
Third-party risk management

Third-party risk management is the systematic assessment, contractual safeguarding and ongoing monitoring of security risks that arise from engaging external service providers and suppliers.

Third-party risk management (in German Dienstleistersteuerung) is the process by which an organisation manages the information security and compliance risks posed by external service providers, cloud vendors and suppliers across the entire lifecycle of the business relationship. It starts with risk-based selection and onboarding due diligence, continues through contractual security agreements, and leads into continuous monitoring of the agreed safeguards. The goal is to ensure that the security requirements applied internally are also enforced along the supply and value chain, so that risks are not carried into the organisation through third parties.

At its core is a risk assessment of each individual provider: which data and systems does it process, what is their protection requirement, and what would be the impact of an outage or a compromise? On this basis, requirements are defined and evidenced, for example through certificates (ISO/IEC 27001), assurance reports (SOC 2, ISAE 3402), TISAX labels or security questionnaires. The question of sub-processors (fourth-party risk) is also critical, as is concentration on a few large providers, which can create cluster risk in the event of an incident.

With the NIS2 Directive and its transposition into German law, supply chain security becomes an explicit obligation: the management bodies of essential and important entities must take and oversee measures to manage supply chain risks. For financial entities, the DORA Regulation specifies the management of ICT third-party providers, including mandatory contractual content and a register of information. Effective third-party risk management is therefore at once a building block of the ISMS, of business continuity management and of regulatory compliance.

Legal Basis

Art. 21(2)(d) NIS2 Directive (EU) 2022/2555 (supply chain security); Sections 30 et seq. BSIG (German NIS2 transposition); Art. 28 et seq. DORA Regulation (EU) 2022/2554; ISO/IEC 27001 (esp. A.5.19-A.5.23 supplier relationships)

Practical Example

A municipal utility classified as an important entity engages a cloud provider to operate its billing system. The information security officer conducts an onboarding review, requests the ISO/IEC 27001 certificate and a SOC 2 Type 2 report, and assesses the protection requirement of the customer data being processed as high. The contract is amended to include incident notification duties, audit rights, encryption requirements and a list of approved sub-processors. The provider is then added to the annual supplier reassessment, and expiring certificates automatically trigger a follow-up review.

FAQ

In principle, every external partner that has access to sensitive data or systems or that delivers a critical function. The level of oversight is risk-based and depends on the protection requirement and the criticality of the service. Particularly critical providers are scrutinised more intensively and reassessed more frequently.

NIS2 requires affected entities to take supply chain and provider-relationship risks into account as part of their risk management. This includes assessing the security of suppliers, contractual security requirements and ongoing monitoring. The management body must approve and oversee these measures.

Common evidence includes recognised certificates such as ISO/IEC 27001, assurance reports such as SOC 2 Type 2 or ISAE 3402, sector-specific proofs such as TISAX, and completed security questionnaires. Where risk is high, on-site audits, penetration tests or contractual audit rights complement the evidence.

How preeco supports you

Learn how our software supports you with this topic.