CADIS - Cybersecurity Assessment for Defence Industry Suppliers
Measuring and sustainably strengthening resilience throughout the entire supply chain
The defence industry today relies more than ever on robust, secure, and resilient supply chains. At the same time, complexity is increasing: strong technological dependencies, interconnected production environments, rising cyber threats, and a heterogeneous landscape of standards and regulations make the reliable assessment of suppliers increasingly challenging.
CADIS closes this gap: As the first European assessment framework specifically designed for suppliers in the defence industry, it establishes a standardized, transparent, and measurable foundation for evaluating cyber and information security across the entire supply chain.
- Market Access: Be recognized as a trusted partner in the defence industry
- Competitive Advantage: Demonstrable security builds trust and strengthens your market position
- Security: Holistic protection of IT & OT systems and reduced operational risks
- Efficiency: A modular approach minimizes assessment effort
Cybersecurity in the Defence Industry: Responsibility Begins in the Supply Chain
Intellectual property, confidential project data, critical infrastructure — companies operating in the defence industry protect far more than their own business. Security does not end at the factory gate. It must be ensured across all suppliers and partners.
CADIS was developed precisely for this purpose: a structured assessment framework that translates the industry’s specific requirements into a clear and standardized evaluation model. No patchwork of internal checklists, no room for interpretation — but a reliable and transparent foundation for supplier decisions.
At the same time, CADIS remains practical and applicable: 14 modules, flexibly combined according to role and risk profile. Only what is relevant is assessed. The requirements are precise — while the technical implementation remains open.
1. Kick-Off
Joint assessment initiation: framework conditions, expectations, and assessment scope are aligned, while required documentation and contact persons are defined.
2. Phase 1
Document-Based Pre-Assessment: Formal and substantive pre-assessment based on the provided documentation. Risk areas are identified, and the main assessment is prepared in a targeted manner.
3. Phase 2
Main Assessment: The depth of the assessment depends on the selected Level of Examination (LoE):
- LoE 1 – Plausibility review of the overall implementation for each assessment criterion, without verification of supporting evidence
- LoE 2 – Structured remote interview with risk-based sampling and in-depth verification
- LoE 3 – On-site audit including interviews, sample checks, and site inspection; evidence-based verification
4. Closing Meeting
The results are reviewed jointly. Action plans, follow-up activities, and the timeline for the risk-based surveillance assessment are agreed upon.
5. Action Plan
In the event of non-conformities, the customer prepares a binding action plan including concrete corrective measures, responsibilities, and implementation deadlines.
6. Follow-Up
Review and documentation of implemented measures to ensure the sustainable remediation of identified weaknesses.
7. Risk-Based Surveillance Assessment
Conducted in the year following the initial assessment, based on the pre-assessment results, risk profile, open findings, and relevant changes (organizational, site-related, or security incidents).
8. New Assessment Cycle
After completion of all steps, the process begins again — adapted to current conditions and the supplier’s evolving risk profile.
CADIS assesses security where it truly matters. The 14 modules cover all relevant security domains — from IT and OT to data protection and physical security. Depending on the company’s role, risk profile, and level of sensitivity, only the modules that are actually relevant are applied. This reduces effort, creates clarity, and provides a transparent overall picture of cyber and information security across the supply chain.
Overview of the Modules
1. Physical Security at the Site
2. Information Security Organization
3. IT Security
4. OT Security
5. Use of Cloud-Based and External Services
6. Business Continuity Management
7. Incident and Crisis Management
8. Identity and Access Management
9. Security in Software Development
10. Information Security in Project Management / Human Resources / Procurement
11. Data Protection
12. Compliance Management System
13. Use of Artificial Intelligence
14. Transport and Handling
Systematically Fulfill Regulatory Requirements – NIS2, BSIG, CRA & International Standards
NIS2 and the German BSIG require companies to address cybersecurity risks not in isolation, but across the entire supply chain. In practice, this means assessing suppliers, implementing protective measures, and providing verifiable evidence of compliance.
CADIS provides the structural foundation for this. The assessment framework is aligned with recognized standards and frameworks, including ISO/IEC 27001:2022, IEC 62443, the NIST Cybersecurity Framework v2.0, BSI IT-Grundschutz and C5, the NIS2 Directive, GDPR, and the EU Cyber Resilience Act.
Standardized supplier assessments deliver reliable documentation — verifiable, audit-ready, and recognized by public contracting authorities and in procurement processes.
CADIS is designed for all companies that act as suppliers or service providers in the defence industry, or aim to become part of it.
To establish a measurable and standardized basis for evaluating supply chain resilience.
The CADIS process consists of 8 steps:
Kick-off → Pre-assessment → Main assessment → Closing → Action plan → Follow-up → Surveillance assessment → New cycle.
The Levels of Examination (LoE) define the depth of the assessment:
- LoE 1: Self-assessment with a plausibility check of the overall implementation
- LoE 2: Document review followed by a structured remote interview
- LoE 3: Document review followed by a comprehensive on-site audit
- Pre-assessment: Depends on the scope of the submitted documentation. The time between Phase 1 and Phase 2 is typically 2–7 calendar days (LoE 1/2) or 7–21 calendar days (LoE 3).
- Main assessment: Duration depends on the LoE, the number of assessment modules, and the number of sites involved.
- Overall process including follow-up: Depends on any identified nonconformities and required corrective actions.
Only those modules that are relevant to the specific role and risk profile must be completed.
Yes. The requirements are precisely defined, while allowing flexibility in how they are technically implemented.
The Supplier Criticality Evaluation (SCE) is the systematic classification of a supplier’s criticality, carried out by the manufacturer or client. It considers security relevance, protection needs, supply chain complexity, regulatory requirements, business impact, as well as geographic and geopolitical risk profiles.
The result determines the applicable Level of Examination (LoE) and the assignment to Special Requirement Levels 1–3.
No. The selection is risk-based. The assessment modules are defined by the system manufacturer. To support this process, DEKRA provides the “Supplier Criticality Evaluation” tool — a standardized assessment framework that ensures a consistent and transparent definition of the individual assessment scope for each supplier.
If the assessment scope includes multiple sites under a shared ISMS, CADIS applies a risk-based multi-site approach. The head office is always fully assessed, while a risk-based sample of the additional sites is selected according to the formula ⌈√n⌉ (n being the number of additional sites). The remaining sites are assessed at the next lower LoE.
Prerequisites include a unified, group-wide ISMS, centralized responsibility, and comparable risk profiles across all sites.
- Major nonconformities: The customer must prepare a binding action plan, which is approved by the auditor. Major nonconformities must be resolved or downgraded to minor nonconformities within a maximum of 3 months.
- Minor nonconformities: If a temporary approval is requested, an action plan must be created. Remediation can be carried out during an optional follow-up, but no later than the risk-based surveillance assessment in the following year. If minor nonconformities are not effectively addressed by then, they will be escalated to “major nonconformity”.
The CADIS assessment cycle runs over two years: an initial assessment in the first year, including any necessary follow-up reviews, and a risk-based surveillance assessment in the second year. After the cycle is completed, a new assessment is required, and the assessment scope is redefined.
The CADIS assessment cycle runs for a standard period of 2 years: an initial assessment in the first year, followed by a risk-based surveillance assessment in the second year. The approval is valid for the duration of this cycle — up to a maximum of 2 years. After the cycle is completed, a new assessment is required.
Why DEKRA?
- Developed and exclusively performed by DEKRA: CADIS is a proprietary DEKRA product.
- Industry expertise: We have decades of experience in cybersecurity, industrial inspection processes, and safety-critical sectors.
- Independence & credibility: As a neutral and internationally recognized testing organization, we ensure trust and transparency across the entire supply chain.