The uncomfortable truth is that even if a cyber incident happens because of a supplier, an IT vendor, or even your supplier’s supplier, your business is legally responsible.
It’s like lending your car: if your friend drives recklessly and causes damage, your insurance still pays. The same applies to your vendors: their security problems can quickly become yours.
Modern businesses rely on a complex web of suppliers and service providers. This brings efficiency and flexibility, but it also means your security is only as strong as the weakest link in your supply chain.
Cybercriminals know this.
Attacking a small, less-protected vendor is often the easiest way to get to a bigger target.
One high-profile example is the Target breach in 2013, where attackers entered the retailer’s network through a third-party vendor. The incident cost Target over $200 million in damages and settlements (Source: Red River Security – https://redriver.com/security/target-data-breach).
With the NIS2 Directive, the EU has expanded accountability, making it clear that ignoring supplier risks is no longer an option. Managing third-party risk isn't just best practice; in the EU, it's backed by law. NIS2 sets clear requirements for supply chain cybersecurity, GDPR adds strict rules for data protection when vendors handle personal data, and ISO standards provide the step-by-step playbook to put those rules into practice.
This also directly impacts your external audits.
Auditors no longer look only at internal controls — they verify how you manage supplier risks, what evidence you keep, and whether your third-party processes are documented and repeatable. If you want to understand what auditors typically expect, see our guide on How to prepare for an external audit.
Practical steps to minimize third-party risk:
STEP 1 – Map Your Vendors and Critical Suppliers
List all external companies you depend on, not just IT providers but also cloud platforms, software vendors, hardware suppliers, and key subcontractors. Include fourth parties (your vendors’ vendors) if they are critical to your operations.
Once mapped, group vendors by criticality (e.g., high, medium, low). Not every supplier carries the same risk: a cloud hosting provider or payment processor poses a far bigger risk than a catering service. Tiering lets you focus security checks where they matter most.
STEP 2 – Check Their Security and Compliance
Ask basic but important questions, such as:
- Do they keep systems updated?
- Have they had a security breach in the last two years?
- Do they follow recognized standards like ISO 27001 or SOC 2?
- Do they have regular cybersecurity training for their staff?
If they handle personal data, check their GDPR measures and whether they can delete or return your data when asked. For critical vendors, ask for proof such as an up-to-date SOC 2 or ISO 27001 certificate, penetration test results, or a recent audit report.
You can streamline this process with tools. In Tazilla, the "Third Parties" module allows you to register suppliers, use a built-in self-assessment questionnaire, and automatically generate a risk profile (inherent and residual risk) for each vendor. Results are stored for audits and help you decide whether to continue, conditionally approve, or stop cooperation.
STEP 3 – Put Security Obligations in Contracts
Include clauses that require security best practices, fast incident reporting (e.g., within 24 hours), and give you audit rights. For GDPR processors, ensure the contract includes Article 28 requirements. Contracts can also specify requirements such as annual delivery of a SOC 2 report, maintaining ISO 27001 certification, or notification within 48 hours of any subcontractor change.
STEP 4 – Monitor and Review Regularly
Reassess critical vendors and suppliers at least once a year, or more often for high-risk ones. Check if their certifications are still valid, if they’ve had incidents, and if they’re meeting agreed standards. Consider continuous monitoring solutions or external vendor risk rating services for your most critical suppliers.
STEP 5 – Have a Vendor-Inclusive Incident Response Plan
Plan ahead for what to do if a vendor is compromised:
- Who will take over their role?
- How will you protect your customers?
- How will you communicate the incident internally and externally?
Test this plan with tabletop exercises involving your critical vendors to make sure everyone knows their role before a real incident happens.
STEP 6 – Offboarding
When a vendor relationship ends, make sure access is revoked, accounts are disabled, and any shared data is either deleted or returned. Otherwise, “orphaned” access or leftover data can create hidden risks long after the contract ends.
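The six steps above fit naturally into a small vendor register. The following is an added example written for this article (it is not Tazilla's code or any product's API): vendors are tiered by criticality, reassessment deadlines and certificate validity are checked on each review, contract terms are verified, and offboarded vendors are checked for orphaned accounts. The vendor names, dates and the six-month review interval for high-risk vendors are constructed assumptions; the article itself only asks for "at least once a year, or more often for high-risk ones".

```python
"""Vendor risk register for the six-step process above (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Step 4 cadence per tier assigned in step 1. The 182-day interval for "high" is
# this example's assumption; the article only requires annual review as a minimum.
REVIEW_INTERVAL_DAYS = {"high": 182, "medium": 365, "low": 365}
MAX_INCIDENT_REPORT_HOURS = 24  # contract clause from step 3


@dataclass
class Vendor:
    name: str
    criticality: str                   # "high", "medium" or "low"
    handles_personal_data: bool
    last_assessment: date | None       # date of the last questionnaire / audit review
    cert_expiry: date | None           # validity end of the ISO 27001 cert or SOC 2 report
    breach_last_two_years: bool
    incident_report_hours: int | None  # reporting deadline written into the contract
    has_article_28_terms: bool         # GDPR processor clauses present
    active: bool = True
    accounts: list[str] = field(default_factory=list)  # accounts in your systems


def review_vendor(v: Vendor, today: date) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; severity is 'critical' or 'warning'."""
    findings: list[tuple[str, str]] = []

    # Step 6: a terminated vendor must have no remaining access.
    if not v.active:
        if v.accounts:
            findings.append(("critical", "orphaned access after offboarding: " + ", ".join(v.accounts)))
        return findings

    # Step 4: reassessment is due based on the tier.
    interval = REVIEW_INTERVAL_DAYS[v.criticality]
    if v.last_assessment is None:
        findings.append(("critical", "never assessed"))
    elif (today - v.last_assessment).days > interval:
        findings.append(("warning", f"assessment overdue (limit {interval} days)"))

    # Step 2: certification evidence, and whether it is still valid.
    if v.cert_expiry is None:
        if v.criticality == "high":
            findings.append(("critical", "no ISO 27001 / SOC 2 evidence on file"))
    elif v.cert_expiry < today:
        findings.append(("warning", f"certification expired on {v.cert_expiry}"))

    if v.breach_last_two_years:
        findings.append(("warning", "breach in the last two years; request remediation report"))

    # Step 3: contractual obligations.
    if v.incident_report_hours is None or v.incident_report_hours > MAX_INCIDENT_REPORT_HOURS:
        findings.append(("warning", f"contract lacks {MAX_INCIDENT_REPORT_HOURS}h incident reporting clause"))
    if v.handles_personal_data and not v.has_article_28_terms:
        findings.append(("critical", "processes personal data without GDPR Article 28 terms"))

    return findings


def decision(findings: list[tuple[str, str]]) -> str:
    """Map findings to the three outcomes: continue, conditionally approve, stop."""
    if any(sev == "critical" for sev, _ in findings):
        return "stop"
    if findings:
        return "conditionally approve"
    return "continue"


def run_register(vendors: list[Vendor], today: date) -> dict[str, str]:
    """Decision per vendor name for the whole register."""
    return {v.name: decision(review_vendor(v, today)) for v in vendors}


# Constructed sample register: names, dates and terms are made up for this example.
TODAY = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("CloudHost Ltd", "high", True, date(2024, 11, 15), date(2026, 1, 31), False, 24, True),
    Vendor("PayFlow Inc", "high", True, date(2024, 2, 1), date(2024, 12, 31), True, 72, True),
    Vendor("OfficeCatering", "low", False, date(2024, 6, 1), None, False, 24, False),
    Vendor("OldAnalytics Co", "medium", True, date(2023, 1, 1), None, False, 24, True,
           active=False, accounts=["svc-analytics", "vpn-oldanalytics"]),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: {decision(review_vendor(v, TODAY))}")
        for sev, msg in review_vendor(v, TODAY):
            print(f"  [{sev}] {msg}")
```

In the sample run the hosting provider passes cleanly, the payment processor is conditionally approved because its assessment and SOC 2 report are out of date and its contract allows 72 hours for incident reporting, and the terminated analytics vendor is flagged as "stop" because two accounts were never disabled. Keeping the register as data with a repeatable review function is also what gives an auditor the evidence trail mentioned earlier: every decision can be regenerated from the recorded inputs.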
Third-party risk is no longer just an IT department concern.
Now it’s a legal, operational, and reputational issue.
After all, no one wants to do business with a company known for weak cybersecurity. NIS2 and GDPR make it clear: protecting your supply chain is your responsibility.
By starting with a simple process (mapping vendors, checking security, setting strong contracts, monitoring regularly, and preparing for incidents), you can protect your business and meet your legal obligations.