Cyber risk management for suppliers: digital service providers face the dual challenge of compliance and performance
With the rise in cyberattacks and the introduction of new European regulations (NIS2, DORA, CRA), digital services companies (DSCs) are facing a strategic challenge: protecting their value chain while meeting the growing demands of their customers and ecosystem.
It is no longer an option: DSCs must demonstrate a strong cyber posture to their customers and partners. Supplier cyber risk management, also known as Third-Party Risk Management (TPRM), is now at the heart of DSCs' operational, contractual, and regulatory challenges. However, few players know how to take action in a structured, effective, and competitive manner.
In this article, we look back at the highlights of the webinar organized by Numeum on June 17, 2025, with contributions from:
- Maître François-Pierre LANI, partner at Derriennic law firm, specialist in digital law,
- François SAMARCQ, Director of Commercial Strategy at Board of Cyber,
- Célien LEROY, Digital Services Company Manager at Board of Cyber.
By reading this article, you will understand:
- Why digital services companies are now systematically exposed to cyber assessments, even without being informed
- What the new regulations really mean (and for whom)
- How to stand out in a tense environment by integrating supplier risk as a differentiating factor
Why managing cyber supplier risk has become critical for digital services companies
Cyberattacks are on the rise... with major consequences.
Derriennic now handles more than two cyberattacks per month, compared to just one five years ago. This trend is part of a broader context:
- a 15% increase in cyberattacks in 2024, according to ANSSI,
- economic consequences of up to €20 million for the largest SMEs affected,
- a direct reputational impact, with loss of customer confidence and evaporation of the customer base
The link is clear: an uncontrolled cyber breach in the subcontracting chain can cause a direct loss of revenue and contracts.
“A company that suffers a cyberattack automatically loses customers. Once data has been leaked, trust is broken.”
– Maître François-Pierre LANI, Derriennic law firm
Digital service companies: indirect targets but direct constraints.
As essential links in the digital chain, digital service providers are under pressure:
- their end customers demand guarantees (particularly financial and public institutions),
- insurers, banks, auditors, and other third parties evaluate them without notice,
- and regulations expose them even when they are unaware of it.
“Today, you are being assessed, sometimes without even knowing it. We need to regain control over these assessments and turn them into a business lever.”
– François SAMARCQ, Board of Cyber
DORA, NIS2, CRA: what do the regulations say and who is affected?
NIS2: imminent transposition, expanded obligations
The NIS2 Directive targets essential and important entities in critical sectors, including many digital service companies through their activities and types of customers. The French transposition law is expected in October 2025, with the risk of rapid sanctions as early as 2026.
“Unlike the GDPR, the ANSSI and CPR will show no tolerance for NIS2. Audits are already underway.”
– Maître François-Pierre LANI
DORA: sector-specific regulations... but with collateral effects
The DORA regulation only targets financial entities, but these entities pass on the requirements to their service providers. In concrete terms, a digital services company working with a bank is already indirectly subject to DORA.
Thus, even if a digital services company is not directly subject to DORA, it may be designated as:
- a critical ICT service provider (Article 31)
- or as performing a critical function
It is difficult to escape this classification unless immediate substitutability can be demonstrated.
CRA (Cyber Resilience Act): strengthening the entire product chain
The CRA requires manufacturers, importers, and distributors to guarantee the cybersecurity of their digital products throughout their lifecycle. Digital services companies that integrate or distribute software or hardware components are affected. Anticipation is therefore key.
How can you turn regulatory constraints into a competitive advantage?
Take back control of your cyber assessment
Solutions such as Security Rating enable digital service providers to:
- obtain an external cyber score from 0 to 1000,
- compare themselves to their sector,
- identify priority areas for improvement
It is also a powerful differentiator in tenders.
“With Numeum, we offer IT service providers a Security Rating summary report. This is the first step in regaining control.”
– Célien LEROY, Board of Cyber
Centralize evidence and anticipate questionnaires
The best way to save time (and gain credibility) is to standardize your evidence.
Examples:
- Centralize certifications (ISO 27001, SOC 2, etc.), security policies, and disaster recovery and business continuity plans (PRA/PCA)
- Reuse responses to previous questionnaires using a knowledge base
- Anticipate customer questionnaires as renewals approach
Focus on collaboration, sharing, and AI
Board of Cyber recommends a shared approach to supplier assessments:
- avoid duplication when a supplier has already been assessed elsewhere,
- integrate existing ratings (cyberscore, insurance rating, etc.),
- use AI to speed up audits and make them more reliable
The company is also investing heavily in AI to:
- help suppliers respond more quickly to questionnaires
- check the consistency of responses provided
“The success of a TPRM program depends on preparation, collaboration with suppliers, and a gradual, pragmatic approach.”
– François SAMARCQ, Board of Cyber
5 key points to remember
- Digital services companies are already being evaluated by their customers. Ignoring this reality is a risk.
- NIS2 and DORA entail indirect but very concrete obligations.
- The CRA will impact all players integrating or distributing digital products.
- Anticipating, centralizing evidence, and standardizing responses are vital.
- Board of Cyber offers concrete tools to turn constraints into advantages.
Next steps for digital service providers
Faced with more demanding customers, stricter regulators, and a more competitive market, managing cyber risk among suppliers is becoming a performance criterion. Cybersecurity is no longer a cost: it is a competitive factor.
It is also a strategic opportunity: professionalize your cyber posture, gain the trust of your customers, and make compliance a commercial lever.
To help you structure your TPRM approach, Board of Cyber offers solutions such as Security Rating and Trust HQ.
Want to find out more?
Contact Célien LEROY, Digital Services Company Manager at Board of Cyber, to benefit from:
- a free Security Rating,
- and personalized support on TPRM and NIS2/DORA compliance
