Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: January 2025

Yes

The obligations are as follows:

   controllers must conduct due diligence on the processor to ensure it will provide appropriate security and processing of the personal data

   controllers must only use processors subject to a written agreement that complies with specific requirements

   other

If the data controller is subject to the NIS2 Directive, it must aim to ensure the security of its supply chain. This general obligation may include ensuring that data processors that participate in the establishment, operation, maintenance and/or repair of the data controller’s electronic information system maintain an appropriate level of cybersecurity relative to the services they provide to the data controller. Local laws implementing NIS2 might stipulate specific obligations.

Are there any direct regulatory or statutory requirements on processors?

Last review date: January 2025

Yes

The following provisions apply directly to processors:

Art. 28, Art. 29, Art. 30 par. 2, Art. 31, Art. 32, Art. 33 par. 2, Art. 37-39, and Chapter V of the GDPR.