NIS2 makes managing your suppliers’ cyber risk a legal duty, and it flows downhill. Article 21(2)(d) requires in-scope organisations to secure the relationships with their direct suppliers and service providers, and in practice that pulls even out-of-scope SMEs into the same standards through contracts. The workable way to operationalise third-party access is identity-centric Zero Trust Network Access with clientless posture checks and agentless isolation for OT, all logged centrally. Because that inspection touches sensitive data, the provider’s jurisdiction matters too, which is where a sovereign single-platform like Jimber is the strongest fit. Technology only covers half of it though; contracts and policy carry the rest.
Key takeaways
- Belgium’s NIS2 law (26 April 2024, in force 18 October 2024) makes supplier security a baseline obligation, focused on direct, tier-one suppliers.
- The “flow-down” effect means unregulated suppliers must still prove NIS2-equivalent security, typically CyFun Basic or Important, to keep contracts with regulated customers.
- Recent incidents, including the Collins Aerospace attack that cancelled around 60 flights at Brussels Airport, show how a single third-party VPN can propagate ransomware across a continent.
- Legacy SSL VPNs are the wrong tool for third-party access: they grant network-level trust, and legacy VPNs were the entry point in 73% of verified ransomware attacks in 2025.
- ZTNA with clientless posture checks secures unmanaged contractor devices without installing software, and the NIAC extends that to OT that cannot run an agent.
What the law actually requires
Article 21(2)(d) of the NIS2 Directive sets supply chain security as a statutory minimum: the measures must include “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” Belgium transposed this through Artikel 30, §1, 4° of its NIS2 law, requiring organisations to govern the cyber risks in their direct supplier relationships. The CCB’s own FAQ clarifies that the obligation focuses on direct, tier-one suppliers, while the operational reality is that primary entities then require those tier-one suppliers to enforce equivalent controls down their own subcontracting chains.
The flow-down effect: why “we are too small” is not an exemption
A common assumption among smaller Belgian firms is that fewer than 50 employees or under €10 million in turnover puts them out of scope. Direct regulatory oversight, yes; market reality, no. Because essential and important entities must manage the cyber risks in their supply chains, they have to audit, catalogue and enforce security compliance on any direct supplier that connects to their systems or touches their operational data. An unregulated SME therefore becomes contractually obligated to meet NIS2-equivalent standards to keep its business relationships.
You can see it working in Belgian sectors. The Port of Antwerp-Bruges, a highly critical operator, requires external logistics subcontractors, customs agents and transport providers that connect to terminal scheduling APIs to demonstrate verified maturity, typically CyFun Basic, to retain access credentials. Food processing plants require their external OT maintenance partners to adopt strict access controls so a remote-support session cannot become a ransomware vector into a production line. And MSPs, directly regulated regardless of headcount, are being asked for CyFun Important or ISO 27001 because their administrative privileges across client networks make them a high-value target.
CyFun 2025 is the benchmark auditors use
To turn the legal text into verifiable controls, the CCB uses the CyberFundamentals (CyFun) framework, which Belgium co-owns with Ireland and Romania. CyFun 2025 aligns to NIST CSF 2.0 and adds “Govern” as a sixth core function, which pins accountability for supplier management and risk strategy on the board.
| Assurance level | Controls (key measures) | Protection rate | Verification path |
|---|---|---|---|
| Small | 7 rules of thumb (0 key) | Foundational hygiene | Voluntary self-assessment |
| Basic | 34 controls (13 key) | Stops 82% of common threats | Verification under EN ISO/IEC 17029 |
| Important | 133 controls (22 key) | Stops 94% of targeted attacks | Verification under EN ISO/IEC 17029 |
| Essential | 218 controls (29 key) | Stops 100% of theoretical threats | Full certification (ISO/IEC 17021-1 or ISO 27001) |
On timing: audits can run against CyFun 2023 or 2025 until 18 April 2027, existing 2023 certificates stay valid until 18 April 2028, and from 19 April 2028 only CyFun 2025 is recognised. Our NIS2 compliance checklist covers what a verification audit expects.
Why this is urgent: supply-chain attacks in 2024–2026
The systemic risk is not theoretical. On the evening of 19 September 2025, ransomware hit Collins Aerospace’s MUSE platform, a shared passenger-processing system used across airport terminals. The endpoints connect back to the vendor’s hosting environment over a dedicated VPN known as ARINC AviNet, and attackers compromised the central vendor environment and used those trusted VPN tunnels to push ransomware to terminals across Europe. Brussels Airport was hit hard: automated kiosks, bag-drop and boarding systems went down, and on Monday 22 September it cancelled around 60 flights, over 10% of its schedule, only restoring automated operations on 29 September. Heathrow saw long queues affecting roughly 90% of flights, and Berlin and Dublin fell back to manual check-in. ENISA confirmed a ransomware attack, the Everest group claimed it, and a single point of failure at a third-party provider disrupted travel across a continent.
Others reinforce the pattern. The Synnovis pathology attack in June 2024 cancelled more than 800 surgeries and 700 appointments across South-East London. A 2025 attack on an automotive component supplier halted Jaguar Land Rover assembly lines across four countries with over $250 million in losses. And the Hafnium campaign in 2025 exploited an Ivanti Pulse Connect VPN zero-day (CVE-2025-0282) to break into an MSP’s boundary network, then pivoted downstream into customer environments, resetting admin accounts and exfiltrating data. The common thread is trusted vendor access over legacy VPN.
The technical answer: identity-centric, not network-centric
Traditional SSL VPNs run on location-based trust: once a contractor authenticates, their device gets a local IP directly inside the corporate network. That creates unchecked lateral movement if the endpoint or credentials are compromised, keeps the exposed edge gateway as a prime target, and validates the user only at login. ZTNA replaces broad network access with granular, per-application permissions through an application-aware reverse proxy, so the external user is never placed on the network, and stolen credentials reach only the one authorised application.
The harder mid-market problem is that contractors and third parties refuse to install your MDM or EDR agents. A clientless ZTNA architecture solves this using the browser as a secure, isolated boundary:
- Cryptographic identity via mTLS. The browser presents a unique certificate that identifies both the user and the authorised device, which blunts credential theft and session hijacking.
- Dynamic browser-based posture checks. Before a session opens, the platform reads security signals such as OS patch level, disk encryption, local firewall and endpoint protection status.
- Continuous session scoring. Those signals are watched throughout the session, and if the device’s state degrades, the session is downgraded or terminated.
For OT and legacy machines that cannot run any client, a physical or virtual Network Isolation Access Controller sits in front of the asset and restricts all communication to explicitly permitted, isolated protocol flows, so unpatched machinery cannot be used as a pivot. Our BYOD security guide and device posture checks for NIS2 go deeper on the unmanaged-device side.
The supply-chain obligations checklist
This is the evidence a CyFun 2025 or ISO 27001 audit expects for third-party access, and how a ZTNA platform supplies it.
| Audit domain | Evidence | Technical step | CyFun 2025 |
|---|---|---|---|
| Supplier inventory | Live inventory of direct suppliers, systems accessed, criticality | Export real-time identity and asset reports from the ZTNA directory | GV.ID-01 |
| Risk profiling | Formal security evaluation per supplier against CyFun or ISO | Run a regular third-party risk-assessment programme | GV.RA-02 |
| Contractual compliance | Signed contracts with security clauses, SLAs, reporting windows, audit rights | Add a standard NIS2 vendor security addendum to agreements | PR.AT-04 |
| Least-privilege | Policies enforcing application-specific access for third parties | Configure ZTNA to limit vendor sessions to permitted destinations | PR.AC-01 |
| Posture verification | Rules requiring endpoint checks before session authorisation | Configure clientless, browser-based posture checks at the gateway | PR.AC-03 |
| Centralised logging | Immutable logs of all third-party access events | Forward SASE session logs to a secure SIEM or tamper-resistant store | DE.AE-01 |
Be honest about the boundary: technology plus contracts
ZTNA is strong, but it does not do everything. It blocks lateral movement, enforces least-privilege and posture, and gives you immutable logs and instant token revocation. It does not set the legal and financial liability framework for a breach, oblige a supplier to follow secure-development practices, or force a supplier to report incidents within the window that supports your own 24-hour notification duty. Those belong in contracts, SLAs and a maintained risk register. Read the mapping as “the technical control is covered,” never as “the obligation is closed by a product.”
Why the sovereign platform choice matters here
A SASE platform routing your access policies, configurations and web logs is itself a supplier, and a sensitive one. Under the US CLOUD Act and FISA Section 702, a US-headquartered provider can be compelled to hand US agencies access to that data even when it sits on EU servers, which is a documented GDPR and NIS2 supply-chain risk. Choosing a strictly European provider removes it. Jimber is headquartered in Belgium with no foreign parent, processes all logs, configurations and traffic inside the EU, and combines ZTNA, network isolation, SWG and FWaaS in one console built for mid-market teams. That combination, sovereign data plus one platform that covers managed users, unmanaged contractors and agentless OT, is the most efficient way to operationalise the supply-chain mandate. See our European SASE alternatives piece and the way these controls map to the wider directive in NIS2 measures to SASE controls.
Frequently asked questions
If we are out of scope for NIS2 by size, do we still face supply-chain obligations?
Usually yes, through the flow-down effect. You may be out of direct regulatory supervision, but regulated customers must manage risk across their value chains, so they will contractually require you to meet a defined standard, such as verified CyFun Basic or Important, as a condition for keeping or winning business.
What minimum cybersecurity requirements belong in supplier contracts?
Contracts should use precise, operational clauses: the supplier aligns to a defined standard (CyFun Basic/Important or ISO 27001), reports incidents within timelines that support your 24-hour notification duty, enforces equivalent controls down its own subcontracting chain, and grants explicit verification and audit rights.
Does a supplier need full CyFun or ISO 27001 certification to satisfy us?
Not necessarily. Formal certification is the cleanest route, but you may also accept a formal verification statement, a completed CyFun self-assessment backed by independent audit evidence, or equivalent documentation. The requirement is that you actively verify the supplier’s posture and record that analysis in your risk register.
How can we verify suppliers without on-site audits?
Use a structured workflow: request verified CyFun statements or ISO 27001 certificates from an accredited body, use security-rating platforms to monitor the supplier’s external attack surface continuously, and use clientless ZTNA to verify the supplier’s device posture at the moment of connection rather than relying only on paper compliance.
Why are traditional SSL VPNs a liability under the NIS2 supply-chain rules?
They use perimeter-based trust: once an external technician authenticates, their endpoint reaches the internal network segment, which enables lateral movement if the device or credentials are compromised. Legacy edge VPN gateways also carry heavily exploited pre-authentication vulnerabilities. ZTNA decouples application access from the network, so users connect only to the specific applications they are authorised to use.
How does clientless ZTNA secure third-party access without installing software?
It uses browser sandboxing and secure APIs to create an isolated gateway. The user’s identity is verified, the browser reads basic security signals from the device, and an application-level reverse proxy keeps the user off the enterprise network, so a compromised contractor machine cannot cross into internal infrastructure.
Operationalise the mandate, do not just document it
Audit your active remote-access channels, retire persistent third-party VPN configurations in favour of identity-centric ZTNA, and pair the technical controls with contract clauses and a live risk register. Book a Jimber demo to see clientless posture checks and the NIAC secure managed users, unmanaged contractors and OT from one EU-sovereign console.