TPRM: 40% of disruptions start with third parties — DORA and NIS2 require formal management
Vendor due diligence and continuous third-party risk management: supply chain risk, DORA, NIS2, ongoing monitoring, SLA management, and exit strategies.
Does this apply to your business?
Do you have an up-to-date inventory of all suppliers with access to your critical systems or data, classified by criticality level?
Have you conducted a formal assessment of the cybersecurity posture and continuity capacity of your most critical suppliers?
Do your contracts with critical suppliers include audit clauses, incident notification obligations, SLAs with penalties, and exit rights?
Do you have a documented exit strategy for your most critical ICT or data suppliers?
Our TPRM programme: from inventory to continuous monitoring
Third-party inventory and classification
We identify all suppliers and third parties with access to the organisation's critical systems, data, or processes. We classify them by criticality and potential risk level, prioritising the assessment process by the impact their failure or compromise would generate.
Initial due diligence on critical suppliers
We conduct due diligence on critical suppliers: assessment of their cybersecurity posture, business continuity capacity, relevant regulatory compliance (GDPR, NIS2, DORA), financial health, and operational references. Includes structured questionnaires, certification review, and on-site audits where warranted.
Contractual framework and risk SLAs
We review and strengthen the contractual framework with critical suppliers: business continuity clauses, cybersecurity requirements, audit rights, incident notification obligations, service levels (SLAs) with penalties, and exit and transition clauses.
Continuous monitoring and lifecycle management
We implement the continuous monitoring process for critical third parties: risk alert tracking (adverse news, security incidents, regulatory changes), periodic risk assessment review, and supplier lifecycle management including activation of exit strategies when required.
The challenge
A company is only as resilient as its most critical suppliers. The failure of a technology provider, logistics partner, or data processor can disrupt operations, compromise customer data, or generate regulatory breaches just as a severe internal incident would. Yet most companies have no systematic process for evaluating and monitoring third-party risks — they assume their supplier is secure because they have worked together for years.
Our solution
We implement third-party risk management (TPRM) programmes adapted to each organisation's sector and risk profile: from initial due diligence on critical suppliers to ongoing monitoring, SLA management, and exit strategy planning. For financial entities we address DORA's specific requirements; for entities in essential sectors we coordinate with NIS2 supply chain obligations.
Third-Party Risk Management (TPRM) is the systematic process of identifying, assessing, monitoring, and mitigating the risks posed by suppliers, technology providers, and other external parties that have access to an organisation's critical systems, data, or processes. In the EU regulatory context, DORA (Digital Operational Resilience Act, applicable from January 2025) imposes specific TPRM obligations on financial entities regarding their critical ICT providers, including mandatory contractual clauses, enhanced due diligence, and incident notification requirements. NIS2 (transposed into Spanish law) similarly requires essential and important sector entities to assess and manage the cybersecurity risks of their digital supply chains.
Our third-party risk management team combines corporate due diligence expertise with knowledge of cybersecurity, digital regulation, and contract management for critical technology providers.
Why third-party dependency is the fastest-growing source of operational risk
Dependence on third parties is a structural feature of modern business. Companies outsource critical functions — data processing, technology infrastructure, logistics, payroll management — that twenty years ago were internally controlled capabilities. This outsourcing generates efficiency, but it also transfers risk: when the supplier fails, that supplier’s customers bear the consequences. The collapse of a cloud service provider, a ransomware attack on a payments processor, or the insolvency of a logistics partner can halt operations as severely as an internal disaster — with the added difficulty that the company has far less direct control over the incident.
That 40% of serious business disruptions originate in third-party failures is not a figure companies can afford to ignore, particularly under DORA for financial entities and NIS2 for essential and important entities. Both regulations require formal documentation and management of supply chain risks, with the possibility of sanction if the requirements are not met. The typical scenario: a company depends on a cloud provider for its ERP, the provider suffers a 24-hour outage, and on reviewing the contract the company discovers that the SLA only guarantees 99.5% monthly availability (equivalent to 3.6 hours of acceptable downtime per month without compensation), that there are no continuity clauses, and that the provider has no obligation to notify incidents.
Our TPRM programme: from inventory to continuous monitoring
The first step is always visibility. Most organisations do not have a complete, up-to-date inventory of their critical suppliers: they know their main vendors, but lack a systematic classification of which ones, if they failed, would have a severe impact on operations or regulatory compliance. Building that inventory — with classification by criticality, system and data access, and regulatory risk level — is the foundation of any effective TPRM programme.
Our professionals implement the TPRM programme in three phases. The first is visibility: we build the complete inventory of third parties with access to critical systems, data, or processes, and classify them by criticality level (critical, important, ordinary). The second is assessment: for critical suppliers we conduct structured due diligence with a security questionnaire, certification review (ISO 27001, SOC2, ENS), and continuity capacity assessment. The third is protection: we review and strengthen contracts with critical suppliers (audit clauses, incident notification within 24 hours, SLAs with penalties, exit and transition clauses) and implement the continuous monitoring system with real-time risk alerts.
Supplier due diligence goes well beyond reviewing certifications. Assessing the real cybersecurity posture of a supplier — not just whether they hold ISO 27001, but how they actually manage incidents, how they segment access to their clients’ systems, what happens to the company’s data if the supplier is acquired — requires detailed questionnaires, technical review, and in the most critical cases, on-site audits. For financial entities subject to DORA, this process is governed by specific minimum contractual requirements that we manage end to end. We integrate third-party monitoring with the risk register of the corporate ERM framework to ensure that supplier risks have visibility at the leadership and board level. For companies that have also implemented a business continuity plan, TPRM is the essential complement that covers risks originating outside the organisation, and we coordinate with data protection obligations for suppliers that process personal data on the organisation’s behalf.
What our TPRM service includes
The service covers the inventory and classification of all third parties with access to critical systems or data; structured due diligence on critical suppliers (security questionnaire, certification review, continuity assessment, risk report with recommendations); review and strengthening of the contractual framework with security, audit, SLA, and exit clauses; a continuous monitoring system with risk alerts; annual review of critical supplier assessments; integration with the corporate ERM risk register; and, for financial entities, compliance with DORA’s specific ICT provider management requirements.
Real results in third-party risk management
Companies that implement the TPRM programme with our team identify on average between three and eight critical suppliers whose contracts lack minimum protection clauses in the event of a failure or security incident. Renegotiation of these contracts generates concrete protections: SLAs with real penalties, incident notification clauses within 24 hours, and audit rights. Detection time for a problem in a critical supplier is reduced from days or weeks to hours through the continuous monitoring system. And for entities subject to DORA or NIS2, implementing the TPRM programme eliminates the risk of regulatory sanction for non-compliance with supply chain risk management requirements.
Frequently asked questions about DORA, NIS2, and supplier risk
The contractual framework with critical suppliers is the most underestimated protection instrument. Contracts with large technology providers (cloud, SaaS, data processors) are often adhesion contracts that the provider presents without negotiation. However, in many cases it is possible to negotiate additional security, audit, and continuity clauses — particularly when contract volume justifies it. And in every case, the contract must include exit clauses that allow the company to migrate to an alternative provider without the current provider blocking the transition by retaining data or technical documentation. Continuous monitoring transforms TPRM from a point-in-time exercise into a permanent operational capability: a supplier with an adequate security posture today may suffer an incident tomorrow, and early detection is what enables proactive decisions before the problem affects operations.
Real results in third-party risk management
Our main cloud service provider suffered an 18-hour outage that left us without critical operations. When we reviewed the contract we discovered the SLA entitled us to a negligible credit and there was no continuity clause at all. BMC renegotiated all our critical supplier contracts and implemented a monitoring programme that now gives us real-time visibility on every supplier's status.
Experienced team with local insight and international reach
What our TPRM service includes
Third-party inventory and classification
Identification and classification of all third parties with access to critical systems, data, or processes, prioritised by criticality and potential risk level.
Critical supplier due diligence
Structured assessment of critical suppliers: cybersecurity, business continuity, regulatory compliance, financial stability, and operational references. Includes questionnaires, certification review, and on-site audits.
Contractual framework and SLAs
Review and strengthening of contractual frameworks with critical suppliers: security, continuity, audit, incident notification clauses, SLAs with penalties, and exit and transition conditions.
Continuous third-party monitoring
Continuous monitoring system: risk alert tracking, periodic assessment reviews, third-party incident management, and supplier risk register updates.
Exit strategies and transition planning
Design of exit strategies for critical suppliers: migration plan documentation, pre-qualification of alternatives, and transition management when exit is activated.