<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2233467260228916&amp;ev=PageView&amp;noscript=1">

NIS2: IT contracts and continuity plans

Daniel Andersson Senior Information Security Consultant, Cegal Sweden. Daniel has extensive experience in information security and is a Certified Information Security Manager (CISM) as well as a certified Cybersecurity Practitioner (CSX-P). With a background in both technology and leadership, Daniel has a broad view of today's challenges and their various solutions.
05/15/2024 |

Many companies depend on their suppliers to keep their operations running smoothly. Any interruptions in supplier deliveries can have a profound impact on your business. It is crucial for your suppliers to offer immediate assistance during such critical moments.

Many critical IT systems for businesses are now outsourced entirely or partially to external parties, either through traditional outsourcing or cloud services. Considering this aspect is crucial in developing continuity plans.

NIS2 Directive - Supplier requirements?

The NIS2 Directive (2022/2555) outlines the requirements for continuity management in Article 21, addressing aspects such as operational continuity in point 2c and security in the supply chain in point 2d.

"2c) operational continuity, such as managing backups and disaster recovery, and crisis management, 

2d) security in the supply chain, including security aspects related to the connections between each entity and its direct suppliers or service providers,"

Meeting the requirements of NIS2 emphasizes the importance of supplier management, including the handling of continuity plans and crisis management. As a provider of essential services, it is crucial for you to establish the right standards with your suppliers to secure the entire supply chain necessary to deliver the critical service.

Is your IT provider supporting you during a crisis?

It might not seem like a question that needs to be asked, but understanding that your IT provider serves multiple clients beyond just your company is crucial to grasp their business model. In the event of a significant disruption affecting multiple clients, the provider may need to prioritize accordingly.

It is also essential for the provider to comprehend the responsibilities outlined in NIS2 to ensure the right prioritization for your operations.

Agree on disaster recovery 

An essential component to include in IT agreements is the technical recovery capability that the provider should deliver. This encompasses both the recovery time objective (RTO) and recovery point objective (RPO), as well as incorporating how collaboration and communication will function during a crisis.

An agreement cannot cover all possible scenarios, as there will always be risks of unexpected events that are of such nature that they could not have been predicted, making it challenging to work out technical requirements to recover. This could include major natural disasters affecting both primary and secondary operational facilities.

Prioritize together with your supplier 

Your IT provider often lacks insight into your most critical business processes and the necessary technical capabilities to support them. Therefore, it is crucial to establish alignment on prioritization when a recovery needs to be executed. This alignment should be done well in advance of any crisis and documented thoroughly by both parties. It is also essential to update priorities based on changes in business processes and/or IT environment.

Who determines when a crisis has occurred?

It is also crucial to have a clear understanding of what constitutes a crisis, with explicitly defined definitions. Otherwise, there is a risk that a crisis for your company may be perceived as a manageable incident by your supplier, leading to the improper activation of processes for a controlled and effective return to normal operations.

Can you handle a crisis without your IT provider?

When establishing your business continuity plan (BCP), it is advisable to identify alternative recovery plans for the most critical processes that can be executed independently of your IT provider, either as a temporary or permanent solution. Such plans may sometimes require the inclusion of provisions in the agreement with your IT provider. This effort may reveal that there are no alternative options available, which should be duly noted as a risk in your company's risk register and addressed if necessary.

Confirm that the continuity plan is effective

It is crucial to make sure that your supplier conducts relevant tests and exercises in line with the agreed-upon recovery protocols. Your crisis drills and continuity plans should ideally involve your critical IT providers to some degree, whether through full integration in drills or consultation before and during the exercises.

Cegal offers expertise in BCP and DR solutions

Cegal offers consultants with extensive experience in continuity planning who can assist in various stages, whether supporting the creation of plans, reviewing existing plans, or conducting crisis drills.

Additionally, Cegal provides database services and restore testing outside of your IT environment. Specializing in hybrid cloud solutions, setting up and managing critical business solutions, and monitoring databases, Cegal has a wealth of experience in high-availability environments. Whether for small or large clients, Cegal helps find the right solution at the right price.


Would you like to talk to us about NIS2? We are ready to help you!

Related articles

Database and Data Capital Managed Services
Editorial staff Cegal want to build a stellar nextgen...
NIS2 - Are you ready to survive a crisis?
Daniel Andersson Senior Information Security Consultant,...
Cloud Digitalization
How to succeed with your cloud strategy
Ommund Øvrelid Principal Solution architect at Cegal.