EXPERTISE
Supply-Chain & Third-Party Risk
Your security is only as strong as your suppliers'. We help you assess, govern, and continuously manage third-party and supply-chain risk — now a direct requirement under NIS2 and DORA.
What it is — and why it matters.
Modern organisations depend on a web of suppliers, cloud services, and partners — each a potential point of exposure. Supply-chain and third-party risk is the discipline of understanding and managing that exposure deliberately, rather than inheriting it by accident. It's also now a regulatory obligation: NIS2 mandates supply-chain security, and DORA places strict requirements on ICT third-party risk for financial entities.
Who this affects.
Any organisation that relies on external suppliers or ICT providers — nearly all of them — and especially those in scope for NIS2 or DORA, where supply-chain and third-party obligations are explicit.
What's involved
How we help.
Risk assessment & tiering | Identify and rank your third parties by the risk they carry.
Supplier due diligence | Due diligence and contractual security requirements.
Register of information | The oversight and register DORA expects.
Ongoing monitoring & governance | Continuous oversight rather than one-off reviews.
Integrated with NIS2 & DORA | One effort that satisfies the regulatory duties too.
Risk
Within your managed office.
Sits under Risk, tightly linked to Compliance (NIS2, DORA) and Architecture & Transformation (how suppliers integrate). Managed as part of your program, with strong cross-links to the NIS2 and DORA pages.
Related expertise
Topic
Enterprise Security Architecture
A business-driven, enterprise-wide architecture that links security to strategy — from business context down to logical and physical design, so every control traces back to a goal.
Topic
Information Security Architecture
The structured design of security controls across your technical estate — identity, network, data, cloud, endpoints — as one coherent system aligned to your risks.
Topic
Security Strategy
Setting direction and priorities for security — a sequenced, realistic roadmap aligned to your objectives and risk, not a wish list of everything.
Within your managed office.
Sits under Risk, tightly linked to Compliance (NIS2, DORA) and Architecture & Transformation (how suppliers integrate). Managed as part of your program, with strong cross-links to the NIS2 and DORA pages.
CTRL Disrupt
Your Managed Security & Risk Office.
Based in the Netherlands.
EXPERTISE
ISO 27001
NIS2
BIO2.0
EU AI Act
AI Security & Compliance
Marshalllaan 2
2625 GZ Delft
The Netherlands
© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.