A major lesson from recent attacks is that the supply chain is often the weakest link in cybersecurity. Malicious code inserted into software updates (e.g. the SolarWinds affair), ransomware hitting a critical service provider and paralyzing its customers in cascade, data theft via a negligent supplier… So many scenarios have highlighted the importance of managing third-party cyber risk (Third-Party Risk). The NIS 2 directive explicitly integrates this dimension: it requires companies to take into account the security of their suppliers and subcontractors in their own risk management (NIS2 Requirements | 10 Minimum Measures to Address). This reflects a stark reality: your level of security also depends on that of your partners.

Supplier risk: a growing systemic issue

With digital transformation, companies are becoming increasingly interconnected. On average, an S&P 500 company works with thousands of suppliers, many of which access its systems or data. Each connection, each dependency, represents an additional attack surface. Cybercriminals are well aware of this: it is often easier to gain access via a less protected supplier than to attack a large, highly secure company directly. According to a recent study, 61% of companies have suffered a third-party data breach in the last 12 months (61% of Companies Have Been Breached by a Third Party – Prevalent). This alarming figure is up 49% on the previous year, a sign that supply chain attacks are rising sharply.

NIS 2 therefore devotes one of its minimum measures to supply chain security (NIS2 Requirements | 10 Minimum Measures to Address). Specifically, organizations must assess the vulnerabilities of each major direct supplier, and choose appropriate security measures for each (NIS2 Requirements | 10 Minimum Measures to Address). The aim is to establish a genuine Third-Party Risk Management (TPRM) process. In addition, the broader scope of NIS 2 means that a number of “smaller” supply chain players will themselves be subject to the directive. Indeed, even mid-sized subcontractors can be classified as large entities if they provide critical services and exceed the thresholds of 50 employees/10 M€ (NIS 2 Directive: Impact on SMEs and suppliers). The result is a wider safety net encompassing the entire ecosystem around critical operators.

For CIOs, this means a broader scope of vigilance. It is no longer enough to secure their own systems; they must ensure that their key partners do not become the gateway for attackers. There’s a saying that sums up the challenge: “You’re only as strong as your weakest link”. And unfortunately, many companies have little visibility of the robustness of their third parties. In the euphoria of digital transformation, SaaS tools and cloud providers have multiplied, sometimes without any real security controls. The result: VPN access granted to service providers with no MFA, unencrypted data exchanges with subcontractors, or contracts with no security clauses… These are all ticking time bombs that NIS 2 encourages you to defuse.

Implications and best practices for managing third-party risks

The integration of the supply chain into NIS 2 will push companies to professionalize their supplier management from a security point of view. Here are the best practices to implement:

  • Draw up a register of third parties and map access: Make a list of your suppliers and digital service providers, identifying those that are critical to your operations or have access to sensitive data. For each, map the points of interconnection with your IS (network access, user accounts provided, file exchange, APIs, etc.). This overview is the prerequisite for risk assessment.
  • Assess the security level of your suppliers: Set up a third-party risk assessment process. This can take the form of security questionnaires sent to suppliers (self-assessment of their practices: policies, certifications, measures in place), certification or audit requirements (ISO 27001, SecNumCloud label, etc.), or even technical scans or external assessments (cyber rating scores, SOC 2 reports supplied by the service provider, etc.). The aim is to rate suppliers according to a level of risk (high, moderate, low), taking into account both their level of security and the criticality of the connection with your company.
  • Integrate security requirements into contracts: Work with your legal department to insert specific clauses into your contracts and calls for tender. For example: a requirement for the supplier to notify you of any cyber-attack affecting it (similar to NIS 2 notification obligations), a termination clause in the event of a serious breach of security, security audit rights, and a commitment to comply with certain standards (e.g. encryption of entrusted data, MFA for access to customer systems, etc.). In this way, you formalize a level of requirements and give yourself leverage if the supplier drags its feet.
  • Collaborate with suppliers on remediation: If a supplier has weaknesses (e.g. no continuity plan, no vulnerability management procedure), work together on a remediation plan. Rather than punishing the supplier outright, support them (especially if they are a small provider). For example, invite them to take part in your security training courses, share best practices, or point them towards resources (ANSSI guides, etc.). This collaborative approach raises the overall level of security in your chain.
  • Limit third-party access and permissions: Apply the principle of least privilege to third-party accounts. Give access only to the resources the supplier actually needs, and disable access as soon as it is no longer required. Monitor supplier account activity (review logs). Implement specific controls on third-party connections: for example, impose strong authentication for service providers, segment the network to isolate supplier access, restrict authorized times or source IP addresses, etc. If a service provider is compromised, these measures will limit the impact on you.
  • Monitor continuously and reassess periodically: Third-party risk management is not an annual one-off exercise – it’s an ongoing process. Monitor alerts and news of cyber incidents involving your suppliers. Maintain a watch (for example, if one of your cloud providers suffers a public breach, react quickly). Reassess your key suppliers every year, or whenever there is a major change (new service entrusted to them, changes to their IS). And integrate the third-party risk dimension into your internal governance, for example by discussing it in a risk committee, with dedicated reporting.
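As an added illustration of the register, rating and least-privilege steps above (example code, not from the original article or the Smart Global Governance product), the following Python sketch keeps a small third-party register with the mapped access points, derives a high/moderate/low risk tier from the questionnaire score combined with the criticality of the connection, and flags accesses that lack MFA, have gone stale, or are not restricted to known source IPs. The score cut-offs, the 90-day staleness threshold and the supplier entries are constructed assumptions.

```python
from dataclasses import dataclass, field

STALE_DAYS = 90  # assumed threshold: third-party access unused this long gets disabled
RANK = {"low": 0, "moderate": 1, "high": 2}

@dataclass
class Access:
    kind: str            # mapped interconnection: "vpn", "api", "user-account", ...
    mfa: bool            # strong authentication enforced on this access
    last_used_days: int  # days since the access was last used (from the logs)
    ip_restricted: bool  # source IPs limited to the supplier's known ranges

@dataclass
class Supplier:
    name: str
    criticality: str     # "low"/"moderate"/"high": importance of the service or data entrusted
    security_score: int  # 0-100 from the questionnaire, audit or external rating
    accesses: list = field(default_factory=list)

def maturity_level(score: int) -> str:
    """Bucket a questionnaire score into a maturity level (assumed cut-offs)."""
    return "high" if score >= 75 else "moderate" if score >= 50 else "low"

def risk_tier(supplier: Supplier) -> str:
    """Combine weak maturity with the criticality of the connection.
    A critical supplier with weak security is high risk; a non-critical one with
    strong security is low risk; the remaining combinations are moderate."""
    weakness = 2 - RANK[maturity_level(supplier.security_score)]
    combined = weakness + RANK[supplier.criticality]
    return "high" if combined >= 3 else "moderate" if combined >= 2 else "low"

def access_findings(supplier: Supplier) -> list:
    """Least-privilege review of each mapped access: MFA, staleness, IP restriction."""
    findings = []
    for a in supplier.accesses:
        if not a.mfa:
            findings.append(f"{a.kind}: no MFA enforced")
        if a.last_used_days > STALE_DAYS:
            findings.append(f"{a.kind}: unused for {a.last_used_days} days, disable it")
        if a.kind == "vpn" and not a.ip_restricted:
            findings.append(f"{a.kind}: not restricted to known source IPs")
    return findings

# Constructed, fictitious register entries for the demonstration.
REGISTER = [
    Supplier("Payroll SaaS", "high", 40, [Access("vpn", False, 3, False)]),
    Supplier("Facilities portal", "low", 80, [Access("user-account", True, 200, True)]),
]
```

Running `risk_tier` and `access_findings` over each entry gives the tier to record in the register and the concrete points to raise with that supplier in its remediation plan.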

By applying these principles, the company protects itself by raising the level of trust in its ecosystem. Note that this is a two-way process: just as you require your suppliers to be solid, your own customers may hold you to account for your security (especially if you yourself are a supplier in someone else’s chain). By creating a common standard, NIS 2 facilitates this exchange of requirements on both sides.

Smart Global Governance solutions for managing third-party risks

The Smart Global Governance platform integrates advanced functionalities for end-to-end supplier risk management. In particular, the Supply Chain Manager Suite module is designed to help you assess, monitor and reduce the cyber risks associated with your third parties, efficiently and centrally.

Here’s how Smart Global Governance meets this challenge in concrete terms:

  • Centralized third-party database: The solution enables you to list all your suppliers and partners, with their key information (contact, contract, services provided, IS access, shared data, etc.). Each third party has a profile sheet that can be consulted by all authorized stakeholders (IT, Purchasing, Risk, etc.). No more scattered manual listings: you have a 360° view of your ecosystem.
  • Automated evaluation questionnaires: Smart Global Governance makes it easy to send online security questionnaires to your suppliers. Thanks to pre-established templates aligned with standards (based on NIS 2, ISO 27001, etc.), you can uniformly evaluate your third parties. Suppliers respond via a dedicated portal, and responses are aggregated automatically. The system can even assign a maturity score to each supplier based on the responses, giving you an objective benchmark. This automated process saves you an enormous amount of time compared with manual e-mail reminders.
  • Follow-up of supplier action plans: If a supplier presents non-conformities or weaknesses, Smart Global Governance helps you to steer remediation plans. You can assign actions to the supplier (e.g. “implement a backup policy within 3 months”) and track their completion via dashboards. The supplier itself can update progress or attach evidence in the portal, creating a transparent collaboration channel. You retain a history of all measures taken, proving your diligence in the event of an audit.
  • Continuous assessment and alerts: The platform can interface with external cyber rating services (Cyber Threat Intelligence, attack surface scans, etc.) to feed a real-time risk score of your suppliers. If one of your suppliers suffers a public data leak or sees its security rating drop, you receive an instant alert. This enables you to take proactive action (contact the supplier, step up monitoring) without waiting for the next annual assessment. This continuous approach is in line with the spirit of permanent vigilance promoted by NIS 2.
  • Integration with purchasing processes: Smart Global Governance can be integrated with your purchasing/ERP tools to intervene right from the start of the supplier life cycle. For example, when selecting a new critical supplier, a risk assessment via the platform may be required before final approval. In this way, security becomes a selection criterion on a par with price or quality of service. This integration reinforces upstream consideration of third-party risk, avoiding the discovery of problems after the contract has been signed.
  • Consolidated reporting: Finally, the solution provides global dashboards on third-party risk exposure. You can visualize how many suppliers are classified as high risk, track the evolution of scores over time, see the progress of remediation plans, and so on. This reporting is invaluable for informing management (e.g.: “Of our 50 critical suppliers, 45 are considered to be under controlled risk, and 5 are subject to reinforced monitoring”). This demonstrates mastery of the subject and reassures auditors/customers who are concerned about supply chain risk.

Thanks to Smart Global Governance, third-party risk management becomes a structured, tool-based process. You move from a potentially manual approach (Excel files, ad hoc reminders) to an industrial, data-driven approach. The result: far greater visibility and the ability to anticipate rather than suffer. In a context where supply chain attacks can have devastating effects, equipping your organization with this kind of control capability is a major asset. You’ll always know where your external weak points are, and can actively work with your partners to strengthen them – transforming your supply chain into a chain of trust.
