Supply Chain Security
LEGAL BASIS
§30(2) No. 4 BSIG – Supply chain security including security-related aspects of the relationships between entities and their direct suppliers or service providers
Vendor Overview
| Category | Examples | Risk Assessment |
|---|---|---|
| Infrastructure | Hetzner, Netcup (hosting, servers) | High – availability: all hosted services depend on the provider |
| Cloud services | Object storage, DNS | High – confidentiality of stored data; integrity and availability of name resolution |
| Software suppliers | Third-party libraries, SaaS | Medium – integrity of code and dependencies |
| Support partners | Maintenance, consulting | Low – limited, scoped access |
Assessment Criteria
| Criterion | Description |
|---|---|
| Security certifications | ISO 27001, SOC 2, BSI C5 or equivalent |
| Location / jurisdiction | EU jurisdiction preferred; transfers to third countries only with appropriate safeguards (e.g. standard contractual clauses) |
| Incident response capability | Documented process, reporting timelines compatible with §32 BSIG |
| Contract design | Security requirements, audit rights, termination clauses |
| Subcontractors | Disclosure of subcontractors and sub-processors, including notification of changes |
Contractual Security Requirements
Contracts with service providers include:
- Minimum information security requirements
- Obligation to report security incidents without undue delay, so that the entity can meet its own §32 BSIG reporting deadlines
- Audit and inspection rights
- Data retention and deletion provisions
- Exit strategy and data repatriation
Review Cycle
| Activity | Interval |
|---|---|
| Re-assessment of critical providers | Annually |
| Contract review | On renewal / change |
| Event-driven review | On security incident or material change |
CRA Synergy
Software supply chain management (SBOM, signing, dependency policy) is described in the CRA Supply Chain Documentation. This NIS2 document supplements it with the assessment of IT service providers and infrastructure vendors.