a) include recommendations for the procurement of ICT products, ICT services, and ICT processes referring to cybersecurity specifications, covering at least:
(i) the background verification checks of the staff of the supplier involved in the supply chain and dealing with sensitive information or with access to the high-impact or critical-impact assets of the entity. Background verification checks may include a verification of the identity and background of staff or contractors of an entity in accordance with national law and procedures and relevant and applicable Union law, including Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council Article 18. Background checks shall be proportionate and strictly limited to what is necessary. They shall be carried out for the sole purpose of evaluating a potential security risk to the entity concerned. They need to be proportional to business requirements, the classification of the information to be accessed and the perceived risks, and may be performed by the entity itself, by an external company performing a screening, or through a government clearing;
(ii) the processes for secure and controlled design, development and production of ICT products, ICT services and ICT processes, promoting the design and development of ICT products, ICT services, and ICT processes, which include appropriate technical measures to ensure cybersecurity;
(iii) design of network and information systems in which devices are not trusted even when they are within a secure perimeter, require verification of all requests they receive and apply the least privilege principle;
(iv) the access of the supplier to the assets of the entity;
(v) the contractual obligations on the supplier to protect and restrict access to the entity’s sensitive information;
(vi) the underpinning cybersecurity procurement specifications to subcontractors of the supplier;
(vii) the traceability of the application of the cybersecurity specifications from the development through production until delivery of ICT products, ICT services or ICT processes;
(viii) the support for security updates throughout the entire lifetime of ICT products, ICT services or ICT processes;
(ix) the right to audit cybersecurity in the design, development and production processes of the supplier; and
(x) the assessment of the risk profile of the supplier;
b) require such entities to take into account the procurement recommendations referred to in subparagraph (a) when concluding contracts with suppliers, collaboration partners and other parties in the supply chain, covering ordinary deliveries of ICT products, ICT services and ICT processes as well as unsolicited events and circumstances like termination and transition of contracts in cases of negligence of the contractual partner;
c) require such entities to take into account the results of relevant coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council;
d) include criteria to select and contract suppliers that can meet the cybersecurity specifications as stated in paragraph (a) and that possess a level of cybersecurity appropriate to the cybersecurity risks of the ICT product, ICT service, or ICT process that the supplier delivers;
e) include criteria to diversify sources of supply for ICT products, ICT services and ICT processes and reduce the risk of a vendor lock-in;
f) include criteria to monitor, review or audit the cybersecurity specifications for supplier internal operational processes throughout the entire lifecycle of each ICT product, ICT service and ICT process on a regular basis.
The advanced supply chain controls include the following, as outlined in NCCS Article 33 Paragraph 4:
During procurement, advanced cybersecurity controls in the supply chain encompass those controls applicable to critical-impact entities, ensuring that ICT products, ICT services, and ICT processes used as critical assets comply with cybersecurity requirements. The ICT product, ICT service, or ICT process must be certified under the European cybersecurity certification scheme referred to in NCCS Article 36, or verified through an audit procedure selected and conducted by the entity.
The level of detail and scope of the verification activities must ensure that the ICT product, ICT service, or ICT process can be used to mitigate the risks identified in the entity’s risk assessment. The critical-impact entity documents the steps taken to reduce the identified risks.