Abstract visualization of third-party and supply-chain assurance: a connected supplier ecosystem with highlighted risk and exposure nodes.

Third-Party & Supply-Chain Assurance

Due diligence, supplier classification, contractual requirements, control testing, supplier assessment and OSINT-based supplier and exposure analyses along the supply chain.

Overview

The supply chain has become a regulatory focal point. NIS2, DORA and the Cyber Resilience Act increase the pressure on third-party and supplier relationships; NIST CSF 2.0 makes supply-chain risk management a governance category in its own right. At the same time, the European Supervisory Authorities designated critical ICT third-party providers for the first time in 2025, so the requirements affect not only banks but also their IT, cloud and infrastructure partners.

We create transparency over your third parties: a due diligence and supplier classification that ranks suppliers by criticality and risk. Only this classification allows attention and review effort to be directed where they are truly needed.

This is followed by robust contractual requirements and control testing: which security, evidence and reporting duties must contracts contain, and are the promised controls actually upheld? For the financial sector we integrate this with the DORA register of ICT third-party arrangements.

In addition we provide OSINT-based supplier and exposure analyses: publicly available information is evaluated in a structured way to detect supply-chain risks early - from exposed systems to reputational anomalies. This makes supply-chain risk steerable, instead of remaining a blind spot.

We deliver each of these services in three stages: as an assessment (baseline and gap analysis), as program build and implementation (structures, measures, evidence) and as ongoing steering - optionally as an interim mandate, fractional lead, evidence office or exercise and audit office. You decide how much responsibility to outsource and where to build your own capacity.

Standards & norms

  • NIS2 (supply-chain security)
  • DORA (ICT third-party risk)
  • NIST CSF 2.0 (Supply-Chain Risk)

Frequently asked questions

Why is a supplier questionnaire not enough?

Because self-assessments rarely reflect the actual risk. NIS2 and DORA require effective steering, not just declarations. We combine classification, contractual requirements and control testing with OSINT-based analyses.

What does OSINT-based supplier analysis mean?

The structured evaluation of publicly available information on a supplier - such as exposed systems or reputational anomalies. This reveals risks that do not appear in self-assessments. We use exclusively legal, public sources.

How does this relate to DORA?

DORA requires financial entities to actively manage ICT third-party risk including a maintained register. Our assurance service provides the classification, contractual requirements and evidence that make this register robust.