Supply Chain Protection Is No Longer a Recommendation – It Is a Legal Obligation
We have entered a new era in which cybersecurity is no longer seen as a technical challenge that belongs exclusively to the IT department. It is becoming increasingly clear that this is a business and strategic issue – a question of continuity, trust, and, more recently, legal responsibility.
The Cybersecurity Act and the related Regulation, which are now in force, have introduced significant changes to the way in which essential and important entities must manage the security of their digital systems. Among the most important, and at the same time the most demanding, novelties is the obligation to establish measures for the security of the supply chain. In other words, organizations can no longer look only at themselves. They are also obliged by law to look at all those who provide them with services: software providers, cloud providers, development partners, outsourcing companies, managed services, telecom services, and the infrastructure they share with others... in a word, everyone who has contact with their information, network and data infrastructure.
However, if we look at current practice, the impression is that many organizations are not yet ready for this change. Supply chains continue to be treated as "someone else's reality". At best, security is checked once when concluding a contract, if at all. Many contracts with key digital vendors do not even have basic clauses on incident notification, audit rights, or service interruption liabilities. Even more often, there is no clear internal policy on who manages these relationships at all – the legal department, IT, procurement, or someone else?
In reality, attacks through suppliers are becoming more sophisticated and more frequent. Global incidents such as SolarWinds, Kaseya, Log4j, or ZX have shown how much damage can be caused if just one external entity becomes a source of vulnerability. In such cases, organizations that have entrusted key parts of their business to third parties are often left without information, without control, and without legal support.
That is why the legislator no longer leaves the security of the supply chain to the goodwill of organizations. Croatian law – harmonized with the European NIS2 directive – prescribes clear obligations. Essential and important entities must keep a register of ICT suppliers, categorize them according to their level of criticality, conduct security risk assessments both during contracting and throughout the use of the services, write security requirements and mechanisms into contracts, establish supervision and regular assessments, and ensure security during system development, all under the supervision of management.
What this law changes most is perhaps not the technical aspect, but management. Responsibility is explicitly placed on the governing bodies – members of the management board, directors, and heads of organizational units. There is no more room for downward delegation. Words like "I didn't know" or "that was done by IT" are no longer a defense – they are a sign of a failure to fulfill a legal obligation.
However, the law does not require management boards to know all the technical details of security protocols. What it requires is that they set up a clear system: policies, responsible persons, and assessment and monitoring procedures – and that they regularly monitor its implementation. Security in the supply chain must be part of regular reports, strategies, and decisions at the highest level, with security a regular agenda item at board meetings at least once every six months.
It's not just about avoiding penalties. It is about the ability of an organization to respond to increasingly complex threats while maintaining stability, customer trust, and operational efficiency. At a time when more and more businesses rely on external partners, the security of these relationships is becoming a key point of resilience.
So, how do we respond concretely to the requirements of the law?
The first step is identification: who are all the suppliers of key digital services for your business? Which of them have access to data, systems, and key functions? The second step is categorization: which of them are business-critical or security-critical for you? Next comes assessment: do you have tools and questionnaires with which you can request insight into their security controls? After that comes contracting: do your contracts contain the clauses required by law, such as the obligation to notify incidents, audit rights, and the treatment of subcontractors? Then management: do you have a clear process, responsible persons, and a plan for monitoring these suppliers? Finally, the key part is implementation of all of the above, i.e., how, in what way, and how regularly you actually carry out assessments and reviews with your suppliers, because otherwise everything comes down to a dead letter on paper.
If any of these steps sound unfamiliar or partially resolved to you, you are not alone. Many organizations are just at the beginning of this process. But it is important to know – this is no longer a matter of goodwill, but a legal obligation.
The role of individuals within organizations is just as important as the organization itself. Heads of the legal department need to identify the missing clauses. CIOs need to have a clear understanding of exactly what systems and data vendors have access to. Development managers must incorporate security controls into their processes. And risk managers need to know which suppliers need to be monitored daily and which ones need to be monitored periodically.
The issue of supply chain security is no longer a question of whether something can happen. It can, and it already is happening. The real question is: will your organization have control, legal protection, and the readiness to respond – or will it be exposed, without shelter and without support?
The law offers a framework, but also an obligation. And like any law that comes from the regulation of high-risk areas – its purpose is not only to protect the system but to protect trust. The trust of customers, the market, and society as a whole. And this is a responsibility that starts with each individual who makes decisions.
If all of this is new to you, that's fine. The important thing is that it is no longer unknown to you six months from now.