Third-Party Security Risk Management: Simple Tips Navigating NIS2 and DORA
July 16, 2024

No business can operate without third parties. In our connected world, the security of these third parties is critical, especially with new regulations like NIS2 and DORA in Europe. In the past, an ISO 27001 certificate or SOC 2 Type II report was sufficient to show how secure a third party was. But now, that's not enough to comply with these new rules.
Borrowing from the ISO 27001:2022 standard, here are five key controls that you can follow for managing third-party security:
- 5.19 Information security in supplier relationships
- 5.20 Addressing information security within supplier agreements
- 5.21 Managing information security in the ICT Supply Chain
- 5.22 Monitoring, review, and change management of supplier services
- 5.23 Information security for use of cloud services
To help you comply with NIS2 and DORA, here are four simple yet cost-effective tips that we also use when working with our clients:
1. Categorize Your Third Parties
Not all third parties are equally important. Prioritize them based on their risk to your business. Create criteria that fit your industry to decide which third parties need thorough assessment and monitoring and which can be managed with less effort.
2. Define Security Requirements for Each Category
Set security requirements for each group. Decide what security measures you want each group of third parties to have. Make a list of important security controls, marking some as must-haves and others as nice-to-haves for each group.
When working with clients, we often call this a Security Control Reference Framework. It ensures that our team consistently delivers the same high-quality output and that the approach scales.
If this is something that can be useful for you, don’t hesitate to contact us.
3. Perform Due Diligence Regularly
Conduct security reviews during onboarding and at regular intervals as defined in your criteria. Document any deviations from your established processes and the rationale behind them.
4. Keep a Central List of All Third Parties
Many companies struggle to even identify all their third parties. Start by asking each department to list the third parties they work with daily. Update this list every few months. Make sure everyone in the company can see this list to avoid duplicates and keep it accurate.
While following these tips won't guarantee full compliance with NIS2 or DORA, they're a good start for any business looking to manage third-party security risks effectively.