{"id":20896,"date":"2026-06-21T11:00:00","date_gmt":"2026-06-21T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20896"},"modified":"2026-07-09T16:17:03","modified_gmt":"2026-07-09T16:17:03","slug":"supply-chain-risk-is-a-program-not-an-audit-list","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/06\/21\/supply-chain-risk-is-a-program-not-an-audit-list\/","title":{"rendered":"Supply Chain Risk Is a Program, Not an Audit Checklist"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">6 min read<\/p>\n<p><strong>The supplier list was green before the audit. Then an admin access of a subcontractor of the ERP hoster appeared in a ticket system that was neither in the contract nor in the register. NIS2 and DORA do not require a checked-off questionnaire archive, but a process that keeps contracts, data, and accesses continuously synchronized.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Points at a Glance<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li><strong style=\"color:#69d8ed;\">Legal Core:<\/strong> Section 30 BSIG requires supply chain security for direct suppliers. NIS2 Article 21 demands ongoing risk management. A register alone does not fulfill this.<\/li>\n<li><strong style=\"color:#69d8ed;\">DORA is stricter:<\/strong> In the financial sector, an ICT third-party register with annual reporting, exit strategies, and ongoing monitoring has been mandatory since January 17, 2025. On November 18, 2025, the supervisory authorities designated 19 critical providers.<\/li>\n<li><strong style=\"color:#69d8ed;\">A snapshot is not enough:<\/strong> Yesterday&#8217;s questionnaire status does not cover today&#8217;s subcontractor change. Tiering by criticality and continuous monitoring replace the annual audit.<\/li>\n<li><strong style=\"color:#69d8ed;\">Ownership decides:<\/strong> Without a clear owner for each process step and connection to the Enterprise Risk Register, supplier risk remains a procurement ticket instead of a board-level topic.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#b8c5ce;margin:20px 0 32px 0;border-top:1px solid rgba(230,227,218,0.12);border-bottom:1px solid rgba(230,227,218,0.12);padding:10px 0;\"><span style=\"color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/25\/trapdoor-coordinated-supply-chain-attack-on-npm-pypi-and-crates-what-ci-cd\/\" style=\"color:#333;text-decoration:underline;\">TrapDoor: Supply Chain Attack on npm, PyPI and Crates<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/22\/dora-and-nis2-why-bank-audits-are-now-colliding\/\" style=\"color:#333;text-decoration:underline;\">DORA and NIS2: Why Bank Audits Collide<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Section 30 Really Requires for the Supply Chain<\/h2>\n<p><strong>What is Third-Party Risk Management?<\/strong> Third-Party Risk Management is the ongoing process by which an organization identifies, assesses, contractually secures, and monitors the security risks of its service providers, software vendors, and their subcontractors. It covers the entire cycle from onboarding through continuous oversight to offboarding.<\/p>\n<p>Section 30 paragraph 2 number 4 BSIG explicitly names supply chain security as a mandatory measure. The focus lies on relationships with immediate providers. The entire chain down to raw materials is not intended. That is the good news for the Mittelstand: it concerns direct contractual partners who have access to systems or data.<\/p>\n<p>The less convenient news stands in paragraph 1 and the European template. The measures must be appropriate, proportionate, and effective; in addition there is a documentation obligation. NIS2 Article 21 requires ongoing risk management for all network and information systems used in operations. Recital 85 of the Directive names cloud, managed security, and software explicitly. A directory that is created once a year does not reflect this obligation.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">DORA Turns the Register into an Ongoing Obligation<\/h2>\n<p>Those working in the financial sector know the stricter benchmark. DORA has applied mandatorily since January 17, 2025. For financial undertakings it takes precedence as more specific law over the NIS2 supply chain obligations. Both regimes do not apply in parallel to the same company. Article 28 places full responsibility with the financial undertaking, even if the service is outsourced.<\/p>\n<p>The register of information is not an Excel file that is filled out once. It is maintained at the institution and group level, reported annually to the supervisory authority, and must be fully available on request. Before every contract for a critical function comes due diligence, in addition to concentration risk analysis and exit strategies. Article 30 prescribes specific contract contents: subcontractor rules, location of data processing, audit rights, and notification obligations for material changes.<\/p>\n<p>How seriously the supervisory authorities take this became clear on November 18, 2025. The European supervisory authorities EBA, EIOPA, and ESMA published the first list of critical ICT third-party service providers-19 providers, including several major cloud providers and SAP. These providers are now under direct EU supervision. Supply chain risk is regulated at the system level, far beyond the individual contract.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why the Annual Questionnaire Does Not Close the Gap<\/h2>\n<p>I once filed a supplier questionnaire with a green checkmark for ISO 27001 and considered the matter closed. Four months later the provider changed its hosting subcontractor. The questionnaire was still green; reality no longer was. This temporal discrepancy is precisely the problem.<\/p>\n<p>The regulatory text intends a cycle. A one-time audit does not satisfy it. Section 30 number 6 requires an assessment of effectiveness; DORA Article 30 requires ongoing monitoring for critical contracts. Not every supplier requires the same depth. Tiering according to system access, data sensitivity, and availability dependence separates Tier A partners from the long list of non-critical service providers.<\/p>\n<p>A data problem also arises. A 2026 industry survey on Third-Party Risk Management indicates that only a minority of programs are fully integrated into Enterprise Risk Management and even fewer organizations rate their data quality as high. The exact values depend on the methodology. The finding remains: Without a clean register there is no reliable tiering decision. Without ERM linkage the risk stays stuck in the procurement ticket instead of appearing in the quarterly report to the management board.<\/p>\n<p>The following overview contrasts the two mindsets.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:560px;border-collapse:collapse;margin:0;font-size:0.95em;\">\n<thead>\n<tr style=\"border-bottom:2px solid #69d8ed;\">\n<th style=\"text-align:left;padding:10px 12px;\">Dimension<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Audit List (Snapshot)<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Program (Continuous)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Frequency<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Once a year, before the audit<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Ongoing, triggered by contract and system changes<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Scope<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">All suppliers treated equally<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Tiering by criticality, Tier A intensive<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Subcontractors<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Not captured<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Cascading clauses, fourth party in the register<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Integration<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Procurement ticket<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Enterprise Risk Register, report to management<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Evidence<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Questionnaire archive<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Maintained register, monitoring history, effectiveness assessment<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Five Building Blocks That Turn Control into a Program<\/h2>\n<p>A robust program does not require a large platform; it needs clear owners for each process step. Five building blocks are sufficient to begin.<\/p>\n<p><strong>Policy and Tiering.<\/strong> A criticality matrix based on access, data, and availability determines who is Tier A and how often they are reviewed. The owner is the Risk function or the CISO, implemented by a TPRM manager.<\/p>\n<p><strong>Onboarding Assessment.<\/strong> Due diligence precedes the contract. After signing, access is often already active. Security evidence, location questions, and conflict checks must be resolved before access is activated. DORA Article 28 makes this mandatory for critical functions.<\/p>\n<p><strong>Ongoing Monitoring.<\/strong> Register maintenance, risk-based re-certification, and a channel for the supplier&#8217;s incident reports. This is where the program lives or dies. A contract change at the provider must trigger a signal. A quiet note is not enough.<\/p>\n<p><strong>Offboarding.<\/strong> Revocation of access, return or deletion of data, and documented contract termination. The most common blind spot is accesses that remain active after project completion.<\/p>\n<p><strong>Fourth Party and Software Transparency.<\/strong> Subcontractors belong in the register fields; critical software requires a bill of materials following the SBOM principle. Such a list is not an explicit regulatory obligation, but it helps carry vulnerability management under Section 30 number 5 BSIG through the supply chain.<\/p>\n<p>Above all stands the management board. Section 38 BSIG obliges it to implement and oversee. A TPRM program without visible management review is a CISO cover sheet without governance value. The facility service provider with access to the server room is Tier A, even if procurement files it only under building services. Exactly these classifications decide the risk.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Getting Started: Where to Begin This Week<\/h2>\n<p>The path from questionnaire to program does not require a big bang. Five steps bring structure without blocking operations. First: identify the Tier A suppliers, that is all with system access or critical data. Second: reconcile the register against reality and add any missing subcontractors. Third: assign an owner and a monitoring cadence for each Tier A partner. Fourth: review the contract clauses on audit rights, subcontractors, and notification obligations. Fifth: elevate supplier risks as entries in the Enterprise Risk Register, with quarterly reporting to management.<\/p>\n<p>This is not a project with an end date. It is an operating mode. Once established, the next audit passes almost incidentally, because the evidence is a byproduct of ongoing operations.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Does a Supplier Directory Suffice for NIS2 Compliance?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Section 30 BSIG and NIS2 Article 21 require appropriate, effective, and continuously managed measures. A directory alone is not enough. A static register without tiering, monitoring, and effectiveness assessment does not cover the obligation for risk management.<\/p>\n<\/details>\n<details>\n<summary><strong>What Distinguishes DORA from the NIS2 Supply Chain Obligations?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">DORA has applied since January 17, 2025 in the financial sector and takes precedence there. It requires a formal ICT third-party register with annual reporting, exit strategies, and detailed contract contents pursuant to Article 30. NIS2 sets the broader framework but is less formalized.<\/p>\n<\/details>\n<details>\n<summary><strong>Do We Have to Capture Subcontractors of Our Service Providers?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">In the financial sector yes, as soon as they touch critical or important functions. DORA Article 30 and the technical specifications for the register require cascading clauses and the capture of relevant subcontractors. Under NIS2, Section 30 number 4 primarily addresses immediate providers; the explicit obligation to capture subcontractors is a DORA specialty.<\/p>\n<\/details>\n<details>\n<summary><strong>How Often Do We Have to Reassess Suppliers?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">There is no fixed frequency for all. The rhythm depends on the tier: critical providers with system access are reviewed closely and event-driven; non-critical service providers less frequently. Triggers are contract changes, subcontractor changes, and security incidents.<\/p>\n<\/details>\n<details>\n<summary><strong>What Is an SBOM and Why Does It Belong in TPRM?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">An SBOM is a bill of materials of a product&#8217;s software components, often in CycloneDX or SPDX format. It shows which libraries come from the supply chain and thereby supports vulnerability management under Section 30 number 5 BSIG. An SBOM is not explicitly mandated, but it has become established practice. Without this transparency, software origin remains a blind spot.<\/p>\n<\/details>\n<h3>Editor&#8217;s Reading Recommendations<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/25\/trapdoor-coordinated-supply-chain-attack-on-npm-pypi-and-crates-what-ci-cd\/\">TrapDoor: Coordinated Supply Chain Attack on npm, PyPI and Crates<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/22\/dora-and-nis2-why-bank-audits-are-now-colliding\/\">DORA and NIS2: Why Bank Audits Now Collide<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/16\/nis2-technical-minimum-requirements-2026\/\">Where the Mittelstand Is Still Lagging Technically on NIS2<\/a><\/li>\n<\/ul>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/25\/trapdoor-coordinated-supply-chain-attack-on-npm-pypi-and-crates-what-ci-cd\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/st-15595-pexels-30901557-cybersecurity-vulnerability-250x167.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">TrapDoor: Coordinated Supply-Chain Attack on npm, PyPI and Crates \u2013 What CI\/CD Teams Must Check Now<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/22\/dora-and-nis2-why-bank-audits-are-now-colliding\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/dora-nis2-doppel-compliance-deutsche-banken-audit-team-2026-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">DORA and NIS2: Why Bank Audits Are Now Colliding<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/16\/nis2-technical-minimum-requirements-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-technische-mindestanforderungen-mittelstand-2026-cover-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Where the SME Sector Still Lags Technically on NIS<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/en\/geopolitics-meets-the-data-center-roadmap-what-cios-must-secure-now\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-geopolitik-datacenter-roadmap-lieferkett-8054517-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Geopolitics Meets the Data Center Roadmap: What CIOs Must Secure Now<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/eu-requires-labeling-obligations-for-sme-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-eu-ai-act-2026-kennzeichnungspflichten-m-35346140-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">EU AI Act from August 2026: What labelling obligations really affect SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/16\/xfs4iot-meets-the-cloud-the-atm-becomes-a-platform\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-xfs4iot-cloud-geldautomat-plattform-syna-61345494.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">XFS4IoT Meets the Cloud: The ATM Becomes a Platform<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Supply chain risks according to NIS2 and DORA: Why the vendor questionnaire isn&#8217;t enough and how a TPRM program with tiering, a register, and ownership\u2026","protected":false},"author":10,"featured_media":18182,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Supply chain risk NIS2","_yoast_wpseo_title":"Supply chain risk is a program, not an audit list","_yoast_wpseo_metadesc":"Mit NIS2 & DORA supply chain risks tackle - why vendor questionnaires fall short & how a smart TPRM program with tiering, registers & ownership delivers\u2026","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/tprm-lieferkettenrisiko-nis2-dora-programm-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/tprm-lieferkettenrisiko-nis2-dora-programm-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[258,259],"tags":[],"class_list":["post-20896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance","category-strategie-governance-en"],"evm_reading_time_minutes":10,"wpml_language":"en","wpml_translation_of":18181,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20896"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20896\/revisions"}],"predecessor-version":[{"id":21057,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20896\/revisions\/21057"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/18182"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}