NIS2 Supply Chain Security: Why Email Encryption Also Affects Your Suppliers
NIS2 requires secure communication in the supply chain. Learn why email encryption also affects suppliers and how the message portal closes the gap.
2 minNIS2 & Compliance
NIS2 Supply Chain Security: Why Email Encryption Also Affects Your Suppliers
The supply chain is cybersecurity's open flank. NIS2 addresses this directly: §30 para. 2 No. 5 BSIG requires supply chain security – including communication. This has far-reaching consequences for email communication with partners, suppliers, and service providers.
§30 No. 5 BSIG: What Does the Law Say?
Security in the supply chain including security-related aspects of the relationships between individual entities and their direct suppliers or service providers.
Specifically, this means:
- The security of communication channels to partners must be guaranteed
- Suppliers must be evaluated from a security perspective
- Email communication in the supply chain must be encrypted and traceable
Why Email Is the Weakest Link in the Supply Chain
In a typical supply chain, sensitive data flows via email:
- Quotes and contracts with confidential terms
- Technical specifications and engineering drawings
- Invoices and payment data (target of BEC attacks)
- Access credentials for systems and portals
- Personal data (GDPR-relevant)
The problem: Many suppliers – especially SMEs – have no encryption infrastructure of their own. Emails are sent unencrypted and can be intercepted in transit.
Non-NIS2 Companies Are Also Indirectly Affected
A common misconception: "We have fewer than 50 employees, NIS2 doesn't apply to us."
Wrong. NIS2-affected companies are required to assess their supply chain security. This means:
- Customers may require security evidence for email communication
- Contracts may contain encryption obligations
- In the event of an incident at the supplier, the NIS2-affected company is still liable
Bottom line: If your customers fall under NIS2, you as a supplier are de facto co-regulated.
The Core Problem: Encryption Requires Infrastructure on Both Sides
Classic email encryption with S/MIME or PGP only works when both sides have the infrastructure:
- The sender needs a certificate or key
- The recipient also needs a certificate or key
- Keys must be exchanged and kept up to date
In practice, this fails for most supplier relationships. The result: Emails are sent unencrypted despite NIS2 obligations.
Weitere Artikel
Die neuesten Beiträge aus unserem Blog.
2 minIT-Sicherheit / Best Practices
Secure Email Gateway: 10 Best Practices für die Einrichtung
Die richtige Konfiguration eines Secure Email Gateways entscheidet über Sicherheit und Nutzererfahrung. Diese 10 Best Practices helfen IT-Teams bei der optimalen Einrichtung.
2 minIT-Sicherheit / Vergleich
Email Security Gateway Vergleich 2026: Worauf es wirklich ankommt
Die Auswahl des richtigen Email Security Gateways ist entscheidend für die Sicherheit der Unternehmenskommunikation. Dieser Vergleich zeigt die wichtigsten Kriterien und typische Fallstricke.
