The digital supply chain has become one of the preferred attack vectors for cybercriminals: suppliers, partners, and subcontractors are external to the organization, yet they often have access to its critical systems or sensitive data. In this context, Third-Party Cyber Risk Management (TPCRM) has become an essential approach, both to reduce the attack surface and to meet new European regulatory requirements such as NIS2.
This report provides an overview of the topic, details the obligations introduced by NIS2, and then presents Egerie, a vendor mentioned in the report.
1. Third-Party Cyber Risk Management: Current Landscape, Key Figures, and Regulatory Frameworks
Third-Party Cyber Risk Management (TPCRM) involves identifying, assessing, and managing cybersecurity risks associated with external parties connected to the organization. This includes IT suppliers, cloud service providers, maintenance subcontractors, consultants, or any actor with access to the information system or data.
Some key figures:
- This year, Gartner® estimates that around 45% of organizations worldwide will have suffered cyberattacks via their software supply chains (a 300% increase since 2021).
- 81% of cybersecurity leaders consider supply chain security a top priority (Gitnux).
- The average cost of a supply chain attack in 2023 is estimated at $4.3 million (Gitnux).
Standards and Regulations
Long recommended and increasingly mandatory, TPCRM is now addressed in many regulatory and standards frameworks, including ISO/IEC 27001, the NIST Cybersecurity Framework, DORA (Digital Operational Resilience Act), PCI DSS v4.0, SOC 2, GDPR, and of course NIS2, which expands obligations across many critical sectors and introduces increased oversight of third parties.
2. NIS 2 and Third-Party Cyber Risk Management: New Obligations
As an extension of the 2016 NIS Directive, NIS2 is gradually coming into force across EU Member States, expanding the scope of covered organizations and imposing stricter requirements.
It applies to a wide range of essential and important entities in sectors such as health, energy, transport, digital services, critical infrastructure, and more.
Among the mandatory security measures, managing supplier relationships is a key requirement:
Article 21: "Entities shall implement security policies applicable to their supplier or service provider relationships."
This requirement leads to concrete actions, such as:
- Mapping third parties and critical dependencies.
- Analyzing cyber risks associated with these relationships.
- Including security clauses in supplier contracts.
- Continuously monitoring third-party security (audits, assessments, questionnaires, etc.).
- Documenting and tracking all implemented measures.
Failure to comply can result in significant penalties (up to €10M or 2% of global turnover, depending on the case).
3. How the Egerie Platform Supports NIS2 Third-Party Cyber Risk Management Requirements
Recognized in the 2025 Gartner® Market Guide for Third-Party Risk Management Technology Solutions (TPRM) (1), the Egerie platform is, we believe, designed to support your NIS 2 compliance efforts while addressing third-party cyber risk management challenges.
Supplier Mapping and Management
- Intuitive interface to list and categorize all suppliers and partners by criticality level (low, medium, high).
- Ability to create organizations and sub-organizations to group your third parties.
Cyber Risk Assessment and Questionnaires
- Risk assessment methods based on recognized standards (ISO 27005 and EBIOS RM).
- Customizable cybersecurity questionnaires automatically sent to third parties.
Evidence Hosting
- Attach documents and evidence to security measures directly within compliance or risk analysis modules.
- During internal or external audits, justify your actions and those of your third parties directly from the Egerie platform.
Continuous Monitoring and Reporting
- Management dashboards to track supplier risk evolution over time.
- Generate NIS2-compliant reports for internal audits or supervisory bodies.
Conclusion
Cybersecurity is no longer limited to what happens inside your organization. In an era of interconnected ecosystems and reinforced regulation under NIS2, managing third-party risks is both a strategic and regulatory obligation.
By structuring your TPCRM approach and leveraging purpose-built tools like the Egerie platform, your organization can meet these new requirements effectively while strengthening long-term resilience.
(1) Gartner, Inc. Market Guide for Third-Party Risk Management Technology Solutions. Antonia Donaldson, Luke Ellery, et al. 5 May 2025.
Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.