Today almost every company depends on digital services, technology providers and interconnected networks to keep functioning. An incident can come from a technical failure, an attack, an outage at a supplier or even a weather problem, and can affect more than one service at a time. Digital resilience has become a priority to ensure business continuity, and the European NIS2 directive raises the security bar for thousands of organizations across Europe.

The directive maps out responsibilities within companies: companies providing essential and digital services, critical suppliers and large platforms must better identify their dependencies, anticipate possible breaking points and design mechanisms that allow them to maintain activity even if something fails. Cybersecurity is no longer just a technical issue; it becomes part of the business strategy, with senior management at the center, including personal responsibility in the event of non-compliance.

In this context, decisions about how networks are connected, traffic is distributed, and providers are managed directly impact the resilience of digital chains. DE‑CIX, the world’s leading Internet Exchange Point (IX) operator, highlights some of the key aspects that the NIS2 directive places at the heart of digital risk management.

Digital resilience and risk management

In today’s environment, operational continuity increasingly depends on digital resilience. The growing interconnection between systems, networks and technology providers amplifies the impact of any incident, which can spread rapidly between services and organizations.

This reality highlights the importance of anticipating risks and strengthening prevention capabilities. However, many companies still lack a complete view of their vulnerabilities. According to Willis Towers Watson’s Global Supply Chain Risk Report 2025, only 8% of companies surveyed say they have complete control over their risks.

In this context, reducing dependence on single points of failure, whether in infrastructures, networks or providers, becomes a key element to strengthen digital security and guarantee service continuity.

NIS2 forces us to look at the entire supply chain

The new European NIS2 directive extends digital security requirements to around 150,000 companies across Europe, with the aim of strengthening the resilience of business processes and supply chains against any disruption, including cross-border and technological risks. The regulations require organizations to carefully manage IT risks and identify threats throughout the digital supply chain.

According to the European Cybersecurity Agency (ENISA), this is especially relevant in IT service management, given the complexity and cross-border nature of digital processes. Recommended measures include clear criteria for selecting vendors, protecting their applications, and defining contingency and incident reporting procedures. Additionally, the directive requires subcontractors to report incidents, collaborate in threat management and, in the event of an incident, allow access to their own technological environment. The objective is to guarantee that the entire supply chain meets the security and resilience standards established by the directive.

A concrete example of what this means in practice: many large companies in the financial, insurance and logistics sectors already require their service providers to submit self-declarations about their level of security. Organizations that already have recognized certifications, such as ISO/IEC 27001 in information security or ISO/IEC 22301 in business continuity, can face these demands with more peace of mind, and with a real competitive advantage over those who have not yet taken that step.

Interconnection and resilience strategy

Networks and connectivity are an essential part of any IT supply chain, from digital services to intelligent applications and data-driven business models. Internet Exchange Points (IX) play a central role, not only as critical infrastructure, but also as a mechanism to resiliently connect complex and interdependent business relationships.

An intelligent interconnection strategy is as necessary as emergency plans or business continuity management.

“Digital security only protects if you act preventively. NIS2 provides the guidance for organizations to plan, strengthen their supply chains and ensure the continuity of their digital services before an incident occurs,” said Dr. Thomas King, CTO of DE‑CIX.

Diversifying connections across multiple data centers and geographic locations offsets partial outages and reinforces the stability of the entire supply chain. Resilience is built when all levels of the network are mutually protected and partners design their components with redundancy, creating a more robust and reliable overall system.

NIS2 drives companies to put the security of their IT supply chains at the top of the corporate agenda. Assessing dependencies, managing risks and choosing partners who share the principle of resilience become strategic requirements. Furthermore, the directive establishes the direct responsibility of the management bodies, with the personal involvement of their members, and the penalties for non-compliance can reach 10 million euros or 2% of global annual turnover.

From the perspective of DE-CIX, in terms of digital risks, post-incident care is useless: only good prevention works. Just as healthy living helps prevent health problems before they appear, digital security only protects if you act before the problem occurs. NIS2 helps organizations plan and reinforce their operations by anticipating incidents, not reacting to them.