From Collins Aerospace to NIS2: How a Compromised Supplier Paralyzes Europe

When a single supplier goes down, everyone feels the shock

In early 2024, the cybersecurity world got another reminder of how fragile global supply chains really are. Collins Aerospace, a division of RTX Corporation and a major supplier to both the defence and commercial aviation sectors, became the subject of intense scrutiny after reports emerged linking compromised supplier networks to operational disruptions across European partners. The incident was not an isolated blip — it was a case study in exactly the kind of cascading risk that the European Union’s NIS2 directive was designed to address.

For European SMBs, particularly those operating in Italy and across the EU, the message is blunt: your cybersecurity is only as strong as the weakest link in your supply chain. And under NIS2, ignoring that reality now carries serious financial and legal consequences.

What happened with Collins Aerospace and why it matters

Collins Aerospace supplies critical components and systems to airlines, airports, and defence organisations worldwide. When threat actors target a company of this scale, the damage does not stay contained. Compromised credentials, tampered software updates, or breached internal systems at a single tier-two supplier can ripple outward, paralysing operations for dozens of downstream partners.

This pattern is not new. The 3CX supply chain attack in 2023 affected roughly 600,000 companies globally, many of them European. The MOVEit Transfer vulnerability exploited by the Clop ransomware group hit organisations like the BBC, British Airways, and Shell. According to ENISA, 62% of cyberattacks on organisations now exploit the trust embedded in supplier relationships.

What makes the Collins Aerospace scenario particularly instructive is the sector involved. Aviation and defence supply chains are deeply interconnected across borders. A breach in one node does not just compromise data — it can ground flights, delay military readiness, and erode trust in critical infrastructure that spans the entire continent.

NIS2 and the new rules for supply chain security

The NIS2 directive, which EU member states were required to transpose into national law by October 2024, fundamentally changes how European businesses must approach cybersecurity. Italy completed its transposition in late 2024, and enforcement is now a reality.

Who falls under NIS2

The directive targets two categories: essential entities (energy, transport, health, digital infrastructure) and important entities (postal services, waste management, manufacturing, food production, and others). Medium and large enterprises in these 18 sectors — those with 50 or more employees or over EUR 10 million in annual turnover — are directly in scope.

But here is where it gets critical for SMBs. Even if your company falls below those thresholds, you are almost certainly affected if you supply products or services to organisations that are in scope. NIS2’s Article 21 explicitly requires covered entities to assess and manage cybersecurity risks across their entire supply chain. That means your larger clients will start demanding proof of your security posture — contractually.

What NIS2 requires for supply chains

The obligations are specific and non-negotiable:

  • Risk assessments of all direct suppliers and service providers, evaluating the overall quality of cybersecurity practices.
  • Contractual cybersecurity requirements embedded in supplier agreements — not just best-effort promises, but binding obligations.
  • Incident reporting within 24 hours for early warnings and 72 hours for full notifications to the relevant national CSIRT.
  • Regular audits and ongoing monitoring of third-party security measures.

For a small IT services firm in Milan or a component manufacturer in the Veneto region, this means that a phone call from your biggest client asking about your incident response plan is not hypothetical. It is coming, if it has not arrived already.

The real cost of non-compliance

NIS2 introduces penalties that European businesses cannot afford to dismiss. Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities risk fines of up to EUR 7 million or 1.4% of turnover.

Perhaps more significant for SMB owners: senior management can be held personally liable. Directors and C-level executives may face temporary bans from management positions if their organisation fails to meet NIS2 requirements. This is not just a corporate risk — it is a personal one.

According to Gartner’s projections, 45% of organisations worldwide were expected to experience software supply chain attacks by 2025, a threefold increase compared to 2021. The regulatory framework is catching up with the threat landscape, and European regulators are signalling that they intend to enforce it.

Practical steps for Italian and European SMBs

If you are running an SMB that supplies goods or services to larger European enterprises, here is what you should be doing now.

Map your own supply chain exposure

Start by identifying which of your clients fall under NIS2’s scope. If you serve companies in energy, healthcare, transport, digital infrastructure, or manufacturing, expect contractual cybersecurity requirements to flow down to you. Document your own suppliers as well — your vulnerability is their vulnerability.

Invest in baseline security measures

You do not need a Fortune 500 security budget, but you do need the fundamentals in place. Multi-factor authentication, regular patching, encrypted communications, access controls, and a tested incident response plan are the minimum. ENISA publishes free guidance tailored to SMBs that is worth reviewing.

Prepare for contractual demands

Your larger clients will begin — or have already begun — inserting cybersecurity clauses into supplier contracts. Be ready to demonstrate compliance with recognised frameworks such as ISO 27001, or at minimum, show documented policies and procedures. Proactive preparation here is a competitive advantage, not just a compliance exercise.

Build an incident response capability

The 24-hour early warning requirement under NIS2 means you cannot afford to discover a breach on a Friday and address it on Monday. Even a lean incident response plan, rehearsed quarterly, puts you ahead of most SMBs in Europe. Know who to contact, what to report, and how to contain damage before it spreads to your clients.

Supply chain security is no longer optional

The Collins Aerospace case is a reminder that supply chain attacks are not theoretical scenarios discussed at cybersecurity conferences. They are operational realities that disrupt businesses, damage reputations, and now trigger regulatory consequences across Europe.

For Italian and European SMBs, the NIS2 directive has moved the goalposts permanently. Cybersecurity is no longer just an IT department concern — it is a board-level responsibility with personal liability attached. The companies that recognise this shift early and act on it will not only avoid penalties but will position themselves as trusted partners in an increasingly security-conscious European market.

The question is no longer whether your supply chain will be tested. It is whether you will be ready when it happens.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
