For years, third-party and supply chain risks have been among the most significant cybersecurity and legal threats to organizations.
The European Union Agency for Cybersecurity ranks supply chain risks among its "prime threats," and its Foresight 2030 analysis identifies "supply chain compromise of software dependencies" as the threat with the highest risk score by 2030. The risk arises from increased reliance on third-party suppliers, which introduces new vulnerabilities and attack vectors into systems the organization does not directly control.
ENISA's March 2024 update to that foresight report reiterates these concerns, and the global disruptions caused by the faulty CrowdStrike update in July 2024 showed how a single supplier's failure can cascade across many organizations at once.
Over the years, EU lawmakers have adopted legislation aimed at strengthening supply chain security and resilience, addressing third-party risk explicitly to protect against evolving cyber threats.
GDPR
Under the EU General Data Protection Regulation, effective third-party risk management requires data protection measures that satisfy the accountability principle and are proportionate to the risk of the processing.
Before outsourcing any data processing activities, proper planning and thorough risk assessments are crucial. The data controller must evaluate potential risks in the third party's processing operations, considering the nature of the personal data involved and the specific processing activities. This helps identify vulnerabilities and ensures appropriate safeguards are put in place as needed.
It is essential to correctly define the roles of all parties, whether as data controllers, processors or joint controllers, so that each one fully understands its obligations under the GDPR. Under Article 28(1), a controller may only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures.
In cases involving joint controllers, Article 26 mandates a joint controller agreement that clarifies each party's responsibilities, particularly regarding transparency and the rights of data subjects. For data transfers outside the EU, appropriate mechanisms like standard contractual clauses or other recognized agreements must be used to maintain accountability and data protection.
A written data processing agreement, setting out the processor's obligations and enabling the controller to demonstrate compliance, is required under Article 28(3). Article 29 further requires that the processor, and any person acting under the authority of the controller or processor who has access to personal data, process it only on the controller's instructions.
Regular training may be needed for personnel involved in processing. The data controller must also monitor third-party processors through audits, questionnaires and on-site inspections when necessary.
Additionally, change management procedures must support accountability: engaging or replacing a sub-processor, for instance, requires the controller's prior specific or general written authorization under Article 28(2), and other changes may call for the controller's approval depending on the risk level. Secure return or deletion of data must be ensured at the end of the relationship, which also helps avoid "vendor lock-in," while robust policies for supplier selection, monitoring and auditing must be maintained to adhere to GDPR principles.
NIS2 Directive
The Network and Information Security Directive II strengthens cybersecurity by expanding its scope to more sectors and replacing the earlier distinction between operators of essential services and digital service providers with the categories of essential and important entities. It requires these entities to address cybersecurity risks, with a focus on supplier relationships and supply chain security, and to adopt measures covering incident handling, vulnerability handling and disclosure, cryptography and encryption, and cybersecurity testing.
Organizations must have clear policies and procedures to manage security risks throughout the life cycle of third-party relationships, from selection to termination, ensuring compliance with NIS2 and national implementing laws in EU member states.
Under the NIS2 Directive, third-party risk management plays a key role in safeguarding networks and information systems. NIS2 enhances obligations for organizations to manage risks associated with their third-party relationships, particularly within the supply chain.
Adopting a risk-based approach to third-party risk management is a key requirement. This entails identifying and evaluating the risks posed by external suppliers and service providers, especially those involved in delivering critical services or maintaining essential infrastructure. Because third-party relationships can introduce significant vulnerabilities, organizations must exercise due diligence when selecting and overseeing their suppliers.
The NIS2 Directive emphasizes securing the entire supply chain, including fourth-party relationships, meaning the suppliers of suppliers. Organizations must set clear security requirements in their contracts with third parties, ensuring these external partners implement adequate cybersecurity measures and align with the organization's security policies.
This includes requiring third parties to contribute to the overall security of the organization by applying effective technical and organizational measures to protect against cyber threats.
Further, organizations must regularly monitor and review suppliers' cybersecurity practices to ensure security measures remain effective and evolve in response to emerging threats. This may involve conducting security audits, assessments or other forms of monitoring to ensure accountability and compliance with applicable legal security requirements.
DORA
The Digital Operational Resilience Act, which applies as lex specialis to the NIS2 Directive for the financial sector, prescribes requirements for financial entities to integrate information and communications technology risk, including ICT third-party risk, into their broader risk management frameworks.
Financial entities remain accountable for all obligations, even when outsourcing ICT services, and must ensure proportionality based on service complexity and criticality.
Strategies for managing ICT third-party risk, including policies on the use of ICT services supporting critical or important functions, must be regularly reviewed by the management body. Entities must maintain an updated register of information on all contractual arrangements with ICT third-party service providers and report key details to the competent authorities at least annually. Before entering into a contract, entities must assess the criticality of the service, the associated risks and any conflicts of interest, and ensure the service provider meets appropriate security standards.
Audits and inspections are mandatory, and the frequency and scope must be based on a risk-based approach. Auditors must possess appropriate skills, especially for technically complex services. Contracts must also allow for termination if the provider breaches legal obligations, demonstrates weak ICT risk management or prevents effective supervision.
Financial entities must establish robust exit strategies for critical ICT services to mitigate the risks of service failure, poor quality or business disruption. These plans should include comprehensive transition measures to ensure the safe transfer of services and data to alternative providers, avoiding disruption, regulatory breaches or reduced service quality.
EU AI Act
The EU Artificial Intelligence Act outlines specific responsibilities across the AI value chain, targeting distributors, importers, deployers and third parties involved with high-risk AI systems.
Such an entity is treated as a provider, and takes on a provider's obligations, if it puts its name or trademark on a high-risk AI system already placed on the market, substantially modifies such a system, or changes the intended purpose of an AI system so that it becomes high-risk. In these cases the original provider is no longer considered the provider of that system but must still cooperate, for example by supplying the information, technical access and assistance needed for the new provider to comply.
Where a high-risk AI system is a safety component of a product covered by EU harmonization legislation and is placed on the market under the product manufacturer's name, the manufacturer is considered the provider. Providers must conclude written agreements with third parties supplying AI systems, tools, services, components or processes used in or integrated into a high-risk AI system, specifying the information and assistance needed for compliance; this requirement does not apply to third parties making such items available under a free and open-source license, other than general-purpose AI models. The EU AI Office may develop voluntary model contractual terms to support compliance, while safeguarding intellectual property and confidential business information.
Ensure accountability, security
Managing third-party risks is critical for organizational security and legal compliance, as emphasized by various EU laws. The EU identifies third-party and supply chain risks as major cybersecurity threats, particularly with the growing reliance on external suppliers.
Laws such as the GDPR, NIS2, DORA and the AI Act each address third-party risk management from their own angle, whether data protection, network and information security, financial-sector resilience or AI governance. These frameworks share a common set of expectations: comprehensive planning, contractual safeguards, continuous monitoring and clear role definitions to ensure accountability and security.
Organizations must proactively manage these often overlapping requirements, which may be a challenge.
Tamás Bereczki, CIPP/E, and Ádám Liber, CIPP/E, CIPM, FIP, are partners at PROVARIS Varga & Partners.