LibTracker

NIS2 Ready

NIS2 Directive: Secure your software supply chain

Supplier security, vulnerability management, fines up to 10 million euros

The European NIS2 directive requires essential and important entities to secure their software supply chain, including third-party components.

NIS2 Directive Timeline

December 14, 2022

NIS2 Adoption

Publication in the EU Official Journal as Directive (EU) 2022/2555

January 16, 2023

Entry into Force

The directive officially enters into force

October 17, 2024

National Transposition

Deadline for transposition into Member States' law

2025 and beyond

Enforcement and Sanctions

Progressive enforcement by national authorities

Who is affected by NIS2?

18 essential and important sectors

Essential entities

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, maritime, road)
  • Banking and financial market infrastructures
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, cloud, data centers)
  • Public administration
  • Space

Important entities

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food industry
  • Manufacturing (medical devices, electronics, machinery)
  • Digital services (marketplaces, search engines, social networks)
  • Research

NIS2 Requirements for Software Supply Chain

What the directive mandates

Component Inventory

Know and document third-party software components

  • Complete mapping of direct and transitive dependencies
  • Documentation of versions in use
  • Traceability of component origins

Vulnerability Management

Detect and fix security flaws

  • Continuous monitoring of known vulnerabilities (CVE)
  • Fast remediation process for critical flaws
  • Documentation of measures taken

Supplier Security

Evaluate and monitor your providers

  • Due diligence on critical suppliers
  • Contractual security requirements
  • Regular review of security practices

Incident Reporting

Notify authorities in the event of an incident

  • Early warning within 24 hours
  • Full notification within 72 hours
  • Final report within one month of the incident

How LibTracker Helps You with NIS2

Your technical building block for supply chain compliance

What LibTracker covers

  • Automatic inventory of all your dependencies (SBOM)
  • Real-time CVE monitoring with alerts
  • Audit history for your certifications
  • SBOM export in standard formats (SPDX, CycloneDX)
  • Documentation of your software supply chain

What LibTracker does not cover

NIS2 is an organizational directive. LibTracker is a technical tool that does not replace:

  • Overall governance and risk analysis
  • Organizational incident management
  • Business continuity and recovery plans
  • Staff training and awareness
  • Non-software supplier audits

Risks of NIS2 Non-Compliance

Significant sanctions for organizations

Financial Sanctions

Up to €10M or 2% of revenue for essential entities

Up to €7M or 1.4% of revenue for important entities

Management Liability

  • Personal liability of executives
  • Temporary ban from management positions
  • Mandatory cybersecurity training

Operational Risks

  • Activity suspension for serious breaches
  • Publication of sanctions by authorities
  • Loss of trust from customers and partners

Security Risks

  • Undetected vulnerabilities in your dependencies
  • Increased exposure to cyberattacks
  • Supply chain compromise

NIS2 + CRA: Complementary Compliance

If you are a software publisher, the Cyber Resilience Act (CRA, 2027) also applies to you. LibTracker helps you prepare for both sets of compliance requirements at the same time.

Frequently Asked Questions about NIS2

What is the NIS2 compliance deadline?

How do I know if my organization is affected?

Is SBOM mandatory for NIS2?

What's the difference between NIS2 and CRA?

How much does supply chain compliance cost?

Who enforces NIS2 compliance?

Scan your dependencies

First CVE detected in under 10 minutes. You might be surprised.