Carbonsec – Cybersecurity Consultancy Services Company

ZInfV-1 and supply chain security management

ZInfV-1 requires monitoring security posture of suppliers and mitigating the risks. SecurityScorecard helps you manage supply chain security.

3 June 2025, by Ana Bokalič

On Friday, 23 May 2025, the National Assembly of the Republic of Slovenia approved the new Information Security Act (ZInfV-1), which transposes the European NIS2 Directive into Slovenian legislation. The Act will enter into force on the fifteenth day after its publication in the Official Gazette. From that day on, essential and important entities will have six months to self-register (Article 60). Self-registration will be governed by the Government Information Security Office, which is obligated to establish a mechanism for self-registration within four months of ZInfV-1 entering into force.

Entities subject to ZInfV-1 will have approximately two years to bring their organisation’s information security management in line with the requirements of the Act. As Slovenia’s first Information Security Act defined information security management more strictly than foreseen in the NIS Directive, many organisations have already implemented the majority of the new Act’s requirements. However, some requirements will be encountered for the first time by both existing and new entities subject to the Act.

Managing supply chain security through measures and security testing

One of the significant innovations of ZInfV-1 is certainly supply chain security management. This security measure, also introduced by DORA, aims to address the issue of a growing attack surface caused by the interconnection of organisations in digital supply chains.

Nowadays, it is a no-brainer that visitors to an organisation’s premises should not be left unattended, even if they are regular guests. A visitor is welcomed at the reception desk and escorted by an insider from there on. However, when it comes to accessing digital assets, it is still often the case that suppliers have a VPN connection established, even when they do not need it. This often leaves the door to the internal network wide open, especially in organisations where the network is not segmented correctly.

When speaking of supply chain security management, two aspects should be considered:

  • enforcing appropriate security policies when assigning and managing access rights to suppliers and integrating supplier solutions into the internal IT system;
  • monitoring the security posture of key suppliers and acting appropriately if their security posture changes.

How does the ZInfV-1 define supply chain security management?

As defined in Article 22 of the ZInfV-1, entities subject to the Act are required to ensure measures for supply chain security in a way that “appropriate minimum requirements related to information and cyber security are established for key suppliers or service providers, where the requirements relate to the relationship between the entity and its direct suppliers or service providers.”… “In assessing and implementing appropriate security measures for supply chain security, essential and important entities should take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of the products and services provided by their suppliers and service providers in the area of cybersecurity, including their secure development processes. They should determine which security measures are adequate and appropriate to ensure supply chain security and may verify their implementation by suppliers and service providers. …”

The ZInfV-1 requirement for essential and important entities is to keep a list of suppliers, to implement security requirements and measures related to their cooperation with suppliers, and to monitor the suppliers’ security posture, which includes:

  • assessing the risks of working with a particular supplier;
  • contractual definition of information and cyber security obligations; and
  • monitoring the implementation of the supplier’s security measures.

Which suppliers should be regularly monitored and included in the list?

Organisations should, in particular, monitor and keep the list of suppliers who:

  • provide critical ICT services such as security software, cloud services, managed services;
  • have access to systems and data;
  • have the potential to disrupt the organisation’s services and operations through security failures or deficiencies.

The list of suppliers should clearly show the criticality of each supplier (how important it is to the business) and a risk assessment based on questionnaires covering:

  • information security management practices,
  • a statement of the sector-specific certifications in place, such as ISO 27001,
  • a statement of the information system audits carried out.

How can we ensure ZInfV-1 compliant supply chain security in practice?

In large organisations with dispersed supply chains, managing such risks can place a heavy burden on internal teams. It is therefore recommended to consider a separation of tasks:

  • The internal team should ensure that relationships with suppliers are clearly defined in security policies, that adherence to and assurance of appropriate levels of information and cyber security are specified in contracts, and that access routes between the organisation and the supplier are adequately secured.
  • Monitoring of suppliers’ security posture can be efficiently managed by automated solutions that assess the security of the supplier’s external network. Such solutions utilise publicly available information to calculate the security score and do not interfere with the supplier’s network. Particularly for key suppliers, where continuous monitoring and rapid response to changes are necessary, such solutions are highly beneficial.
  • For business-critical systems or solutions, arrange a third-party penetration test carried out on your request by cyber security testing specialists.

This approach not only provides a “checked box” from a legal compliance perspective but also contributes to improving your organisation’s security posture.

Smaller organisations should commit to at least the first two points: ensuring an adequate level of information and cybersecurity in contracts and policies and adequately securing links with suppliers, as well as regularly monitoring the security posture of suppliers. As a smaller organisation, you may find it more challenging to coordinate a third-party penetration test. Nevertheless, when discussing this issue with the supplier, point out that security testing also provides a business benefit for them, as it offers the opportunity to improve and gain a competitive advantage.

When to accept risk in the supply chain?

The business value of using a particular solution or service may outweigh the risk of working with its supplier. Or there may be only one suitable solution that efficiently addresses your specific problem. In this case, you will probably choose it despite the risks. It’s essential to be aware of these risks and address them accordingly: harden access control, assess the supplier more frequently, isolate the solution from other systems, or place it in a separate segment of the network.

The supplier’s security score, obtained either through an automated solution or a targeted security test, should guide you in further decision-making. Consider the results in the context of your organisation and internal security measures. Make an informed decision on whether to implement a solution or not based on risk analysis and Business Impact Assessment (BIA), which are also required documents when auditors knock on your door.
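The supplier list, questionnaire-based risk assessment, posture monitoring of key suppliers and compensating controls for accepted risks described above can be kept in one small register. The following is an added illustration, not Carbonsec's code and not a SecurityScorecard integration: the 0–100 score scale, the point values, the thresholds, the review intervals and the sample suppliers are all constructed assumptions, chosen to show how criticality, access and questionnaire answers combine into a rating and how a score change turns into an action.

```python
"""Supplier register: criticality, questionnaire risk, posture-change monitoring.

Added example (not the article's or any vendor's code). The scoring scale
(0-100, higher is better), point values, thresholds and sample data are
constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum

SCORE_FLOOR = 70          # assumption: external score below this needs a review
DROP_ALERT = 10           # assumption: a drop of this many points needs action
AUDIT_MAX_AGE_YEARS = 2   # assumption: older audits no longer count as evidence


class Criticality(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3  # "key supplier": critical ICT service or able to disrupt operations


@dataclass
class Questionnaire:
    has_isms: bool                   # documented information security management practices
    certifications: tuple = ()       # e.g. ("ISO 27001",)
    last_audit_year: int | None = None  # most recent information system audit


@dataclass
class Supplier:
    name: str
    criticality: Criticality
    has_system_access: bool          # VPN, remote admin or API access into our systems
    questionnaire: Questionnaire
    risk_accepted: bool = False      # business chose the solution despite the risk
    scores: list[int] = field(default_factory=list)  # external posture score history


def questionnaire_risk(q: Questionnaire, current_year: int) -> int:
    """Inherent-risk points from the questionnaire answers (0 = best)."""
    points = 0
    if not q.has_isms:
        points += 3
    if "ISO 27001" not in q.certifications:
        points += 2
    if q.last_audit_year is None or current_year - q.last_audit_year > AUDIT_MAX_AGE_YEARS:
        points += 2
    return points


def supplier_risk(s: Supplier, current_year: int) -> int:
    """Risk rating: exposure (criticality + access) scaled by questionnaire findings."""
    exposure = int(s.criticality) + (2 if s.has_system_access else 0)
    return exposure * (1 + questionnaire_risk(s.questionnaire, current_year))


def review_interval_days(s: Supplier) -> int:
    """Reassessment cadence; accepted-risk suppliers are assessed twice as often."""
    base = {Criticality.HIGH: 30, Criticality.MEDIUM: 90, Criticality.LOW: 365}[s.criticality]
    return base // 2 if s.risk_accepted else base


def posture_change_action(s: Supplier, new_score: int) -> str:
    """Record a fresh external score and decide what to do about it."""
    previous = s.scores[-1] if s.scores else None
    s.scores.append(new_score)
    dropped = previous is not None and previous - new_score >= DROP_ALERT
    concerning = dropped or new_score < SCORE_FLOOR
    if concerning and s.criticality == Criticality.HIGH:
        return "escalate"  # key supplier: reassess and restrict access until resolved
    if concerning:
        return "review"    # ask the supplier for an explanation and remediation plan
    return "ok"


def compensating_controls(s: Supplier) -> list[str]:
    """Controls to apply when the business keeps a risky supplier anyway."""
    if not s.risk_accepted:
        return []
    controls = ["harden access control", "assess the supplier more frequently"]
    if s.has_system_access:
        controls.append("isolate the solution in a separate network segment")
    return controls


def build_register(suppliers: list[Supplier], current_year: int) -> list[dict]:
    """The supplier list, riskiest first, with cadence and controls per supplier."""
    rows = [{"name": s.name, "criticality": s.criticality.name,
             "risk": supplier_risk(s, current_year),
             "review_every_days": review_interval_days(s),
             "controls": compensating_controls(s)} for s in suppliers]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample suppliers (not real organisations)
SAMPLE = [
    Supplier("cloud-erp", Criticality.HIGH, True, Questionnaire(True, ("ISO 27001",), 2024)),
    Supplier("ics-vendor", Criticality.HIGH, True, Questionnaire(False), risk_accepted=True),
    Supplier("print-shop", Criticality.LOW, False, Questionnaire(False, (), 2020)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, 2025):
        print(row)
    key = SAMPLE[0]
    print(posture_change_action(key, 85), posture_change_action(key, 72))
```

The rating deliberately multiplies exposure by questionnaire findings rather than adding them: a supplier with no access and no critical role stays low even with poor answers, while a key supplier with VPN access and no ISMS rises to the top of the list. The monitoring rule reacts to a sudden drop as well as to a low absolute score, because a drop on a previously healthy key supplier is exactly the change the article says must trigger a response.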

For more information on how to manage security in your supply chain, don’t hesitate to get in touch with us.
