Cybersecurity in the supply chain: from third party risk to ecosystem risk

May 4, 2026

Cybersecurity in the supply chain is often approached as a supplier issue: we identify risks, assess third parties and establish controls. However, this approach is no longer sufficient because today organisations no longer rely on linear relationships, but on interconnected ecosystems where risks are not always visible or direct.

In fact, many security breaches do not originate within the company perimeter, but somewhere within this extended network. According to BitSight, 60% of organisations have reported incidents linked to their supply chain. This figure reflects increased exposure and limitations in risk management.

Factors such as outsourcing and the growing adoption of digital services require a broader perspective to understand the full ecosystem, including suppliers of suppliers (and their suppliers), which indirectly expand the scope of risk.

Supply chain risk is no longer linear: it is distributed across an entire ecosystem of dependencies.

What is third party risk in the supply chain and why it is no longer sufficient

For years, organisations have strengthened the security of their direct suppliers through audits, assessments and contractual requirements. This has improved control at that first layer, but it does not solve the underlying problem.

Digitalisation has transformed business relationships. Each supplier integrates multiple services and technologies that, in turn, depend on third parties. The result is a network of interdependencies that traditional risk management models are not equipped to address.

Organisations can therefore control what falls within their direct scope, but not what actually drives their risk exposure. As a result, incidents are no longer isolated events but become propagation dynamics, where a vulnerability at one point in the ecosystem can quickly escalate and affect multiple parties.

The gap between what is controlled and what actually introduces risk is now one of the main challenges in Cybersecurity.

How supplier Cybersecurity is evolving towards ecosystem risk

Accepting that risk does not end with direct suppliers requires rethinking the model, moving from analysing individual relationships to understanding dependencies across the ecosystem.

This is where fourth party risk management (FPRM) becomes relevant, as it incorporates the suppliers of our suppliers into the analysis. This approach enables a more accurate view of risk, aligned with the real structure of operations.

Its value lies in introducing three critical capabilities: visibility over indirect dependencies, continuous risk assessment and coordination between stakeholders. This makes it possible to anticipate cascading effects that, in traditional models, are only identified once the impact has already materialised.

The impact of an incident does not depend on where it originates, but on how it propagates across the ecosystem.

Key risks and blind spots in the digital supply chain

Although the shift towards fourth party risk is gaining traction, many organisations still operate with limitations that prevent its effective implementation.

These blind spots do not stem from a single issue, but from a combination of barriers that make it difficult to manage risk effectively beyond the first tier of suppliers.

Lack of visibility over third parties

A key risk in supply chain Cybersecurity is the lack of visibility over third parties. Organisations may control their direct suppliers, but often lack visibility of other actors involved in services or critical infrastructure.

Lack of visibility makes it harder to assess supply chain risk, particularly in the case of indirect dependencies that may act as attack vectors.

Lack of traceability and mapping in the digital supply chain

Without a clear mapping of technological, operational and relational dependencies, it becomes difficult to identify how vulnerabilities propagate and anticipate incidents, complicating risk prioritisation.

In practice, organisations operate with only a partial view of their exposure, reducing the effectiveness of any risk management strategy.
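The dependency mapping described here, and the cascading propagation discussed earlier, can be made concrete with a small graph model. The following is an added illustration, not code from the article: the supplier names, the tiering and the maturity scores are all constructed, and a real mapping would be fed from contract, SBOM or vendor-inventory data rather than a hard-coded dictionary.

```python
from collections import deque

# Constructed sample ecosystem (not from the article). Each party maps to the
# parties it directly depends on; "org" is the organisation being analysed.
DEPENDS_ON = {
    "org":               ["cloud_hosting", "payroll_saas", "payment_gateway"],
    "cloud_hosting":     ["dns_provider", "identity_provider"],
    "payroll_saas":      ["identity_provider", "email_relay"],
    "payment_gateway":   ["dns_provider", "hsm_vendor"],
    "email_relay":       ["dns_provider"],
    "dns_provider":      [],
    "identity_provider": [],
    "hsm_vendor":        [],
}

# Constructed maturity scores on a 0-5 scale; lower means less prepared.
MATURITY = {"cloud_hosting": 4, "payroll_saas": 3, "payment_gateway": 4,
            "email_relay": 2, "dns_provider": 3, "identity_provider": 4,
            "hsm_vendor": 5}

def transitive_dependencies(graph, party):
    """Return {dependency: tier} for everything reachable from `party`.
    Tier 1 is a direct supplier, tier 2 a supplier's supplier, and so on;
    a party reachable by several paths keeps its shortest tier."""
    tiers, queue = {}, deque((d, 1) for d in graph.get(party, []))
    while queue:
        node, tier = queue.popleft()
        if node in tiers and tiers[node] <= tier:
            continue
        tiers[node] = tier
        queue.extend((d, tier + 1) for d in graph.get(node, []))
    return tiers

def blind_spots(graph, party):
    """Dependencies a first-tier-only assessment never sees (tier > 1)."""
    return {d for d, t in transitive_dependencies(graph, party).items() if t > 1}

def blast_radius(graph, compromised):
    """Parties affected if `compromised` suffers an incident: every party
    that depends on it directly or transitively (propagation upward)."""
    dependents = {}
    for party, deps in graph.items():
        for d in deps:
            dependents.setdefault(d, set()).add(party)
    affected, stack = set(), [compromised]
    while stack:
        for parent in dependents.get(stack.pop(), ()):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return affected

def weakest_link(graph, maturity, party):
    """The chain is only as strong as its least prepared participant:
    return (name, score) of the lowest-maturity transitive dependency."""
    deps = transitive_dependencies(graph, party)
    return min(((d, maturity[d]) for d in deps), key=lambda pair: pair[1])
```

In this constructed ecosystem the single DNS provider, invisible to a tier-1 review, sits beneath all three direct suppliers, so an incident there reaches the organisation through every one of them.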

Difficulty in applying Cybersecurity controls to third parties

Outsourcing and subcontracting blur responsibility boundaries, reducing organisations’ ability to require, verify or audit security measures in indirect suppliers.

This is one of the main challenges in third party risk management: extending security policies to environments that are not under direct control.

Uneven Cybersecurity maturity among suppliers

Not all actors within the ecosystem operate with the same levels of Cybersecurity maturity. This heterogeneity creates inconsistencies in protection and turns weaker links into entry points for attacks.

From a global perspective, the security level of the chain largely depends on its least prepared participant.

Regulatory complexity in supply chain Cybersecurity

Supply chain risk management is both technical and regulatory; working with suppliers requires compliance with frameworks such as the NIS2 Directive, DORA or the Cyber Resilience Act, which introduce additional requirements for third parties.

This complexity increases the need to integrate compliance and security within a unified strategy.

Limitations in detecting and responding to third party incidents

Without visibility or defined coordination channels, incidents originating in third parties are often detected later and handled less effectively. This amplifies their impact and makes containment more difficult.

Improving incident response capabilities across the supply chain is key to preventing cascading effects between participating organisations.

A significant proportion of risk remains outside the direct control of organisations.

What regulation requires in supply chain Cybersecurity (NIS2, DORA, CRA)

The regulatory framework is evolving to address increasingly interdependent risks. New regulations expand the scope of Cybersecurity by explicitly incorporating third party management into compliance requirements.

NIS2: enhanced oversight of suppliers

The NIS2 Directive strengthens organisations’ obligations in relation to their suppliers, requiring enhanced capabilities for assessment, monitoring and incident reporting.

DORA: operational resilience in third party dependent environments

DORA introduces specific requirements to strengthen digital resilience, with a clear focus on managing risks associated with technology providers.

Cyber Resilience Act: security across the digital lifecycle

The Cyber Resilience Act establishes requirements for security from design through to the operation of digital products, with a direct impact on the supply chain and the integration of third party components.

How to evolve towards continuous risk management in the supply chain

In this context, and beyond identifying risks, the challenge is to manage risk continuously.

Moving towards models that combine visibility, analysis and data driven decision making involves implementing continuous monitoring mechanisms to assess the security posture of both the organisation and its supplier ecosystem.

This approach enables organisations to prioritise risks, anticipate vulnerabilities and align Cybersecurity with business decisions, from supplier selection to procurement processes or insurance management.

The objective is to transform risk management into a process that adapts to changes in context and environment. To achieve this, it is essential to integrate these capabilities within a model that combines expertise, technology, processes and governance. This allows organisations to evolve from reactive management towards sustained cyber resilience.

Capabilities that enable this approach to scale

When these capabilities are delivered as continuous third party risk management services and supported by objective data and continuous monitoring, they enable organisations to progress more efficiently towards more mature risk management models, reducing operational friction and facilitating adoption at scale. This shift marks the difference between managing risks in isolation and building genuine resilience across the entire supply chain.

Cybersecurity shifts from being a one off assessment to becoming a continuous, data driven process aligned with the business.

Conclusion

Supply chain Cybersecurity can no longer be addressed solely through relationships with direct suppliers, as exposure exists across the entire ecosystem. It therefore becomes part of both the strategy and the structure of business resilience.

The challenge lies in managing an environment of dependencies where risk is distributed across multiple actors. Developing this capability enables organisations to operate with greater predictability, strengthen trust across the ecosystem and maintain business continuity in environments where dependencies between suppliers, technologies and services are increasingly critical.