Cyber Risk and the Supply Chain

Today, cyber risk associated with the supply chain stands out as one of the main vectors of vulnerability, too often overlooked during risk analysis but increasingly exploited in modern attack models. This is not just about isolated incidents: data collected in recent years shows that a significant portion of breaches originates from weaknesses in third-party supplier systems.

New European regulations are moving in this direction. The EU legislator’s response has become more concrete: the NIS 2 Directive significantly broadens the scope of cybersecurity, explicitly including the monitoring and management of risks associated with critical suppliers.
Companies are no longer asked merely to “protect themselves,” but also to assess and oversee the cyber reliability of the entities they work with. At the same time, the DORA (Digital Operational Resilience Act) regulation, in force since January 2025, requires companies to map, categorize, and continuously verify ICT suppliers, with particular attention to business continuity and incident management.

Read more on datamanager.it