Does Part-IS impose requirements on suppliers/subcontractors that are not themselves among the organisations required to comply with Part-IS, but that work with or for an organisation within the Part-IS scope?
Part-IS requirements are addressed to organisations within the scope of the rules (Article 2 'Scope' of Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU) 2022/1645). These organisations need to address the information security risks at the interfaces with other organisations, whether the latter are within or outside the scope of the rule. To do so, organisations within the scope have two options:
- they can either implement mitigation measures and controls within their own organisational boundaries; or
- they may decide instead to manage the risks through contractual agreements and require the supplier/subcontractor to implement mitigation measures and controls within its own organisation.
Is IS.I.OR.235 applicable to all suppliers/subcontractors?
No. The requirement of point IS.I.OR.235 of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 applies only to those suppliers/subcontractors that perform tasks pertinent to information security management activities. All other suppliers/subcontractors are covered by point IS.I.OR.205 of Part-IS.I.OR.
Can Part-IS implementation and/or the Part-IS compliance monitoring function be subcontracted? If yes, is the subcontracted organisation responsible for implementation and compliance?
Yes, Part-IS implementation and/or its compliance monitoring function can be subcontracted. It is important to note that the responsibility for performing tasks pertinent to Part-IS can be transferred; accountability, however, cannot. The organisation subject to Part-IS remains accountable for the implementation of the rule and for demonstrating compliance with it. This should be made explicit in the agreement between the organisation subject to Part-IS and the subcontractor.