Third-party cyber risk refers both to IT security threats introduced into an organisation via its suppliers and to the risk that those suppliers, service providers or partners themselves may suffer a cyber attack. A breach affecting a third party can give attackers access to the organisation's internal systems, sensitive data or critical infrastructure. NIS2 and DORA now require a formal assessment of the cyber posture of any significant third party.