Intelligent SME.tech Issue 68 | Page 36

// INDUSTRY INSIGHT //
market and holding individual businesses accountable for the security of their partners and suppliers.
NIS2 applies to large businesses and organisations that regulators deem critical to the functioning of European society – such as those involved in critical infrastructure or digital services – which it labels ‘essential entities’. The regulation makes plain that these organisations – and their executives – will be held legally liable for the subpar security practices of their vendors, partners and suppliers, and states that compliant organisations should incorporate those security requirements into SLAs and contracts.
DORA focuses on financial organisations. However, given that the European financial sector is involved in and relies on a wide array of sectors and partners, particular emphasis is put on the security stance of software suppliers and IT service providers. Like NIS2, it demands that these be incorporated into SLAs and contracts.
The EU AI Act does largely the same for companies building AI products: they must ensure the security of the models and components they use – and that their partners have undergone the correct audits – or risk penalties, investigations or being completely barred from selling AI products.
Compliance by contract
This regulatory revolution might focus on ‘essential entities’ and large firms but, given the interconnection of these large hubs, their suppliers, vendors and partners are all required to comply whether explicitly beholden to it or not. This is sometimes known as ‘cascading compliance’.