TPRM: 40% of disruptions start with third parties — DORA and NIS2 require formal management
Vendor due diligence and continuous third-party risk management: supply chain risk, DORA, NIS2, ongoing monitoring, SLA management, and exit strategies.
Does this apply to your business?
Do you have an up-to-date inventory of all suppliers with access to your critical systems or data, classified by criticality level?
Have you conducted a formal assessment of the cybersecurity posture and continuity capacity of your most critical suppliers?
Do your contracts with critical suppliers include audit clauses, incident notification obligations, SLAs with penalties, and exit rights?
Do you have a documented exit strategy for your most critical ICT or data suppliers?
Our TPRM programme: from inventory to continuous monitoring
Third-party inventory and classification
We identify all suppliers and third parties with access to the organisation's critical systems, data, or processes. We classify them by criticality and potential risk level, prioritising the assessment process by the impact their failure or compromise would generate.
Initial due diligence on critical suppliers
We conduct due diligence on critical suppliers: assessment of their cybersecurity posture, business continuity capacity, relevant regulatory compliance (GDPR, NIS2, DORA), financial health, and operational references. Includes structured questionnaires, certification review, and on-site audits where warranted.
Contractual framework and risk SLAs
We review and strengthen the contractual framework with critical suppliers: business continuity clauses, cybersecurity requirements, audit rights, incident notification obligations, service levels (SLAs) with penalties, and exit and transition clauses.
Continuous monitoring and lifecycle management
We implement the continuous monitoring process for critical third parties: risk alert tracking (adverse news, security incidents, regulatory changes), periodic risk assessment review, and supplier lifecycle management including activation of exit strategies when required.
The challenge
A company is only as resilient as its most critical suppliers. The failure of a technology provider, logistics partner, or data processor can disrupt operations, compromise customer data, or generate regulatory breaches just as a severe internal incident would. Yet most companies have no systematic process for evaluating and monitoring third-party risks — they assume their supplier is secure because they have worked together for years.
Our solution
We implement third-party risk management (TPRM) programmes adapted to each organisation's sector and risk profile: from initial due diligence on critical suppliers to ongoing monitoring, SLA management, and exit strategy planning. For financial entities we address DORA's specific requirements; for entities in essential sectors we coordinate with NIS2 supply chain obligations.
Third-Party Risk Management (TPRM) is the systematic process of identifying, assessing, monitoring, and mitigating the risks posed by suppliers, technology providers, and other external parties that have access to an organisation's critical systems, data, or processes. In the EU regulatory context, DORA (Digital Operational Resilience Act, applicable from January 2025) imposes specific TPRM obligations on financial entities regarding their critical ICT providers, including mandatory contractual clauses, enhanced due diligence, and incident notification requirements. NIS2 (transposed into Spanish law) similarly requires essential and important sector entities to assess and manage the cybersecurity risks of their digital supply chains.
Our third-party risk management team combines corporate due diligence expertise with knowledge of cybersecurity, digital regulation, and contract management for critical technology providers.
Why third-party dependency is the fastest-growing source of operational risk
Dependence on third parties is a structural feature of modern business. Companies outsource critical functions — data processing, technology infrastructure, logistics, payroll management — that twenty years ago were internally controlled capabilities. This outsourcing generates efficiency, but it also transfers risk: when the supplier fails, that supplier’s customers bear the consequences. The collapse of a cloud service provider, a ransomware attack on a payments processor, or the insolvency of a logistics partner can halt operations as severely as an internal disaster — with the added difficulty that the company has far less direct control over the incident.
The figure of 40% of serious business disruptions originating in third-party failures is not one that companies can afford to ignore, particularly under DORA for financial entities and NIS2 for essential and important entities. Both regulations require formal documentation and management of supply chain risks, with the possibility of sanctions if the requirements are not met. The typical scenario: a company depends on a cloud provider for its ERP, the provider suffers a 24-hour outage, and on reviewing the contract the company discovers that the SLA only guarantees 99.5% monthly availability (roughly 3.6 hours of permitted downtime per month without compensation), that there are no continuity clauses, and that the provider has no obligation to notify incidents.
Our TPRM programme: from inventory to continuous monitoring
The first step is always visibility. Most organisations do not have a complete, up-to-date inventory of their critical suppliers: they know their main vendors, but lack a systematic classification of which ones, if they failed, would have a severe impact on operations or regulatory compliance. Building that inventory — with classification by criticality, system and data access, and regulatory risk level — is the foundation of any effective TPRM programme.
Our professionals implement the TPRM programme in three phases. The first is visibility: we build the complete inventory of third parties with access to critical systems, data, or processes, and classify them by criticality level (critical, important, ordinary). The second is assessment: for critical suppliers we conduct structured due diligence with a security questionnaire, certification review (ISO 27001, SOC2, ENS), and continuity capacity assessment. The third is protection: we review and strengthen contracts with critical suppliers (audit clauses, incident notification within 24 hours, SLAs with penalties, exit and transition clauses) and implement the continuous monitoring system with real-time risk alerts.
Supplier due diligence goes well beyond reviewing certifications. Assessing the real cybersecurity posture of a supplier — not just whether they hold ISO 27001, but how they actually manage incidents, how they segment access to their clients’ systems, what happens to the company’s data if the supplier is acquired — requires detailed questionnaires, technical review, and in the most critical cases, on-site audits. For financial entities subject to DORA, this process is governed by specific minimum contractual requirements that we manage end to end. We integrate third-party monitoring with the risk register of the corporate ERM framework to ensure that supplier risks have visibility at the leadership and board level. For companies that have also implemented a business continuity plan, TPRM is the essential complement that covers risks originating outside the organisation, and we coordinate with data protection obligations for suppliers that process personal data on the organisation’s behalf.
What our TPRM service includes
The service covers the inventory and classification of all third parties with access to critical systems or data, structured due diligence on critical suppliers (security questionnaire, certification review, continuity assessment, risk report with recommendations), review and strengthening of contractual framework with security, audit, SLA, and exit clauses, continuous monitoring system with risk alerts, annual review of critical supplier assessments, integration with corporate ERM risk register, and for financial entities, compliance with DORA’s specific ICT provider management requirements.
Real results in third-party risk management
Companies that implement the TPRM programme with our team identify on average between three and eight critical suppliers whose contracts lack minimum protection clauses in the event of a failure or security incident. Renegotiation of these contracts generates concrete protections: SLAs with real penalties, incident notification clauses within 24 hours, and audit rights. Detection time for a problem in a critical supplier is reduced from days or weeks to hours through the continuous monitoring system. And for entities subject to DORA or NIS2, implementing the TPRM programme eliminates the risk of regulatory sanction for non-compliance with supply chain risk management requirements.
Frequently asked questions about DORA, NIS2, and supplier risk
The contractual framework with critical suppliers is the most underestimated protection instrument. Contracts with large technology providers (cloud, SaaS, data processors) are often adhesion contracts that the provider presents without negotiation. However, in many cases it is possible to negotiate additional security, audit, and continuity clauses — particularly when contract volume justifies it. And in every case, the contract must include exit clauses that allow the company to migrate to an alternative provider without the current provider blocking the transition by retaining data or technical documentation. Continuous monitoring transforms TPRM from a point-in-time exercise into a permanent operational capability: a supplier with an adequate security posture today may suffer an incident tomorrow, and early detection is what enables proactive decisions before the problem affects operations.
Third-party risk management in the Spanish business context
Third-party risk management (TPRM) is the systematic process of identifying, assessing, and managing the risks that arise from a company’s relationships with its suppliers, contractors, partners, and other third parties. As business models have become more interconnected — through outsourcing, SaaS platforms, cloud services, supply chains, and commercial partnerships — the concentration of risk in third-party relationships has grown substantially.
The regulatory environment has reinforced this priority: the EU’s DORA regulation (Digital Operational Resilience Act, effective January 2025) requires financial sector entities to implement comprehensive ICT third-party risk management; the CSDDD (Corporate Sustainability Due Diligence Directive) requires companies above applicable thresholds to conduct human rights and environmental due diligence across their supply chains; and the NIS2 Directive extends cybersecurity supply chain risk requirements to essential and important entities. Spain’s national Esquema Nacional de Seguridad (ENS) imposes equivalent requirements on entities operating with the public administration.
The TPRM lifecycle
Our third-party risk management framework covers the full vendor lifecycle:
1. Third-party inventory and categorisation: establishing a complete inventory of third-party relationships, categorised by criticality (what would happen if this third party failed or was compromised?), data access (does this third party have access to personal data, sensitive commercial data, or critical IT systems?), and regulatory exposure (is this third party subject to their own regulatory obligations that affect our risk?).
2. Pre-engagement due diligence: for new third parties, conducting risk-proportionate due diligence before the relationship begins. For critical or data-intensive relationships, this includes: financial stability assessment, cybersecurity posture review (questionnaire, SOC2 report, or on-site assessment), AML screening, sanctions screening, and operational resilience assessment.
3. Contractual risk allocation: ensuring that contracts with third parties include appropriate risk allocation clauses — data protection requirements (processor agreements under GDPR), cybersecurity obligations, business continuity requirements, audit rights, and termination rights triggered by defined risk events.
4. Ongoing monitoring: third-party risk does not end at contract signature. Ongoing monitoring includes: periodic performance and compliance reviews, external risk signal monitoring (credit events, regulatory sanctions, adverse media, cybersecurity incidents), and trigger-based re-assessment for material changes in the third party’s circumstances.
5. Exit planning: for critical third parties, maintaining a credible exit plan — the ability to switch to an alternative provider or in-source the activity within an acceptable timeframe — is a key resilience requirement. Over-dependence on a single critical supplier without an exit plan creates a structural vulnerability that regulators and auditors increasingly scrutinise.
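As an added illustration, not BMC's own tooling or any client's data, the following Python sketch applies the classification, minimum-clause gap check and SLA downtime budget described in the lifecycle above and in the three-phase programme to a constructed supplier register; the clause names, tier thresholds and sample suppliers are assumptions.

```python
"""Added example: third-party register review (constructed data, not BMC tooling)."""
from dataclasses import dataclass, field

# Minimum protection clauses the text lists for critical suppliers (names assumed).
REQUIRED_CLAUSES = {"audit_rights", "incident_notification_24h",
                    "sla_penalties", "exit_and_transition"}


@dataclass
class Supplier:
    name: str
    critical_system_access: bool   # access to critical IT systems or processes
    personal_data_access: bool     # GDPR processor relationship
    impact_if_failed: str          # "severe", "moderate" or "low"
    sla_availability: float        # contractual monthly availability, e.g. 0.995
    clauses: set = field(default_factory=set)


def classify(s: Supplier) -> str:
    """Criticality tier (thresholds are an assumed rule, not a regulatory one)."""
    sensitive = s.critical_system_access or s.personal_data_access
    if s.impact_if_failed == "severe" and sensitive:
        return "critical"
    if s.impact_if_failed != "low" or sensitive:
        return "important"
    return "ordinary"


def allowed_downtime_hours(availability: float, days_in_month: int = 30) -> float:
    """Downtime the SLA tolerates per month: 99.5% over 30 days is 3.6 hours."""
    return round((1.0 - availability) * days_in_month * 24, 2)


def contract_gaps(s: Supplier) -> set:
    """Missing minimum clauses; only enforced for the critical tier."""
    return REQUIRED_CLAUSES - s.clauses if classify(s) == "critical" else set()


def assess_outage(s: Supplier, outage_hours: float) -> dict:
    """Does an outage exceed the SLA budget, and can a penalty actually be claimed?"""
    budget = allowed_downtime_hours(s.sla_availability)
    exceeded = outage_hours > budget
    return {"budget_hours": budget, "exceeds_sla": exceeded,
            "penalty_enforceable": exceeded and "sla_penalties" in s.clauses}


def review_register(suppliers: list) -> list:
    """One row per supplier: name, tier and missing clauses, critical first."""
    rows = [(s.name, classify(s), sorted(contract_gaps(s))) for s in suppliers]
    order = {"critical": 0, "important": 1, "ordinary": 2}
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed register mirroring the ERP-on-cloud scenario in the text.
REGISTER = [
    Supplier("cloud-erp-host", True, True, "severe", 0.995, {"audit_rights"}),
    Supplier("payroll-saas", False, True, "moderate", 0.999, set(REQUIRED_CLAUSES)),
    Supplier("office-supplies", False, False, "low", 0.0, set()),
]

if __name__ == "__main__":
    for row in review_register(REGISTER):
        print(row)
    print(assess_outage(REGISTER[0], 24))
```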
Concentration risk and supply chain disruption
For Spanish manufacturing, logistics, and agri-food businesses, supply chain concentration risk — dependence on a small number of critical suppliers, geographic concentration in specific regions or countries, or single-source components — is often the most material third-party risk. The 2024 DANA floods disrupted supply chains throughout south-east Spain, demonstrating the real-world cost of geographic concentration.
Our supply chain risk assessment identifies concentration dependencies, quantifies the potential disruption cost, and designs mitigation strategies — alternative supplier qualification, inventory buffer strategies, geographic diversification — that are commercially feasible and proportionate to the risk.
Contact our TPRM team for a third-party risk diagnostic and programme design.
Real results in third-party risk management
Our main cloud service provider suffered an 18-hour outage that left us without critical operations. When we reviewed the contract we discovered the SLA entitled us to a negligible credit and there was no continuity clause at all. BMC renegotiated all our critical supplier contracts and implemented a monitoring programme that now gives us real-time visibility on every supplier's status.
What our TPRM service includes
Third-party inventory and classification
Identification and classification of all third parties with access to critical systems, data, or processes, prioritised by criticality and potential risk level.
Critical supplier due diligence
Structured assessment of critical suppliers: cybersecurity, business continuity, regulatory compliance, financial stability, and operational references. Includes questionnaires, certification review, and on-site audits.
Contractual framework and SLAs
Review and strengthening of contractual frameworks with critical suppliers: security, continuity, audit, incident notification clauses, SLAs with penalties, and exit and transition conditions.
Continuous third-party monitoring
Continuous monitoring system: risk alert tracking, periodic assessment reviews, third-party incident management, and supplier risk register updates.
Exit strategies and transition planning
Design of exit strategies for critical suppliers: migration plan documentation, pre-qualification of alternatives, and transition management when exit is activated.