← Back

Third-Party Security Risk Management: Simple Tips Navigating NIS2 and DORA

July 16, 2024

No business can operate without third parties. In our connected world, the security of these third parties is critical, especially with new regulations like NIS2 and DORA in Europe. In the past, an ISO 27001 certificate or SOC 2 Type II report was sufficient to show how secure a third party was. But now, that's […]

No business can operate without third parties. In our connected world, the security of these third parties is critical, especially with new regulations like NIS2 and DORA in Europe. In the past, an ISO 27001 certificate or SOC 2 Type II report was sufficient to show how secure a third party was. But now, that's not enough to comply with these new rules.

Borrowing from ISO 27001:2022 standard, here are five key controls that you can follow for managing third-party security:

  • 5.19 Information security in supplier relationships
  • 5.20 Addressing information security within supplier agreements
  • 5.21 Managing information security in the ICT Supply Chain
  • 5.22 Monitoring, review, and change management of supplier services
  • 5.23 Information security for use of cloud services

To help you complying with NIS2 and DORA, here are four simple and yet cost-effective tips that we also use when working with our clients:

1. Categorize Your Third Parties

Not all third parties are equally important. Prioritize them based on their risk to your business. Create criteria that fit your industry to decide which third parties need thorough assessment and monitoring and which can be managed with less effort.

2. Define Security Requirements for Each Category

Set security requirements for each group. Decide what security measures you want each group of third parties to have. Make a list of important security controls, marking some as must-haves and others as nice-to-haves for each group.

When working with clients, we often call it Security Control Reference Framework. This ensures that our team consistently delivers the same level of high-quality outputs and is scalable.

If this is something that can be useful for you, don’t hesitate to contact us.

3. Perform Due Diligence Regularly

Conduct security reviews during onboarding and at regular intervals as defined in your criteria. Document any deviations from your established processes and the rationale behind them.

4. Keep a central list of all third parties

Many companies struggle to even identify all their third parties. Start by asking each department to list the third parties they work with daily. Update this list every few months. Make sure everyone in the company can see this list to avoid duplicates and keep it accurate.

While following these tips won't guarantee full compliance with NIS2 or DORA, they're a good start for any business looking to manage third-party security risks effectively.

Related

May 14, 2025

What Most ISO 27001 Platforms Won’t Tell You

Security & Compliance
May 6, 2025

Do organisations need a dedicated Cybersecurity Committee?

Gartner, according to the article shared by one of my contacts in LinkedIn, predicts that by 2025 40% of Boards will have a dedicated cybersecurity committee. It’s a good news for Cybersecurity and GRC professionals of course. But I’m challenging this movement with a question “Do we really need a dedicated committee to get cybersecurity […]
Security & Compliance
May 6, 2025

Network and Idol Effect for Successful Security and Privacy Awareness

For the past week my Twitter, LinkedIn and Facebook timelines were busy with people discussing the updated Terms for WhatsApp. This update eventually lead to a lot of noise and many people looking into alternatives like Telegram or Signal. Whether people truly and fully migrate from WhatsApp or not, I guess only time will tell, […]

Book a Demo

FEHA is the first global company who provides AI-powered platform and experts guidance in one package. We help businesses to comply with various standards andregulations seamlessly. Our business focus is making sure your compliance is continuous both during and after certification
Schedule a call with our CEO
Company
HomeProductsFrameworksPlansBlogsAbout FEHA
LEGAL
Terms & ConditionsPrivacy PolicyAI Governance PolicyResponsible Disclosure
Copyright © 2025 FEHA