June 15, 2026

Cybersecurity in the Supply Chain: The Invisible Risk Posed by Suppliers, Partners, and Third Parties

A company's exposure is not defined solely by its internal boundaries, but also by the access points, integrations, and privileges granted within its supply chain.

Attacks on the supply chain are gaining prominence as one of the main categories of cyber threats. The European Union Agency for Cybersecurity (ENISA) identifies them as a priority vector in the European risk landscape, with a particular impact on public administration and digital service providers.

The reality is that, in an increasingly interconnected world, every integration with third parties (suppliers, partners, or subcontractors) expands the attack surface beyond the company’s direct control. The risk no longer lies solely within the internal perimeter, but in the network of external access points that support daily operations and which, in many cases, are not secured and monitored with the same rigor as the company’s own assets.

Let’s imagine that a company hires a certified and audited technology integrator to manage part of its critical systems. The integrator, in turn, subcontracts remote maintenance to a smaller company in another country. That subcontractor has permanent access to sensitive operating environments, but does not appear in any of the main company’s third-party records: no one has registered it, audited it, or verified its credentials. If a security incident occurs, the contractual chain has three links, and responsibility is diluted across each one.

This hypothetical scenario becomes particularly realistic when we consider that, according to ENISA, 86% of companies report having cybersecurity policies in place for their supply chain. However, only 47% allocate a specific budget to implement those policies, and an alarming 76% lack any dedicated roles or responsibilities for overseeing employees and third parties.

A new regulatory framework for shared responsibility

With the aim of promoting prevention and clarifying responsibilities, the so-called NIS2 Directive was adopted in 2023, and its transposition into national law is expected to be completed in Spain by the end of 2026. This cybersecurity regulatory framework particularly affects medium and large companies in key sectors such as digital service providers, industry, and waste management, among others.

The regulation requires active oversight and formal certification of the cybersecurity capabilities of every entity involved in the provision of services. It also introduces a principle of joint liability, under which penalties and reputational damage fall on the lead entity if it cannot demonstrate that it has exercised continuous oversight of its critical suppliers.

Regulatory compliance is no longer just a paperwork requirement; it has become a key aspect of business continuity. In this environment, regulatory pressure and autonomous threats are pushing companies toward more adaptive security models. But how can this be put into practice?

The gap between formal policy and actual implementation

Only 37% of companies conduct a formal risk assessment of their suppliers before contracting them, and only 43% use automated security assessment services to continuously monitor their partners’ security posture. Many companies assume that a one-time validation during the supplier onboarding process guarantees the system’s ongoing integrity.

However, the reality on the ground contradicts this assumption; information security requires dynamic governance based on constant verification.

To reverse this trend, supply chain cybersecurity must evolve from compliance auditing toward an architecture-based control model. A security manager should not approve third-party access without reviewing aspects such as isolation and operational segregation. It is a priority to determine the design criteria used to isolate environments shared with the partner to prevent an attacker from moving laterally in the event of a breach, or to identify the automated systems used to revoke an external professional’s access the moment their employment relationship with the subcontractor ends.

Furthermore, current governance contracts must be transformed into security level agreements that require active technical audits through simulated penetration tests and the mandatory reporting of any anomalies detected in the partner’s infrastructure. We must break the trend of trying to sweep minor security incidents under the rug… until the impact affects the entire system.

This shift toward dynamic governance requires a change in the relationship with the ecosystem of partners. Mitigating third-party risk does not mean blocking external collaboration, but rather structuring it on the premise that any link in the chain can put the rest at risk, and everyone must work together to prevent that from happening.

Cyber Security World Madrid 2026: A Global Perspective on Risk Management

Corporate resilience is no longer measured by the strength of an organization’s own defenses, but by its ability to operate securely within a network of trust where identity and privileges are continuously verified among all participants. The real challenge for security leaders is to spearhead this technical and contractual transition before a breach jeopardizes the entire system.

To address this transformation and explore solutions to meet the requirements of regulations such as NIS2, Cyber Security World 2026 is the premier gathering for business, corporate, and institutional cybersecurity in Spain. Held as part of Tech Show Madrid (whose previous edition brought together more than 470 exhibiting companies, 400 speakers, and 27,000 professionals), this specialized event will gather more than 40 vendors and over 60 leading experts for panel discussions and tech talks on November 4 and 5, 2026, at IFEMA Madrid.

This is a professional forum attracting over 3,600 qualified visitors, 32% of whom hold C-level positions (CISOs, CTOs, IT Risk Officers, and security architects), offering attendees a unique opportunity to identify emerging technologies and strategic partners in areas such as cloud security and hybrid environments, AI applied to cybersecurity, advanced identity and authentication, and data protection, among others. For their part, exhibitors can position themselves in front of decision-makers and connect with a specialized audience ready to transform supply chain risk management into a genuine competitive advantage.
