Digital Field Worker. Photo: Ole Jørgen Bratland.

Supplier
Information

We value and emphasize our commitment to working with high-performing suppliers who adhere to our health, safety, ethics, and corporate responsibility standards. We believe strong partnerships are key to maintaining our competitive edge.

  • Supply Chain in Equinor

    On our homepage, 

     

    discover how partnering with us as a supplier can enhance your business and our operations. We prioritize relationships with top-performing suppliers who share our commitment to health, safety, and ethical standards. By registering with us, you contribute to socio-economic growth and gain opportunities for continuous improvement in security, technology, and innovation. Expect transparency, fairness, and predictability in all our dealings as we strive for a sustainable supply chain.

     

    Learn more about becoming a supplier

  • Code of Conduct

    Equinor’s No Gift, Hospitality and Expense Policies
     

    Dear Valued Supplier,

    We would like to take this time to thank you for your collaboration and valuable contributions. This excellent and important cooperation is crucial for us and the industry, and will continue to be an essential factor in realizing our ambition of achieving net zero in 2050.


    GIFTS, HOSPITALITY AND EXPENSES

    As the holiday season is fast approaching, we would like to reiterate the importance of understanding and adhering to Equinor’s Policy on gifts, hospitality and expenses outlined in Equinor’s Code of Conduct.


    As a supplier to Equinor, no offer of gifts, directly or indirectly, to Equinor’s employees, company representatives and/or any procurement responsible should be made. Hospitality such as social events, meals or entertainment should be avoided, unless a strong and clear business reason exists, and the costs are reasonable. Travel, accommodation, and other expenses for the individual representing Equinor will always be paid by Equinor.


    We look forward to collaborating with you also in the future.


    To get there. Together.


    With best regards,

    Mette Halvorsen Ottøy
    PDP Procurement and Supplier Relations
    SVP Supply Chain – Chief Procurement Officer

  • Cyber Security Baseline

    Cyber Security Baseline Expectations to Suppliers

    Equinor’s Cyber Security Baseline Expectations to Suppliers (termed Expectations in the rest of this document) is a framework designed to ensure the integrity, confidentiality, and availability of information shared with suppliers. This document serves as a foundation for fostering a secure environment throughout our supply chain. By meeting these expectations, suppliers contribute to the overall resilience of our joint operations, safeguard our joint interests, and reinforce the trust and confidence of all stakeholders.

    The Expectations typically constitute part of the agreement between a supplier and Equinor for supply of materials or services. Additional cyber security requirements may also apply subject to cyber security risk assessments performed by Equinor.

    Any risks or vulnerabilities should be remediated according to its severity within due time in alignment with international standards and best practices.

     

     

     


     

     

    1.0 GENERAL

    It is Equinor’s intention that, in the implementation and administration of the agreement, the supplier shall use their own internal cyber security frameworks (including policies, systems, routines, and procedures) where these meet or exceed Equinor’s Expectations.

    The supplier shall adapt their frameworks to comply with the Expectations where these are not met.

    When work is carried out at Equinor’s Sites, suppliers shall follow appropriate Equinor guidelines.

     

     

     


     

     

    1.1 Definitions


    Equinor Information: Any information that Equinor shares with the supplier or an appointee in connection with the performance of the agreement, including but not limited to personal data and Equinor data.

    HSE: Health, Safety, Security, Social Responsibility and Environment.

    Site: The place where the work is being performed.

    Sub suppliers and their suppliers: All parties other than the supplier performing part of the work and includes all levels in the supply chain.

     

     

     


     

     

    1.2 Cyber Security Management System

    The supplier shall have implemented, or be able to demonstrate compliance to, a cyber security management system based on published, internationally accepted standards. The cyber security management system shall include all activities conducted by the supplier related to the delivery of the contract.

    The supplier’s cyber security management system shall, at a minimum, cover:

    • The identification, assessment, treatment, and reporting of cyber security risks

    • Application of controls to protect both the systems and information used by the supplier and Equinor

    • Cyber security incident response, recovery, and reporting

    • Cyber security of people, processes, and technology

    • Deliberate or accidental actions or omissions by supplier personnel, sub-suppliers, or third parties that may harm Equinor’s personnel, activities, or reputation.

    Suppliers may use compliance with, or certification against, internationally accepted cyber security standards and/or cyber security management systems to indicate complete or partial fulfillment of the above expectations.

     

     

     


     

     

    1.3 Continuous Improvement

    Equinor may, on a regular basis, review the cyber security activities of the supplier to ensure the supplier is meeting the Expectations and any other identified additional requirements.

    Equinor reserves the right to add, change, enhance or otherwise alter the Expectations and any other identified additional requirements based on incidents, changes to cyber security threats or risks, or changes to the state of the art.

    The supplier shall regularly review the cyber security threats and risks to its own operations and operations conducted as a supplier to Equinor. The supplier shall add, change, enhance or otherwise alter its cyber security activities and controls if the review indicates that these activities or controls do not address the risks to its own operations and operations conducted as a supplier to Equinor.

    The supplier shall establish and maintain a system for handling Equinor Information which corresponds to Equinor’s sensitivity classification of such information. Upon Equinor’s request, the supplier shall establish additional measures to protect Equinor Information if Equinor deems this necessary.

     

     

     


     

     

    1.4 Information Management

    Platforms used for exchanging information between Equinor and the supplier shall have controls in place to prevent exposure of any information from Equinor or the supplier.

    The supplier shall return all information in any format to Equinor upon request or at the end of the contract. If any Equinor information cannot be returned, then the supplier should destroy it in a secure manner and present Equinor with certificates of secure destruction. If the supplier is required by legal or regulatory obligations to retain information for a defined period of time, the supplier shall undertake to protect such information for the stated time and then securely destroy such information, presenting Equinor with certificates of secure destruction.

     

     

     


     

     

    1.5 Personnel Management

    The supplier shall ensure that any access granted to its personnel to Equinor Information is managed in accordance with Equinor’s instructions.

    The supplier shall ensure that the identity of personnel involved in the performance of the agreement has been properly verified (by manual or automated control), and that such personnel’s qualifications have been confirmed according to specific national and regional laws.

    The supplier shall have a dedicated point of contact for cyber security communications and shall require that any Sub suppliers provide the same.

    The supplier is responsible for planning and implementing all cyber security training and courses required by the agreement.

     

     

     


     

     

    1.6 Cyber Security Compliance

    The supplier shall upon request present Equinor with evidence of compliance with, or certification against, published nationally or internationally accepted cyber security standards. Suppliers should be able to provide evidence for compliance with one or more of the following standards and frameworks:

    • ISO/IEC 27001

    • Cyber Essentials

    • NIST CSF

    • PCI DSS

    • ISAE 3402

    • COBIT

    • ISF Standard of Good Practice

    Where a publication date is not provided, the latest published version should be used. Certificates should be valid and have their end-date clearly stated.
     

     

     


     

     

    2.0 DATA BREACH & INCIDENT NOTIFICATION

    In case of a data breach or cyber security incident affecting the ability to deliver according to the contract, the supplier shall notify Equinor without undue delay and no later than 72 hours after an identified breach.

    Where required by legal or regulatory obligation, the supplier shall inform Equinor and any legal or regulatory body within their stated time frames.

    The supplier shall notify Equinor by using agreed channels or calling Equinor’s service desk on number +47 51999222.

    Information to Equinor’s service desk should include the name of the Equinor representative for this Agreement and sufficient information to enable Equinor to meet its obligations to report to relevant stakeholders and handle the data breach/cyber security incident.

    The supplier shall cooperate with Equinor and take all reasonable steps as instructed by Equinor to assist in investigation, mitigation, and remediation of such breach.
     

     

     


     

     

    2.1 Emergency Situations and Serious Incidents

    The supplier shall have established an emergency organization according to the agreement. The supplier shall not notify or give any information to the media or other units or people without Equinor's consent.
     

     

     


     

     

    3.0 AUDIT AND VERIFICATION ACTIVITIES

    Equinor shall have the right to perform HSE audits and verifications towards the supplier, Sub suppliers, and their suppliers throughout the duration of the work. Audits and verifications carried out by Equinor shall not relieve the supplier of its responsibility for the work. An action plan based on the report shall be submitted to Equinor as requested. The supplier shall close findings in the report with corrective actions. Acceptable closing of findings shall be documented.

  • Important Purchase Orders (POs)

    Supplier Information regarding the follow-up of important Purchase Orders (POs) for Equinor

    We value our relationships with suppliers and appreciate your support in achieving our shared goals. On-time deliveries are crucial for a dependable and sustainable supply chain that meets our stakeholders' and customers' expectations.

     

    Equinor’s expediting team closely monitors and follows up on POs with items critical to our operations. If you receive a communication from us, it will include a detailed list of POs requiring follow-up, provided in an HTML table via email.

     

    We kindly request that you review these orders and provide feedback on the expected delivery timelines. If adjustments or corrective actions are needed, we request that suppliers promptly notify Equinor of any updates or changes related to POs.

     

    Your cooperation in maintaining clear communication and providing accurate updates strengthens our partnership and supports the success of our shared operations.