THREAT BRIEFING · 16.07.2026 DEENFRES

Strategy & Governance

Supply Chain Risk Is a Program, Not an Audit Checklist

By Alec Chizhik · June 21, 2026 · 10 min read

The supplier list was green before the audit. Then an admin access of a subcontractor of the ERP hoster appeared in a ticket system that was neither in the contract nor in the register. NIS2 and DORA do not require a checked-off questionnaire archive, but a process that keeps contracts, data, and accesses continuously synchronized.

Key Points at a Glance

  • Legal Core: Section 30 BSIG requires supply chain security for direct suppliers. NIS2 Article 21 demands ongoing risk management. A register alone does not fulfill this.
  • DORA is stricter: In the financial sector, an ICT third-party register with annual reporting, exit strategies, and ongoing monitoring has been mandatory since January 17, 2025. On November 18, 2025, the supervisory authorities designated 19 critical providers.
  • A snapshot is not enough: Yesterday’s questionnaire status does not cover today’s subcontractor change. Tiering by criticality and continuous monitoring replace the annual audit.
  • Ownership decides: Without a clear owner for each process step and connection to the Enterprise Risk Register, supplier risk remains a procurement ticket instead of a board-level topic.

Related:TrapDoor: Supply Chain Attack on npm, PyPI and Crates  /  DORA and NIS2: Why Bank Audits Collide

What Section 30 Really Requires for the Supply Chain

What is Third-Party Risk Management? Third-Party Risk Management is the ongoing process by which an organization identifies, assesses, contractually secures, and monitors the security risks of its service providers, software vendors, and their subcontractors. It covers the entire cycle from onboarding through continuous oversight to offboarding.

Section 30 paragraph 2 number 4 BSIG explicitly names supply chain security as a mandatory measure. The focus lies on relationships with immediate providers. The entire chain down to raw materials is not intended. That is the good news for the Mittelstand: it concerns direct contractual partners who have access to systems or data.

The less convenient news stands in paragraph 1 and the European template. The measures must be appropriate, proportionate, and effective; in addition there is a documentation obligation. NIS2 Article 21 requires ongoing risk management for all network and information systems used in operations. Recital 85 of the Directive names cloud, managed security, and software explicitly. A directory that is created once a year does not reflect this obligation.

DORA Turns the Register into an Ongoing Obligation

Those working in the financial sector know the stricter benchmark. DORA has applied mandatorily since January 17, 2025. For financial undertakings it takes precedence as more specific law over the NIS2 supply chain obligations. Both regimes do not apply in parallel to the same company. Article 28 places full responsibility with the financial undertaking, even if the service is outsourced.

The register of information is not an Excel file that is filled out once. It is maintained at the institution and group level, reported annually to the supervisory authority, and must be fully available on request. Before every contract for a critical function comes due diligence, in addition to concentration risk analysis and exit strategies. Article 30 prescribes specific contract contents: subcontractor rules, location of data processing, audit rights, and notification obligations for material changes.

How seriously the supervisory authorities take this became clear on November 18, 2025. The European supervisory authorities EBA, EIOPA, and ESMA published the first list of critical ICT third-party service providers-19 providers, including several major cloud providers and SAP. These providers are now under direct EU supervision. Supply chain risk is regulated at the system level, far beyond the individual contract.

Why the Annual Questionnaire Does Not Close the Gap

I once filed a supplier questionnaire with a green checkmark for ISO 27001 and considered the matter closed. Four months later the provider changed its hosting subcontractor. The questionnaire was still green; reality no longer was. This temporal discrepancy is precisely the problem.

The regulatory text intends a cycle. A one-time audit does not satisfy it. Section 30 number 6 requires an assessment of effectiveness; DORA Article 30 requires ongoing monitoring for critical contracts. Not every supplier requires the same depth. Tiering according to system access, data sensitivity, and availability dependence separates Tier A partners from the long list of non-critical service providers.

A data problem also arises. A 2026 industry survey on Third-Party Risk Management indicates that only a minority of programs are fully integrated into Enterprise Risk Management and even fewer organizations rate their data quality as high. The exact values depend on the methodology. The finding remains: Without a clean register there is no reliable tiering decision. Without ERM linkage the risk stays stuck in the procurement ticket instead of appearing in the quarterly report to the management board.

The following overview contrasts the two mindsets.

Dimension Audit List (Snapshot) Program (Continuous)
Frequency Once a year, before the audit Ongoing, triggered by contract and system changes
Scope All suppliers treated equally Tiering by criticality, Tier A intensive
Subcontractors Not captured Cascading clauses, fourth party in the register
Integration Procurement ticket Enterprise Risk Register, report to management
Evidence Questionnaire archive Maintained register, monitoring history, effectiveness assessment

Five Building Blocks That Turn Control into a Program

A robust program does not require a large platform; it needs clear owners for each process step. Five building blocks are sufficient to begin.

Policy and Tiering. A criticality matrix based on access, data, and availability determines who is Tier A and how often they are reviewed. The owner is the Risk function or the CISO, implemented by a TPRM manager.

Onboarding Assessment. Due diligence precedes the contract. After signing, access is often already active. Security evidence, location questions, and conflict checks must be resolved before access is activated. DORA Article 28 makes this mandatory for critical functions.

Ongoing Monitoring. Register maintenance, risk-based re-certification, and a channel for the supplier’s incident reports. This is where the program lives or dies. A contract change at the provider must trigger a signal. A quiet note is not enough.

Offboarding. Revocation of access, return or deletion of data, and documented contract termination. The most common blind spot is accesses that remain active after project completion.

Fourth Party and Software Transparency. Subcontractors belong in the register fields; critical software requires a bill of materials following the SBOM principle. Such a list is not an explicit regulatory obligation, but it helps carry vulnerability management under Section 30 number 5 BSIG through the supply chain.

Above all stands the management board. Section 38 BSIG obliges it to implement and oversee. A TPRM program without visible management review is a CISO cover sheet without governance value. The facility service provider with access to the server room is Tier A, even if procurement files it only under building services. Exactly these classifications decide the risk.

Getting Started: Where to Begin This Week

The path from questionnaire to program does not require a big bang. Five steps bring structure without blocking operations. First: identify the Tier A suppliers, that is all with system access or critical data. Second: reconcile the register against reality and add any missing subcontractors. Third: assign an owner and a monitoring cadence for each Tier A partner. Fourth: review the contract clauses on audit rights, subcontractors, and notification obligations. Fifth: elevate supplier risks as entries in the Enterprise Risk Register, with quarterly reporting to management.

This is not a project with an end date. It is an operating mode. Once established, the next audit passes almost incidentally, because the evidence is a byproduct of ongoing operations.

Frequently Asked Questions

Each question is locked. A tap unlocks the answer.

Does a Supplier Directory Suffice for NIS2 Compliance?

No. Section 30 BSIG and NIS2 Article 21 require appropriate, effective, and continuously managed measures. A directory alone is not enough. A static register without tiering, monitoring, and effectiveness assessment does not cover the obligation for risk management.

What Distinguishes DORA from the NIS2 Supply Chain Obligations?

DORA has applied since January 17, 2025 in the financial sector and takes precedence there. It requires a formal ICT third-party register with annual reporting, exit strategies, and detailed contract contents pursuant to Article 30. NIS2 sets the broader framework but is less formalized.

Do We Have to Capture Subcontractors of Our Service Providers?

In the financial sector yes, as soon as they touch critical or important functions. DORA Article 30 and the technical specifications for the register require cascading clauses and the capture of relevant subcontractors. Under NIS2, Section 30 number 4 primarily addresses immediate providers; the explicit obligation to capture subcontractors is a DORA specialty.

How Often Do We Have to Reassess Suppliers?

There is no fixed frequency for all. The rhythm depends on the tier: critical providers with system access are reviewed closely and event-driven; non-critical service providers less frequently. Triggers are contract changes, subcontractor changes, and security incidents.

What Is an SBOM and Why Does It Belong in TPRM?

An SBOM is a bill of materials of a product’s software components, often in CycloneDX or SPDX format. It shows which libraries come from the supply chain and thereby supports vulnerability management under Section 30 number 5 BSIG. An SBOM is not explicitly mandated, but it has become established practice. Without this transparency, software origin remains a blind spot.

Editor’s Reading Recommendations

Editor’s Picks

Editor’s PickTrapDoor: Coordinated Supply-Chain Attack on npm, PyPI and Crates – What CI/CD Teams Must Check NowEditor’s PickDORA and NIS2: Why Bank Audits Are Now CollidingEditor’s PickWhere the SME Sector Still Lags Technically on NIS

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Further reading

A magazine by Evernine Media GmbH