply to us."
Wrong. NIS2-affected companies are required to assess their supply chain security. This means:
- Customers may require security evidence for email communication
- Contracts may contain encryption obligations
- In the event of an incident at the supplier, the NIS2-affected company is still liable
Bottom line: If your customers fall under NIS2, you as a supplier are de facto co-regulated.
The Core Problem: Encryption Requires Infrastructure on Both Sides
Classic email encryption with S/MIME or PGP only works when both sides have the infrastructure:
- The sender needs a certificate or key
- The recipient also needs a certificate or key
- Keys must be exchanged and kept up to date
In practice, this fails for most supplier relationships. The result: Emails are sent unencrypted despite NIS2 obligations.
More articles
The latest posts from our blog.
5 minIT Security / Email
Email Security Gateway: The Complete Guide for Businesses 2026
An Email Security Gateway is the central line of defense for business email communication. This guide explains how it works, what threats it blocks, and why it is essential for NIS2 and GDPR…
3 minIT Security / Comparison
Email Security Gateway Comparison 2026: What Really Matters
Choosing the right Email Security Gateway is critical for business communication security. This comparison shows the most important criteria and typical pitfalls.
