---
title: "Do you supply EU customers in vital sectors?"
language: en
proposition: advisory
audience:
  - msp
channels:
  - linkedin
linkedin-account: personal
content-type:
  - post
status: draft
notetype: publication
isotags: []
tags: []
---

**Do you supply EU customers in vital sectors? They will send you this checklist.**

The EU Cybersecurity Act (NIS2) is now being implemented across member states of the European Union. One of its core requirements: supply chain responsibility. Organizations that fall under the law are legally obligated to assess the security posture of their suppliers — and to contractually enforce minimum standards.

That means if you supply to organizations in sectors that have been marked 'essential' or 'important' — like energy, healthcare, manufacturing, food, B2B IT services and cloud computing — your customers will be asking you to demonstrate that your information security is in order. Not as a choice, but because the law requires them to. (Full list of sectors [here](../../../../Corpus/Standards/NIS%202%20Cbw/NIS%202%20Scope.md).)

They will check for the minimum measures listed in Art. 21(2):

- risk analysis, incident response procedures, and business continuity plans, covering cyber scenarios;
- management of the effectiveness of cybersecurity measures;
- supply chain security and security in network and information systems acquisition;
- training of personnel and HR security;
- access control policies and asset management;
- cryptography, encryption, and the use of multi-factor authentication.

You don't need to be certified. But you do need to be able to answer these questions — on paper, not just in your head.

Have your answers ready! You can find an interactive checklist [on our site](https://iso27diy.com/assets/nis2-checklist.html).

If the checklist raises any questions on how to continue, I'm happy to spend an hour with you.