Third-Party Risk Management

Supply Chain Risk Management

Annual vendor questionnaires are not enough. NIS2 and DORA demand continuous supply chain oversight. Fig provides real-time vendor risk scoring, shared control mapping, and automated monitoring across your entire supplier base.

Why Annual Questionnaires Fall Short

Point-in-time assessments create a false sense of security

Most organisations still rely on annual security questionnaires to assess vendor risk. A vendor completes a self-assessment form, someone reviews the responses, and the results are filed away for 12 months. This approach has three fundamental problems.

First, the assessment is outdated almost immediately. A vendor's security posture can change dramatically in the weeks and months following a questionnaire. Certifications expire, staff leave, new vulnerabilities emerge, and breaches occur. Your annual assessment captures none of this.

Second, self-assessment is inherently unreliable. Vendors have every incentive to present their security programme in the best possible light. Without independent verification or continuous evidence, you are relying on trust rather than data.

Third, questionnaires do not scale. An organisation with 50 vendors might manage annual questionnaires manually. An MSP managing supply chain risk across 200 clients, each with their own vendor relationships, simply cannot. The administrative burden becomes unmanageable, and critical vendors get the same level of scrutiny as low-risk ones.

NIS2 Supply Chain Requirements

What the directive requires and how Fig helps you comply

What NIS2 Mandates

NIS2 Article 21(2)(d) requires essential and important entities to implement "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

This is not a suggestion. It is a legal obligation with potential penalties of up to 2% of global annual turnover for essential entities and 1.4% for important entities. Regulators expect to see documented evidence of supply chain risk management activities, not just policies.

The directive also requires organisations to consider "the vulnerabilities specific to each direct supplier and service provider" and "the overall quality of products and cybersecurity practices of their suppliers and service providers." This means vendor-specific risk assessment, not generic questionnaires.

How Fig Helps

Maintains a complete register of all third-party relationships with criticality ratings
Maps security controls to NIS2 Article 21(2)(d) requirements specifically
Tracks vendor certifications and alerts you when they expire
Provides continuous risk scoring that updates automatically
Documents supply chain due diligence activities for regulatory audit
Considers sub-processor (fourth-party) risk as NIS2 requires
Generates compliance evidence packs on demand

The Shared Control Model

Security responsibilities are divided between you and each vendor. Map them explicitly.

Every vendor relationship involves a division of security responsibilities. Some controls belong entirely to your organisation: managing user access to vendor systems, configuring integration security settings, and monitoring data flows. Other controls belong entirely to the vendor: securing their internal infrastructure, patching their systems, and managing their own staff. And some controls are shared: data encryption, incident response coordination, and business continuity planning.

Your Controls

Access management, integration configuration, data classification, usage monitoring

Shared Controls

Data encryption, incident response, business continuity, compliance reporting

Vendor Controls

Infrastructure security, patch management, staff vetting, physical security

Fig maps these responsibilities explicitly for each vendor relationship. The platform ensures that every control has a clear owner and that shared responsibilities have documented expectations on both sides. This prevents the most common supply chain risk failure: controls that both parties assume the other is handling.

Vendor Risk Scoring Methodology

A transparent, weighted approach to quantifying third-party risk

Fig evaluates each vendor across eight risk dimensions. Each dimension is weighted according to its potential impact on your security posture. The resulting score provides a clear, comparable measure of vendor risk that updates continuously as new information becomes available.

Factor | Weight | What We Evaluate
Security certifications held | High | ISO 27001, SOC 2, Cyber Essentials Plus, and other recognised certifications indicate a mature security programme.
Patch management cadence | High | How quickly does the vendor apply critical patches? Vendors with defined SLAs and evidence of compliance score higher.
Incident history and response | High | Past breach disclosures, response times, and remediation actions reveal operational resilience.
Data handling practices | Medium | Encryption standards, data residency, retention policies, and access controls applied to your data.
Business continuity planning | Medium | Documented and tested disaster recovery and business continuity plans with defined RPO and RTO targets.
Sub-processor management | Medium | How does the vendor manage its own supply chain? Fourth-party risk is increasingly important under NIS2.
Contractual security commitments | Medium | Security SLAs, breach notification timelines, audit rights, and liability provisions in vendor contracts.
Financial stability | Low | Vendor financial health affects their ability to invest in security and maintain service continuity.
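An added example, not Fig's own code, of the weighted scoring the table above describes, including one way a score moves between assessments: an expired certification stops counting as evidence. The numeric values behind High/Medium/Low, the 0..100 evidence ratings, and the sample vendor are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Weight levels are the page's; the numbers assigned to them are an assumption.
WEIGHTS = {"High": 3, "Medium": 2, "Low": 1}

# The eight factors and weight levels from the methodology table.
FACTORS = {
    "certifications": "High",
    "patch_cadence": "High",
    "incident_history": "High",
    "data_handling": "Medium",
    "business_continuity": "Medium",
    "sub_processor_management": "Medium",
    "contractual_commitments": "Medium",
    "financial_stability": "Low",
}

@dataclass
class Vendor:
    name: str
    ratings: dict                                   # factor -> 0..100 (100 = strongest evidence)
    cert_expiries: dict = field(default_factory=dict)  # certification -> expiry date

def expired_certs(vendor, today):
    """Certifications whose expiry date has passed as of `today`."""
    return sorted(c for c, d in vendor.cert_expiries.items() if d < today)

def effective_ratings(vendor, today):
    """Ratings adjusted for evidence that is no longer current: the certification
    rating is scaled by the share of tracked certifications still valid."""
    ratings = dict(vendor.ratings)
    if vendor.cert_expiries:
        valid = len(vendor.cert_expiries) - len(expired_certs(vendor, today))
        ratings["certifications"] = ratings["certifications"] * valid / len(vendor.cert_expiries)
    return ratings

def risk_score(vendor, today):
    """Weighted risk score 0..100, higher = more risk; weak evidence in a
    High-weight factor moves the score three times as much as in a Low one."""
    ratings = effective_ratings(vendor, today)
    total_weight = sum(WEIGHTS[w] for w in FACTORS.values())
    weighted_risk = sum(WEIGHTS[FACTORS[f]] * (100 - ratings[f]) for f in FACTORS)
    return round(weighted_risk / total_weight, 1)

# Constructed sample vendor: SOC 2 lapses at the end of 2024, ISO 27001 stays valid.
SAMPLE = Vendor(
    name="Example SaaS Ltd (constructed)",
    ratings={"certifications": 90, "patch_cadence": 70, "incident_history": 80,
             "data_handling": 60, "business_continuity": 50, "sub_processor_management": 40,
             "contractual_commitments": 70, "financial_stability": 60},
    cert_expiries={"ISO 27001": date(2026, 6, 30), "SOC 2": date(2024, 12, 31)},
)
```

Re-running risk_score for the same vendor on a later date is what turns a point-in-time questionnaire result into a score that changes as evidence lapses.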

Frequently Asked Questions

Common questions about supply chain risk management and regulatory compliance

Take Control of Your Supply Chain Risk

Move beyond annual questionnaires to continuous vendor risk monitoring. Fig helps you meet NIS2 and DORA requirements with automated evidence collection and real-time risk scoring.