Beyond third parties

Excerpt from the ICT Security Magazine Article

Extended Supply Chain Cybersecurity

2026 and the End of Trust by Default

In 2026, cybersecurity completes its evolution from a defensive discipline to a strategic lever for the resilience of critical infrastructures and companies.

On the technological side, the interconnection between IT, OT, and IoT environments, the persistence of non-upgradable legacy systems, the growing dependence on cloud providers and SaaS services of the major hyperscalers, and the introduction of new artificial intelligence services (primarily language models used by end users) significantly expand the infrastructure perimeter. On the political side, tariffs, wars, and geopolitical frictions accelerate persistent state-sponsored attacks, and at the same time a new category of risk emerges: the so-called shadow risks, hidden risks linked to the supply chain and to the uncontrolled use of free tools, third-party software, and AI services.

Ghost Risks and the Necessary Change of Paradigm

The notion of a third party must today be extended far beyond contracted suppliers. Operating systems, hardware components, cloud platforms, any software equipped with automatic update mechanisms and, increasingly, artificial intelligence systems embedded in operational flows are, in all respects, third parties. Each one of these actors is already inside the infrastructure of the individual organization and could, in adverse scenarios, become a vector of compromise.

Recent regulations (NIS2, DORA, GDPR, the determinations of the National Cybersecurity Agency) rightly require that contracts with direct suppliers include verifiable and auditable security requirements. The point raised by Mugnato, however, is that such requirements, although strictly necessary, are often not sufficient. The most significant share of risk lies in suppliers and technologies “hidden” with respect to the formal perimeter of contracts, as well as in free services that may introduce channels of data exposure outside any governance.