Does Part-IS impose requirements on suppliers or subcontractors that are not themselves among the organisations required to comply with Part-IS, but that work with or for an organisation within the Part-IS scope?
Answer
Part-IS requirements are addressed to organisations within the scope of the rules (Article 2 'Scope' of Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU) 2022/1645). These organisations need to address the information security risks at the interfaces with other organisations, whether or not the latter are within the scope of the rules. To do so, organisations within the scope have two options:
- they can implement mitigation measures and controls within their own organisational boundaries; or
- they can instead manage the risks through contractual agreements and require the supplier or subcontractor to implement mitigation measures and controls within its own organisation.
Last updated
22/08/2025