Abstract
The NIS2 Directive provides for substantial changes in the area of network and information security in the European Union. Its impact on public procurement is significant and will lead to many changes in the procurement practices of public institutions. Public entities will be required to implement appropriate cybersecurity management measures, including handling and reporting. However, the regulations concerning high-risk suppliers and the obligation to verify supply chain cybersecurity for an ICT product, ICT service or ICT process will have the greatest direct impact on public procurement. In particular, the latter obligation may raise questions as to how it should be implemented within the strict framework of public procurement and the contracting authority’s entitlements, which are strictly defined by law.