How can you strengthen the security of your supply chain? EU legislation in the form of NIS2 and DORA brings this question to the fore. For answers, we turn to Stratsys GRC expert Max Kollberg and cybersecurity expert Mina Nadjafi, founder of Intil. They propose a holistic approach where work is automated.
The issue of cybersecurity is higher on the agenda than ever before in both the public sector and among companies of all sizes. The tightening of EU legislation in the form of NIS2 and DORA is proof of this. It is a response to the challenges and threats facing large parts of society.
NIS2 - Network and Information Security Directive
NIS2 is the new EU legislation on cybersecurity. It is an update and expansion of the previous NIS Directive from 2016. The purpose of NIS2 is to raise the level of cybersecurity within the EU and protect essential societal infrastructure against digital threats.
A key difference compared to the first NIS Directive is that more sectors and businesses are covered - mainly medium and large enterprises. Covered businesses must take technical and organizational measures, and a 24-hour deadline is introduced for the initial report of an IT incident. In addition, an incident report must be submitted within 72 hours and a final report after one month. Furthermore, sanctions, including heavy fines, are introduced for those who fail to comply. Management is explicitly responsible for NIS2 compliance, making cybersecurity a strategic and legal issue at the highest level.
In Sweden, the new Cybersecurity Act is expected to enter into force in 2025 at the earliest. During the transition period, the current NIS Act applies, but it should be interpreted in light of the NIS2 Directive. This means that companies should prepare for the new requirements, even if they are not yet fully implemented.
DORA - Digital Operational Resilience Act
DORA is an EU regulation that aims to strengthen digital resilience in the financial sector. It entered into force on January 16, 2023 and will apply from January 17, 2025.
The introduction of DORA aims to ensure that financial actors are able to manage, resist and recover from IT incidents. This applies regardless of whether they are outright cyberattacks, technical failures or third-party issues. Almost all financial actors are covered by DORA - including banks, payment institutions, fintech companies, insurance companies, pension funds, and other financial actors.
DORA requirements include robust systems and processes, reporting, regular digital resilience testing, clear governance and risk management, and crisis and recovery plans.
NIS2 and DORA Fill a Clear Need
There is a reason why cybersecurity is such a political priority. Cybercrime is increasing dramatically against all sizes and types of organizations. This is particularly true of cyber attacks via suppliers. The consequences are all the more serious if we consider how dependent all parts of society have become on digital systems.
Max Kollberg is GRC Lead at Stratsys. According to him, legislation like NIS2 fills a clear need:
- In the last decade, we can see that cybercrime is increasing dramatically. It exposes vulnerabilities in companies and organizations of all sizes. Many lack the resources or framework to actually address the growing threats. And this is where NIS2 fills a clear gap by introducing a uniform standard.
Max points to a number of reasons for turning the spotlight on the issue of cybersecurity:
- Digital supply chains account for nearly two-thirds of organizations' revenue.
- 45% of all organizations worldwide have suffered attacks against digital supply chains in 2025.
- Less than a third of organizations prioritize investments in secure, connected supply chain ecosystems.
Max Kollberg, GRC Lead, Stratsys
Three Types of Supply Chain Attacks
So what are the most common supply chain attack methods and how has the threat landscape changed? What are the threats that legislations like NIS2 and DORA aim to address?
Mina Nadjafi is one of the founders of the risk and cybersecurity company Intil, which specializes in external threats. In collaboration with Stratsys, the company has carried out a project commissioned by MSB, the Swedish Civil Contingencies Agency. Using a holistic approach, both internal and external threats have been assessed.
- We are seeing a wide range of cyber threats and attack methods. These include everything from malware and DDoS attacks to phishing, with supply chains also being exploited. A worrying trend is that attackers deliberately gain access to the primary target through interconnected and more vulnerable suppliers — they use the 'bathroom window' instead of the front door to establish long-term access and avoid detection, says Mina.
Cybersecurity threats come from states, cybercriminals, and hacktivists. According to Mina, the attacks can be divided into three main types:
- Attacks on software. Attacks on the source code of a vendor's software, where the attacker inserts malicious code into a trusted application. It can also occur when an update server is compromised, where the attacker replaces a legitimate library with their own.
- Attacks on hardware. Compromising physical devices such as USB sticks, phones, tablets and even keyboards, in order to create backdoors in the hardware. The intention is to infect the devices at an early stage and then create a gateway to a larger network system.
- Firmware attacks. Malicious code in the boot code, where the malware runs after the computer has started up, putting the entire system at risk. These attacks are often fast, dangerous, and frequently go undetected.
Mina Nadjafi, Co-founder, Intil
Taking on Supply Chain Security
As an operator, you hopefully already have a basic understanding of the regulations you are subject to, whether it is NIS2 or DORA. That understanding is a good starting point for working on supply chain security:
- Map the legislation. Which legislation(s) are you affected by?
- Conduct a gap analysis. What processes and resources are in place and what is missing?
- Create an action plan. What needs to be done and what should be prioritized?
- Collaboration needs. Define how the departments within the organization will work together to achieve the objectives.
Stricter Requirements Linked to NIS2 and DORA
The consequences for organizations that lack transparency and control can be significant. The new legislation, in the form of NIS2 and DORA, increases the requirements for cybersecurity, risk management and accountability throughout the supply chain. This is particularly true for issues related to accountability, risk assessment and compliance.
So, how should you think as an information security, risk, compliance or supplier management professional? Is supplier self-assessment sufficient to create secure supply chains?
The short answer is that it takes more, according to Max:
- It requires a holistic approach where both external vulnerabilities and risks are independently assessed, while internal processes and structures are reviewed and monitored through targeted questions.
The approach involves several different elements. Max describes three elements that all work together to address the issues more proactively:
- These are an overview of actual risks in the supply chain, benchmarking and analysis, and effective and time-saving solutions. In this way, self-assessment submitted by the supplier can be combined with an analysis of vulnerabilities. The aim is to enable proactive management of cybersecurity risks.
The Key to an Effective Due Diligence Process
An effective due diligence process helps create continuity and consistency in the work. By combining various tools, it is possible to scale up efforts, according to Mina:
- By working with both measurements and self-assessments, it is possible to handle a larger number of suppliers. This makes it possible to prioritize resources and follow up on suppliers who get too low a score. It becomes a way to plan work more effectively in the organization.
The process can be likened to a funnel: initial screening and risk analysis identify non-conformities, which are then followed up with further action, both self-assessment and inspections. One key is the ability to automate the work, Max says:
- To be able to work proactively with cyber risks while ensuring compliance with NIS2 and DORA, it makes sense to automate the processes, especially vendor due diligence. This applies to new suppliers, but for continuity, it is something that should be done throughout the contract period. After all, we all live in a digital ecosystem that is constantly changing and evolving.
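The funnel described above, written out as an added example that is not Stratsys or Intil code: each supplier's self-assessment answers are combined with an independent external measurement into one score, suppliers are triaged into follow-up or inspection when they score too low, and a good score that has gone stale during the contract period is flagged for re-screening. The weights, thresholds, review interval and sample suppliers are assumptions made for the illustration.

```python
"""Supplier due-diligence funnel: self-assessment plus independent external measurement,
scored and triaged. Added illustration, not Stratsys/Intil code; all values are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
WEIGHT_EXTERNAL, WEIGHT_SELF = 0.6, 0.4  # assumed: measurement outweighs self-report
FOLLOW_UP_THRESHOLD = 70     # below this: targeted questions to the supplier
INSPECTION_THRESHOLD = 50    # below this: schedule an inspection
REVIEW_INTERVAL = timedelta(days=90)  # re-screen throughout the contract period
TODAY = date(2025, 4, 1)     # constructed "today" for the sample run

@dataclass
class Supplier:
    name: str
    self_assessment: dict  # control -> True if the supplier reports it in place
    external_score: int    # 0-100 from an outside-in vulnerability measurement
    last_reviewed: date

def self_assessment_score(answers: dict) -> float:
    """Share of controls reported as in place, scaled to 0-100."""
    if not answers:
        return 0.0
    return 100.0 * sum(1 for ok in answers.values() if ok) / len(answers)

def combined_score(s: Supplier) -> float:
    return round(WEIGHT_EXTERNAL * s.external_score
                 + WEIGHT_SELF * self_assessment_score(s.self_assessment), 1)

def triage(s: Supplier, today: date = TODAY) -> str:
    """Funnel stage: 'inspection', 'follow-up', 're-screen' or 'ok'."""
    score = combined_score(s)
    if score < INSPECTION_THRESHOLD:
        return "inspection"
    if score < FOLLOW_UP_THRESHOLD:
        return "follow-up"
    if today - s.last_reviewed > REVIEW_INTERVAL:  # good score, but stale
        return "re-screen"
    return "ok"

def prioritize(suppliers, today: date = TODAY):
    """Lowest combined score first, so limited resources go to the weakest."""
    rows = [(s.name, combined_score(s), triage(s, today)) for s in suppliers]
    return sorted(rows, key=lambda row: row[1])

SUPPLIERS = [  # constructed sample data
    Supplier("alpha-hosting", {"mfa": True, "patching": True, "ir_plan": True}, 82, date(2025, 3, 1)),
    Supplier("beta-payroll", {"mfa": True, "patching": False, "ir_plan": True}, 55, date(2025, 1, 10)),
    Supplier("gamma-iot", {"mfa": False, "patching": False, "ir_plan": False}, 40, date(2024, 12, 1)),
    Supplier("delta-printing", {"mfa": True, "patching": True, "ir_plan": True}, 90, date(2024, 11, 15)),
]
```

Calling `prioritize(SUPPLIERS)` returns the suppliers ordered from weakest to strongest with their funnel stage, so the inspection and follow-up cases surface first.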
Want to learn more about how Stratsys can help your organization meet the requirements?