Blog of cyber
With the rise in cyberattacks and the introduction of new European regulations (NIS2, DORA, CRA), digital services companies (DSCs) are facing a strategic challenge: protecting their value chain while meeting the growing demands of their customers and ecosystem.
It is no longer an option: DSCs must demonstrate a strong cyber posture to their customers and partners. Supplier cyber risk management, also known as Third-Party Risk Management (TPRM), is now at the heart of DSCs' operational, contractual, and regulatory challenges. However, few players know how to take action in a structured, effective, and competitive manner.
In this article, we look back at the highlights of the webinar organized by Numeum on June 17, 2025, with contributions from:
Derriennic now handles more than two cyberattacks per month, compared to just one five years ago. This trend is part of a broader context:
The link is clear: an uncontrolled cyber breach in the subcontracting chain can cause a direct loss of revenue and contracts.
“A company that suffers a cyberattack automatically loses customers. Once data has been leaked, trust is broken.”
– Maître François-Pierre LANI, Derriennic law firm
As essential links in the digital chain, digital service providers are under pressure:
“Today, you are being assessed, sometimes without even knowing it. We need to regain control over these assessments and turn them into a business lever.”
– François SAMARCQ, Board of Cyber
The NIS2 Directive targets essential and important entities in critical sectors, including many digital service companies through their activities and types of customers. The French transposition law is expected in October 2025, with the risk of rapid sanctions as early as 2026.
“Unlike the GDPR, the ANSSI and CPR will show no tolerance for NIS2. Audits are already underway.”
– Maître François-Pierre LANI
The DORA regulation only targets financial entities, but these entities pass on the requirements to their service providers. In concrete terms, an IT services company working with a bank is already indirectly subject to DORA.
Thus, even if an IT services company is not directly subject to DORA, it may be designated as:
It is difficult to escape this classification unless immediate substitutability can be demonstrated.
The CRA requires manufacturers, importers, and distributors to guarantee the cybersecurity of their digital products throughout their lifecycle. Digital services companies that integrate or distribute software or hardware components are affected. Anticipation is therefore key.
Solutions such as Security Rating enable digital service providers to:
It is also a powerful differentiator in tenders.
“With Numeum, we offer IT service providers a Security Rating summary report. This is the first step in regaining control.”
– Célien LEROY, Board of Cyber
The best way to save time (and gain credibility) is to standardize your evidence.
Examples:
Board of Cyber recommends a shared approach to supplier assessments:
The company is also investing heavily in AI to:
“The success of a TPRM program depends on preparation, collaboration with suppliers, and a gradual, pragmatic approach.”
– François SAMARCQ, Board of Cyber
Faced with more demanding customers, stricter regulators, and a more competitive market, managing cyber risk among suppliers is becoming a performance criterion. Cybersecurity is no longer a cost: it is a competitive factor.
It is also a strategic opportunity: professionalize your cyber posture, gain the trust of your customers, and make compliance a commercial lever.
To help you structure your TPRM approach, Board of Cyber offers solutions such as Security Rating and Trust HQ.
Contact Célien LEROY, IT services company manager at Board of Cyber, via this form to benefit from: