{"id":2348,"date":"2025-07-14T10:31:11","date_gmt":"2025-07-14T10:31:11","guid":{"rendered":"https:\/\/magicstone.nl\/en\/?page_id=2348"},"modified":"2026-07-08T08:01:24","modified_gmt":"2026-07-08T08:01:24","slug":"nis2-third-party-risk-management","status":"publish","type":"page","link":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/","title":{"rendered":"NIS2 &#038; Third-Party Risk Management"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"2348\" class=\"elementor elementor-2348\" data-elementor-post-type=\"page\">\n\t\t\t\t<section class=\"elementor-element elementor-element-873e7d6 e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-parent\" data-id=\"873e7d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6f90b26 elementor-widget__width-inherit elementor-widget elementor-widget-html\" data-id=\"6f90b26\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<!-- NIS2 Third-Party Risk Management (TPRM) | Magic Stone Cyber Security -->\r\n\r\n<section class=\"ms-service-page\">\r\n\r\n  <style>\r\n    .ms-service-page { width:100%; font-family:inherit; color:#1f2933; line-height:1.65; }\r\n    .ms-service-page * { box-sizing:border-box; }\r\n    .ms-hero { width:100%; background:linear-gradient(135deg,#0f172a 0%,#1f2937 100%); color:#fff; padding:70px 6%; margin-bottom:45px; }\r\n    .ms-hero h1 { max-width:1120px; font-size:42px; line-height:1.15; margin:0 auto 20px; color:#fff; }\r\n    .ms-a<!-- NIS2 Third-Party Risk Management (TPRM) | Magic Stone Cyber Security -->\r\n\r\n<section class=\"ms-service-page\">\r\n\r\n  <style>\r\n    .ms-service-page { width:100%; font-family:inherit; color:#1f2933; line-height:1.65; }\r\n    .ms-service-page * { box-sizing:border-box; }\r\n    .ms-hero { width:100%; background:linear-gradient(135deg,#0f172a 0%,#1f2937 100%); color:#fff; padding:70px 6%; margin-bottom:45px; }\r\n    .ms-hero h1 { max-width:1120px; font-size:42px; line-height:1.15; margin:0 auto 20px; color:#fff; }\r\n    .ms-hero p { max-width:1120px; font-size:19px; margin:0 auto 28px; color:#e5e7eb; }\r\n    .ms-hero .ms-btn-wrap { max-width:1120px; margin:0 auto; }\r\n    .ms-content { width:100%; max-width:1120px; margin:0 auto; padding:0 20px 55px; }\r\n    .ms-btn { display:inline-block; background:#57A200; color:#fff!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; }\r\n    .ms-btn:hover { background:#468500; color:#fff!important; }\r\n    .ms-btn-secondary { display:inline-block; background:transparent; color:#57A200!important; border:2px solid #57A200; padding:12px 24px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; margin-left:10px; }\r\n    .ms-btn-secondary:hover { background:#57A200; color:#fff!important; }\r\n    .ms-btn-dl { display:inline-flex; align-items:center; gap:10px; background:#173154; color:#fff!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; margin-left:10px; font-size:16px; transition:background .2s; }\r\n    .ms-btn-dl:hover { background:#0f2440; color:#fff!important; }\r\n    .ms-btn-dl svg { flex-shrink:0; }\r\n    .ms-section { margin-bottom:48px; }\r\n    .ms-section h2 { font-size:30px; margin-bottom:8px; color:#111827; }\r\n    .ms-section-intro { font-size:16px; color:#6b7280; margin-bottom:22px; }\r\n    .ms-grid-2 { display:grid; grid-template-columns:repeat(2,1fr); gap:20px; margin-top:25px; }\r\n    .ms-grid-3 { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin-top:25px; }\r\n    .ms-grid-4 { display:grid; grid-template-columns:repeat(4,1fr); gap:18px; margin-top:25px; }\r\n\r\n    .ms-checklist-card { background:#fff; border:1px solid #e5e7eb; border-top:4px solid #57A200; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-checklist-card .ms-card-num { display:inline-flex; align-items:center; justify-content:center; width:26px; height:26px; background:#0f172a; color:#57A200; border-radius:6px; font-size:12px; font-weight:800; margin-bottom:10px; }\r\n    .ms-checklist-card h3 { margin:0 0 5px; font-size:17px; color:#111827; }\r\n    .ms-checklist-card .ms-card-intro { font-size:13.5px; color:#6b7280; margin-bottom:12px; line-height:1.5; }\r\n    .ms-checklist { list-style:none; padding:0; margin:0; }\r\n    .ms-checklist li { display:flex; gap:9px; align-items:flex-start; padding:6px 0; border-bottom:1px solid #f3f4f6; font-size:14px; color:#374151; line-height:1.5; }\r\n    .ms-checklist li:last-child { border-bottom:none; }\r\n    .ms-checklist li::before { content:\"\\2610\"; font-size:16px; color:#57A200; flex-shrink:0; margin-top:1px; }\r\n\r\n    .ms-pain-card { background:#fff; border:1px solid #e5e7eb; border-left:4px solid #e8192c; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-pain-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-pain-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n    .ms-pain-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-sol-card { background:#f3f8ef; border:1px solid #d1e8b8; border-radius:14px; padding:22px 24px; }\r\n    .ms-sol-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-sol-card p { font-size:14px; color:#374151; margin:0; line-height:1.6; }\r\n    .ms-sol-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-outcome-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-outcome-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-outcome-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n    .ms-outcome-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-proof-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:20px 22px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-proof-card h3 { margin:0 0 8px; font-size:16px; color:#111827; }\r\n    .ms-proof-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n\r\n    .ms-strip { background:#f3f8ef; border-left:5px solid #57A200; padding:28px; border-radius:14px; margin:40px 0; }\r\n    .ms-warning-strip { background:#fff7ed; border-left:5px solid #f97316; padding:24px 28px; border-radius:14px; margin:0 0 36px; }\r\n    .ms-warning-strip strong { color:#9a3412; }\r\n\r\n    .ms-download-strip { background:#0f172a; border-radius:14px; padding:28px 32px; margin:40px 0; display:flex; align-items:center; justify-content:space-between; gap:24px; flex-wrap:wrap; }\r\n    .ms-download-strip h3 { color:#fff; font-size:20px; margin:0 0 6px; }\r\n    .ms-download-strip p { color:#94a3b8; font-size:15px; margin:0; }\r\n    .ms-download-btn { display:inline-flex; align-items:center; gap:10px; background:#57A200; color:#fff!important; padding:14px 24px; border-radius:8px; text-decoration:none; font-weight:700; font-size:15px; white-space:nowrap; transition:background .2s; flex-shrink:0; }\r\n    .ms-download-btn:hover { background:#468500; }\r\n\r\n    .ms-stat-row { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin:28px 0 10px; }\r\n    .ms-stat-box { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:24px; text-align:center; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-stat-num { font-size:38px; font-weight:800; color:#57A200; line-height:1; margin-bottom:6px; }\r\n    .ms-stat-label { font-size:14px; color:#6b7280; line-height:1.4; }\r\n    .ms-source-note { font-size:12px; color:#9ca3af; margin:10px 0 34px; line-height:1.5; }\r\n    .ms-source-note a { color:#6b7280; text-decoration:underline; }\r\n\r\n    .ms-service-cta { background:linear-gradient(135deg,#173154 0%,#1e3a6e 100%); border-radius:18px; padding:40px 36px; margin:40px 0; display:grid; grid-template-columns:1fr auto; gap:32px; align-items:center; }\r\n    .ms-service-cta h3 { color:#fff; font-size:24px; margin:0 0 10px; }\r\n    .ms-service-cta p { color:#94a3b8; font-size:16px; margin:0; line-height:1.65; }\r\n    .ms-service-cta-badge { display:inline-block; background:rgba(87,162,0,0.15); color:#57A200; border:1px solid rgba(87,162,0,0.3); border-radius:6px; font-size:12px; font-weight:700; padding:3px 10px; margin-bottom:10px; letter-spacing:.04em; text-transform:uppercase; }\r\n    .ms-btn-white { display:inline-block; background:#fff; color:#173154!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; white-space:nowrap; transition:background .2s; }\r\n    .ms-btn-white:hover { background:#f0f4ff; }\r\n\r\n    .ms-table-wrap { overflow-x:auto; margin-top:24px; }\r\n    .ms-compare-table { width:100%; border-collapse:collapse; background:#fff; border:1px solid #e5e7eb; border-radius:14px; overflow:hidden; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-compare-table th { background:#0f172a; color:#fff; padding:14px 16px; text-align:left; font-size:14px; }\r\n    .ms-compare-table td { padding:14px 16px; border-bottom:1px solid #eef2f7; font-size:14px; color:#374151; }\r\n    .ms-compare-table tr:last-child td { border-bottom:none; }\r\n    .ms-yes { color:#57A200; font-weight:800; }\r\n    .ms-partial { color:#f97316; font-weight:800; }\r\n    .ms-no { color:#e8192c; font-weight:800; }\r\n\r\n    .ms-faq { border-top:1px solid #e5e7eb; margin-top:22px; }\r\n    .ms-faq-item { border-bottom:1px solid #e5e7eb; padding:18px 0; }\r\n    .ms-faq-item h3 { font-size:17px; margin:0 0 8px; color:#111827; }\r\n    .ms-faq-item p { margin:0; color:#6b7280; font-size:14.5px; line-height:1.65; }\r\n\r\n    .ms-cta { background:#111827; color:#fff; border-radius:18px; padding:45px 35px; text-align:center; margin-top:50px; }\r\n    .ms-cta h2 { color:#fff; font-size:32px; margin-bottom:15px; }\r\n    .ms-cta p { color:#e5e7eb; max-width:780px; margin:0 auto 22px; font-size:18px; }\r\n\r\n    .ms-links a { color:#57A200; font-weight:700; text-decoration:none; }\r\n    .ms-links a:hover { text-decoration:underline; }\r\n    .ms-list { padding-left:22px; }\r\n    .ms-list li { margin-bottom:10px; }\r\n    .ms-art21-note { font-size:13px; color:#9ca3af; margin-top:6px; font-style:italic; }\r\n\r\n    @media(max-width:900px) {\r\n      .ms-grid-2, .ms-grid-3, .ms-grid-4, .ms-stat-row { grid-template-columns:1fr; }\r\n      .ms-service-cta { grid-template-columns:1fr; }\r\n      .ms-hero { padding:50px 24px; }\r\n      .ms-hero h1 { font-size:32px; }\r\n      .ms-btn-secondary, .ms-btn-dl { margin-left:0; display:block; margin-top:10px; text-align:center; }\r\n      .ms-btn { display:block; text-align:center; }\r\n      .ms-download-strip { flex-direction:column; }\r\n    }\r\n  <\/style>\r\n\r\n  <div class=\"ms-hero\">\r\n    <h1>NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)<\/h1>\r\n    <p>NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity \u2014 you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.<\/p>\r\n    <div class=\"ms-btn-wrap\">\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn\">See How We Automate TPRM &rarr;<\/a>\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn-secondary\">Book a NIS2 Assessment<\/a>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/06\/MagicStone_NIS2_Workbook.pdf\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn-dl\">\r\n        <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\"><path d=\"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4\"\/><polyline points=\"7 10 12 15 17 10\"\/><line x1=\"12\" y1=\"15\" x2=\"12\" y2=\"3\"\/><\/svg>\r\n        Download Workbook 2026\r\n      <\/a>\r\n    <\/div>\r\n  <\/div>\r\n\r\n  <div class=\"ms-content\">\r\n\r\n    <div class=\"ms-stat-row\">\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">NIS2<\/div>\r\n        <div class=\"ms-stat-label\">requires organisations to actively manage risks across their supply chain<\/div>\r\n      <\/div>\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">24\/7<\/div>\r\n        <div class=\"ms-stat-label\">continuous monitoring detects changes in supplier risk faster than annual reviews<\/div>\r\n      <\/div>\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">\u20ac10M<\/div>\r\n        <div class=\"ms-stat-label\">maximum NIS2 penalty for essential entities \u2014 or 2% of global annual turnover<\/div>\r\n      <\/div>\r\n    <\/div>\r\n    <p class=\"ms-source-note\">Penalty reference based on NIS2 Article 34: essential entities up to at least \u20ac10,000,000 or 2% of global annual turnover; important entities up to at least \u20ac7,000,000 or 1.4% of global annual turnover. See <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32022L2555\" target=\"_blank\" rel=\"noopener noreferrer\">Directive (EU) 2022\/2555<\/a> and the Dutch <a href=\"https:\/\/www.ncsc.nl\/cyberbeveiligingswet-nis2\" target=\"_blank\" rel=\"noopener noreferrer\">Cyberbeveiligingswet\/NIS2 guidance from the NCSC<\/a>.<\/p>\r\n\r\n    <div class=\"ms-warning-strip\">\r\n      <strong>Note:<\/strong> NIS2 requires governance and oversight by management bodies. Management boards have explicit oversight and accountability obligations. The exact legal consequences, including potential personal management liability, depend on national implementation and specific circumstances. Always have legal claims reviewed before publishing.\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>What NIS2 Requires for Third-Party Risk<\/h2>\r\n      <p class=\"ms-section-intro\">NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain \u2014 including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.<\/p>\r\n\r\n      <div class=\"ms-grid-2\">\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">1<\/div>\r\n          <h3>Supplier Risk Assessments<\/h3>\r\n          <p class=\"ms-card-intro\">Evaluate the cybersecurity posture of critical suppliers and service providers.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Identify critical suppliers, ICT providers, and key service dependencies<\/li>\r\n            <li>Assess supplier cybersecurity policies, controls, and governance practices<\/li>\r\n            <li>Review certifications, audit reports, incident history, and compliance evidence<\/li>\r\n            <li>Classify suppliers based on criticality, access privileges, and business impact<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">2<\/div>\r\n          <h3>Contractual Security Requirements<\/h3>\r\n          <p class=\"ms-card-intro\">Embed cybersecurity obligations into supplier and service-provider agreements.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Include security requirements and incident-response obligations in contracts<\/li>\r\n            <li>Require timely notification of security incidents affecting your organisation<\/li>\r\n            <li>Define audit rights, assurance mechanisms, and compliance verification processes<\/li>\r\n            <li>Address subcontractor and fourth-party risks through contractual controls<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">3<\/div>\r\n          <h3>Continuous Monitoring<\/h3>\r\n          <p class=\"ms-card-intro\">Maintain ongoing visibility into changing cyber risk across your supplier base.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Monitor the external attack surface of critical suppliers<\/li>\r\n            <li>Track changes in security posture, vulnerabilities, and risk indicators<\/li>\r\n            <li>Identify hidden dependencies and unmanaged third-party relationships<\/li>\r\n            <li>Maintain a current supply-chain risk register with remediation tracking<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">4<\/div>\r\n          <h3>Incident Coordination<\/h3>\r\n          <p class=\"ms-card-intro\">Manage supplier-related incidents and support NIS2 reporting requirements.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Assess the impact of supplier incidents on systems, services, and data<\/li>\r\n            <li>Determine whether incidents could trigger NIS2 reporting obligations<\/li>\r\n            <li>Coordinate incident communication and response activities with suppliers<\/li>\r\n            <li>Maintain evidence, remediation records, and incident documentation<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(b), 21(2)(d) and Article 23<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Why Manual TPRM Cannot Scale Under NIS2<\/h2>\r\n      <p class=\"ms-section-intro\">Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.<\/p>\r\n\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udccb<\/div><h3>Spreadsheets Break at Scale<\/h3><p>Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance \u2014 not a spreadsheet from last quarter.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udd0d<\/div><h3>Hidden Dependencies<\/h3><p>Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\u23f1\ufe0f<\/div><h3>Annual Assessments Are Not Enough<\/h3><p>A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udcc4<\/div><h3>Audit Evidence Is Scattered<\/h3><p>Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udd17<\/div><h3>Fourth-Party Risk Is Invisible<\/h3><p>Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\u2696\ufe0f<\/div><h3>Management Accountability<\/h3><p>NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Business Impact: From Compliance Burden to Operational Advantage<\/h2>\r\n      <p class=\"ms-section-intro\">Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.<\/p>\r\n      <div class=\"ms-grid-4\">\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\ude80<\/div><h3>Faster Audits<\/h3><p>Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udc41\ufe0f<\/div><h3>Continuous Visibility<\/h3><p>See changes in supplier risk as they emerge \u2014 not when you get to next year's annual review.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udcc8<\/div><h3>Board-Ready Reporting<\/h3><p>Translate technical findings into priorities, trends, and decision-ready information for management.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udee1\ufe0f<\/div><h3>Lower Exposure<\/h3><p>Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-service-cta\">\r\n      <div>\r\n        <div class=\"ms-service-cta-badge\">Magic Stone Solution<\/div>\r\n        <h3>AI-Powered Supply Chain Risk Management \u2014 Powered by Rescana<\/h3>\r\n        <p>Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.<\/p>\r\n      <\/div>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn-white\">See the Service &rarr;<\/a>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>How Magic Stone Solves TPRM for NIS2<\/h2>\r\n      <p class=\"ms-section-intro\">Magic Stone deploys Rescana as part of a practical TPRM programme \u2014 from supplier inventory and risk classification to monitoring, remediation, and management reporting.<\/p>\r\n\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83e\udd16<\/div><h3>Automated Supplier Discovery<\/h3><p>Map your full supplier ecosystem \u2014 including sub-processors and unknown dependencies not captured in existing spreadsheets.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udce1<\/div><h3>Continuous Attack Surface Monitoring<\/h3><p>Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udcca<\/div><h3>Real-Time Risk Scoring<\/h3><p>Prioritise suppliers based on current security posture, criticality, and business impact \u2014 not last year's questionnaire.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udcc1<\/div><h3>Audit-Ready Evidence<\/h3><p>Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\u26a1<\/div><h3>NIS2 &amp; DORA Mapping<\/h3><p>Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83c\udfc6<\/div><h3>Recognised Innovation<\/h3><p>Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Why Rescana Instead of Traditional TPRM?<\/h2>\r\n      <p class=\"ms-section-intro\">Many TPRM processes are built around questionnaires. That remains useful \u2014 but NIS2 demands better evidence, more current insight, and faster follow-up.<\/p>\r\n      <div class=\"ms-table-wrap\">\r\n        <table class=\"ms-compare-table\">\r\n          <thead><tr><th>Capability<\/th><th>Rescana \/ Magic Stone Approach<\/th><th>Traditional TPRM<\/th><\/tr><\/thead>\r\n          <tbody>\r\n            <tr><td>Supplier discovery<\/td><td><span class=\"ms-yes\">\u2713<\/span> Automated discovery and enrichment<\/td><td><span class=\"ms-partial\">Limited<\/span> Often manual inventory<\/td><\/tr>\r\n            <tr><td>Continuous monitoring<\/td><td><span class=\"ms-yes\">\u2713<\/span> Ongoing external risk signals<\/td><td><span class=\"ms-partial\">Limited<\/span> Often annual assessment<\/td><\/tr>\r\n            <tr><td>NIS2 mapping<\/td><td><span class=\"ms-yes\">\u2713<\/span> Findings mapped to obligations<\/td><td><span class=\"ms-partial\">Limited<\/span> Often manual interpretation<\/td><\/tr>\r\n            <tr><td>Audit evidence<\/td><td><span class=\"ms-yes\">\u2713<\/span> Central dossier with exports<\/td><td><span class=\"ms-partial\">Limited<\/span> Emails, folders, spreadsheets<\/td><\/tr>\r\n            <tr><td>Fourth-party visibility<\/td><td><span class=\"ms-yes\">\u2713<\/span> Focus on chain dependencies<\/td><td><span class=\"ms-no\">\u2717<\/span> Often first-tier only<\/td><\/tr>\r\n            <tr><td>Management reporting<\/td><td><span class=\"ms-yes\">\u2713<\/span> Risk translated into priorities<\/td><td><span class=\"ms-partial\">Limited<\/span> Often technical or fragmented<\/td><\/tr>\r\n          <\/tbody>\r\n        <\/table>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Examples of Audit-Ready Evidence<\/h2>\r\n      <p class=\"ms-section-intro\">A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.<\/p>\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-proof-card\"><h3>Supplier Inventory<\/h3><p>A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Risk Register<\/h3><p>Categorised risks with owner, impact, likelihood, status, and planned actions.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Supplier Scorecards<\/h3><p>Per-supplier overview of risk score, findings, trends, and relevant evidence documents.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Remediation Tracking<\/h3><p>Open actions, deadlines, ownership, and evidence of follow-up and completion.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Incident Dossier<\/h3><p>Documentation of supplier incidents, impact analysis, communication, and decision records.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Board Reporting<\/h3><p>Management summaries with trends, top risks, status, and decision-ready points.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <!-- Download strip -->\r\n    <div class=\"ms-download-strip\">\r\n      <div>\r\n        <h3>&#128203; NIS2 Compliance Checklist &amp; Readiness Workbook 2026<\/h3>\r\n        <p>Download the full workbook \u2014 all ten NIS2 sections with Yes \/ Partial \/ No scoring, organisation details, and a scoring guide. Print it, fill it in, share it with your board.<\/p>\r\n      <\/div>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/06\/MagicStone_NIS2_Workbook.pdf\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-download-btn\">\r\n        <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\"><path d=\"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4\"\/><polyline points=\"7 10 12 15 17 10\"\/><line x1=\"12\" y1=\"15\" x2=\"12\" y2=\"3\"\/><\/svg>\r\n        Download Workbook (PDF)\r\n      <\/a>\r\n    <\/div>\r\n\r\n    <div class=\"ms-strip\">\r\n      <strong>NIS2 Article 21(2)(d) \u2014 the core obligation<\/strong><br><br>\r\n      <em>\"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers...\"<\/em><br><br>\r\n      This means supplier risk must be part of your cybersecurity risk-management measures. <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" style=\"color:#57A200;font-weight:700;\">Magic Stone's Supply Chain Risk Management service<\/a> is built to make this demonstrable, scalable, and manageable.\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Frequently Asked Questions about NIS2 and Third-Party Risk<\/h2>\r\n      <div class=\"ms-faq\">\r\n        <div class=\"ms-faq-item\"><h3>What does NIS2 require for third-party risk management?<\/h3><p>NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures \u2014 including security-related aspects of relationships with direct suppliers and service providers.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Do we need to monitor all suppliers?<\/h3><p>Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Does NIS2 require continuous monitoring?<\/h3><p>NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Are spreadsheets sufficient for NIS2 compliance?<\/h3><p>Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>What is the difference between NIS2 and DORA for supplier risk?<\/h3><p>NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>How long does implementation take?<\/h3><p>This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Can Magic Stone also help with policy and contractual requirements?<\/h3><p>Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2\/DORA reporting.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section ms-links\">\r\n      <h2>Related<\/h2>\r\n      <ul class=\"ms-list\">\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\">Supply Chain Risk Management \u2014 the Magic Stone service<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/what-is-nis2\/\">What is NIS2? \u2014 Plain Language Guide<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-assessment\/\">NIS2 Assessment \u2014 Gap Analysis &amp; Compliance Roadmap<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-checklist\/\">NIS2 Compliance Checklist<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/dora-compliance-made-simple\/\">DORA Compliance<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/partners\/rescana\/\">Rescana \u2014 AI Supply Chain Risk Partner<\/a><\/li>\r\n      <\/ul>\r\n    <\/div>\r\n\r\n    <div class=\"ms-cta\">\r\n      <h2>Ready to Automate Your NIS2 Supply Chain Compliance?<\/h2>\r\n      <p>Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.<\/p>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn\" style=\"margin-right:10px;\">See the Supply Chain Risk Management Service<\/a>\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn-secondary\" style=\"margin-top:10px;\">Book a NIS2 Assessment<\/a>\r\n    <\/div>\r\n\r\n  <\/div>\r\n<\/section>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"FAQPage\",\r\n  \"mainEntity\": [\r\n    {\"@type\":\"Question\",\"name\":\"What does NIS2 require for third-party risk management?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures \u2014 including security-related aspects of relationships with direct suppliers and service providers.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Do we need to monitor all suppliers under NIS2?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Does NIS2 require continuous monitoring of suppliers?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Are spreadsheets sufficient for NIS2 TPRM compliance?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"What is the difference between NIS2 and DORA for supplier risk?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"How does Magic Stone help with NIS2 third-party risk?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Magic Stone helps organisations with supplier inventory, risk classification, continuous monitoring, evidence management, remediation tracking, and reporting for NIS2 Article 21(2)(d) \u2014 including deployment of Rescana for AI-driven supply chain risk management.\"}}\r\n  ]\r\n}\r\n<\/script>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\"@context\":\"https:\/\/schema.org\",\"@type\":\"BreadcrumbList\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/magicstone.nl\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2\",\"item\":\"https:\/\/magicstone.nl\/en\/what-is-nis2\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"NIS2 & Third-Party Risk Management\",\"item\":\"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/\"}]}\r\n<\/script>\r\n<script type=\"application\/ld+json\">\r\n{\"@context\":\"https:\/\/schema.org\",\"@type\":\"Service\",\"name\":\"NIS2 Third-Party Risk Management \u2014 Magic Stone\",\"description\":\"Magic Stone helps organisations manage NIS2 Article 21(2)(d) supply chain security obligations through automated supplier discovery, continuous monitoring, risk scoring, and audit-ready evidence management powered by Rescana.\",\"provider\":{\"@type\":\"Organization\",\"name\":\"Magic Stone Cyber Security\",\"url\":\"https:\/\/magicstone.nl\/en\/\",\"address\":{\"@type\":\"PostalAddress\",\"streetAddress\":\"Rembrandtweg 343\",\"addressLocality\":\"Amstelveen\",\"postalCode\":\"1181 GL\",\"addressCountry\":\"NL\"}},\"areaServed\":[\"NL\",\"BE\",\"LU\",\"NO\",\"SE\",\"DK\",\"FI\"],\"serviceType\":\"Cybersecurity Compliance\",\"keywords\":\"NIS2 TPRM, third-party risk management, supply chain security, NIS2 Article 21, supplier risk monitoring\"}\r\n<\/script>hero p { max-width:1120px; font-size:19px; margin:0 auto 28px; color:#e5e7eb; }\r\n    .ms-hero .ms-btn-wrap { max-width:1120px; margin:0 auto; }\r\n    .ms-content { width:100%; max-width:1120px; margin:0 auto; padding:0 20px 55px; }\r\n    .ms-btn { display:inline-block; background:#57A200; color:#fff!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; }\r\n    .ms-btn:hover { background:#468500; color:#fff!important; }\r\n    .ms-btn-secondary { display:inline-block; background:transparent; color:#57A200!important; border:2px solid #57A200; padding:12px 24px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; margin-left:10px; }\r\n    .ms-btn-secondary:hover { background:#57A200; color:#fff!important; }\r\n    .ms-section { margin-bottom:48px; }\r\n    .ms-section h2 { font-size:30px; margin-bottom:8px; color:#111827; }\r\n    .ms-section-intro { font-size:16px; color:#6b7280; margin-bottom:22px; }\r\n    .ms-grid-2 { display:grid; grid-template-columns:repeat(2,1fr); gap:20px; margin-top:25px; }\r\n    .ms-grid-3 { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin-top:25px; }\r\n    .ms-grid-4 { display:grid; grid-template-columns:repeat(4,1fr); gap:18px; margin-top:25px; }\r\n\r\n    .ms-checklist-card { background:#fff; border:1px solid #e5e7eb; border-top:4px solid #57A200; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-checklist-card .ms-card-num { display:inline-flex; align-items:center; justify-content:center; width:26px; height:26px; background:#0f172a; color:#57A200; border-radius:6px; font-size:12px; font-weight:800; margin-bottom:10px; }\r\n    .ms-checklist-card h3 { margin:0 0 5px; font-size:17px; color:#111827; }\r\n    .ms-checklist-card .ms-card-intro { font-size:13.5px; color:#6b7280; margin-bottom:12px; line-height:1.5; }\r\n    .ms-checklist { list-style:none; padding:0; margin:0; }\r\n    .ms-checklist li { display:flex; gap:9px; align-items:flex-start; padding:6px 0; border-bottom:1px solid #f3f4f6; font-size:14px; color:#374151; line-height:1.5; }\r\n    .ms-checklist li:last-child { border-bottom:none; }\r\n    .ms-checklist li::before { content:\"\\2610\"; font-size:16px; color:#57A200; flex-shrink:0; margin-top:1px; }\r\n\r\n    .ms-pain-card { background:#fff; border:1px solid #e5e7eb; border-left:4px solid #e8192c; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-pain-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-pain-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n    .ms-pain-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-sol-card { background:#f3f8ef; border:1px solid #d1e8b8; border-radius:14px; padding:22px 24px; }\r\n    .ms-sol-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-sol-card p { font-size:14px; color:#374151; margin:0; line-height:1.6; }\r\n    .ms-sol-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-outcome-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-outcome-card h3 { margin:0 0 8px; font-size:17px; color:#111827; }\r\n    .ms-outcome-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n    .ms-outcome-icon { font-size:26px; margin-bottom:10px; }\r\n\r\n    .ms-proof-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:20px 22px; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-proof-card h3 { margin:0 0 8px; font-size:16px; color:#111827; }\r\n    .ms-proof-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; }\r\n\r\n    .ms-strip { background:#f3f8ef; border-left:5px solid #57A200; padding:28px; border-radius:14px; margin:40px 0; }\r\n    .ms-warning-strip { background:#fff7ed; border-left:5px solid #f97316; padding:24px 28px; border-radius:14px; margin:0 0 36px; }\r\n    .ms-warning-strip strong { color:#9a3412; }\r\n\r\n    .ms-stat-row { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin:28px 0 10px; }\r\n    .ms-stat-box { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:24px; text-align:center; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-stat-num { font-size:38px; font-weight:800; color:#57A200; line-height:1; margin-bottom:6px; }\r\n    .ms-stat-label { font-size:14px; color:#6b7280; line-height:1.4; }\r\n    .ms-source-note { font-size:12px; color:#9ca3af; margin:10px 0 34px; line-height:1.5; }\r\n    .ms-source-note a { color:#6b7280; text-decoration:underline; }\r\n\r\n    .ms-service-cta { background:linear-gradient(135deg,#173154 0%,#1e3a6e 100%); border-radius:18px; padding:40px 36px; margin:40px 0; display:grid; grid-template-columns:1fr auto; gap:32px; align-items:center; }\r\n    .ms-service-cta h3 { color:#fff; font-size:24px; margin:0 0 10px; }\r\n    .ms-service-cta p { color:#94a3b8; font-size:16px; margin:0; line-height:1.65; }\r\n    .ms-service-cta-badge { display:inline-block; background:rgba(87,162,0,0.15); color:#57A200; border:1px solid rgba(87,162,0,0.3); border-radius:6px; font-size:12px; font-weight:700; padding:3px 10px; margin-bottom:10px; letter-spacing:.04em; text-transform:uppercase; }\r\n    .ms-btn-white { display:inline-block; background:#fff; color:#173154!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; white-space:nowrap; transition:background .2s; }\r\n    .ms-btn-white:hover { background:#f0f4ff; }\r\n\r\n    .ms-table-wrap { overflow-x:auto; margin-top:24px; }\r\n    .ms-compare-table { width:100%; border-collapse:collapse; background:#fff; border:1px solid #e5e7eb; border-radius:14px; overflow:hidden; box-shadow:0 4px 16px rgba(0,0,0,.04); }\r\n    .ms-compare-table th { background:#0f172a; color:#fff; padding:14px 16px; text-align:left; font-size:14px; }\r\n    .ms-compare-table td { padding:14px 16px; border-bottom:1px solid #eef2f7; font-size:14px; color:#374151; }\r\n    .ms-compare-table tr:last-child td { border-bottom:none; }\r\n    .ms-yes { color:#57A200; font-weight:800; }\r\n    .ms-partial { color:#f97316; font-weight:800; }\r\n    .ms-no { color:#e8192c; font-weight:800; }\r\n\r\n    .ms-faq { border-top:1px solid #e5e7eb; margin-top:22px; }\r\n    .ms-faq-item { border-bottom:1px solid #e5e7eb; padding:18px 0; }\r\n    .ms-faq-item h3 { font-size:17px; margin:0 0 8px; color:#111827; }\r\n    .ms-faq-item p { margin:0; color:#6b7280; font-size:14.5px; line-height:1.65; }\r\n\r\n    .ms-cta { background:#111827; color:#fff; border-radius:18px; padding:45px 35px; text-align:center; margin-top:50px; }\r\n    .ms-cta h2 { color:#fff; font-size:32px; margin-bottom:15px; }\r\n    .ms-cta p { color:#e5e7eb; max-width:780px; margin:0 auto 22px; font-size:18px; }\r\n\r\n    .ms-links a { color:#57A200; font-weight:700; text-decoration:none; }\r\n    .ms-links a:hover { text-decoration:underline; }\r\n    .ms-list { padding-left:22px; }\r\n    .ms-list li { margin-bottom:10px; }\r\n    .ms-art21-note { font-size:13px; color:#9ca3af; margin-top:6px; font-style:italic; }\r\n\r\n    @media(max-width:900px) {\r\n      .ms-grid-2, .ms-grid-3, .ms-grid-4, .ms-stat-row { grid-template-columns:1fr; }\r\n      .ms-service-cta { grid-template-columns:1fr; }\r\n      .ms-hero { padding:50px 24px; }\r\n      .ms-hero h1 { font-size:32px; }\r\n      .ms-btn-secondary { margin-left:0; display:block; margin-top:10px; text-align:center; }\r\n      .ms-btn { display:block; text-align:center; }\r\n    }\r\n  <\/style>\r\n\r\n  <div class=\"ms-hero\">\r\n    <h1>NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)<\/h1>\r\n    <p>NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity \u2014 you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.<\/p>\r\n    <div class=\"ms-btn-wrap\">\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn\">See How We Automate TPRM &rarr;<\/a>\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn-secondary\">Book a NIS2 Assessment<\/a>\r\n    <\/div>\r\n  <\/div>\r\n\r\n  <div class=\"ms-content\">\r\n\r\n    <div class=\"ms-stat-row\">\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">NIS2<\/div>\r\n        <div class=\"ms-stat-label\">requires organisations to actively manage risks across their supply chain<\/div>\r\n      <\/div>\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">24\/7<\/div>\r\n        <div class=\"ms-stat-label\">continuous monitoring detects changes in supplier risk faster than annual reviews<\/div>\r\n      <\/div>\r\n      <div class=\"ms-stat-box\">\r\n        <div class=\"ms-stat-num\">\u20ac10M<\/div>\r\n        <div class=\"ms-stat-label\">maximum NIS2 penalty for essential entities \u2014 or 2% of global annual turnover<\/div>\r\n      <\/div>\r\n    <\/div>\r\n    <p class=\"ms-source-note\">Penalty reference based on NIS2 Article 34: essential entities up to at least \u20ac10,000,000 or 2% of global annual turnover; important entities up to at least \u20ac7,000,000 or 1.4% of global annual turnover. See <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32022L2555\" target=\"_blank\" rel=\"noopener noreferrer\">Directive (EU) 2022\/2555<\/a> and the Dutch <a href=\"https:\/\/www.ncsc.nl\/cyberbeveiligingswet-nis2\" target=\"_blank\" rel=\"noopener noreferrer\">Cyberbeveiligingswet\/NIS2 guidance from the NCSC<\/a>.<\/p>\r\n\r\n    <div class=\"ms-warning-strip\">\r\n      <strong>Note:<\/strong> NIS2 requires governance and oversight by management bodies. Management boards have explicit oversight and accountability obligations. The exact legal consequences, including potential personal management liability, depend on national implementation and specific circumstances. Always have legal claims reviewed before publishing.\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>What NIS2 Requires for Third-Party Risk<\/h2>\r\n      <p class=\"ms-section-intro\">NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain \u2014 including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.<\/p>\r\n\r\n      <div class=\"ms-grid-2\">\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">1<\/div>\r\n          <h3>Supplier Risk Assessments<\/h3>\r\n          <p class=\"ms-card-intro\">Evaluate the cybersecurity posture of critical suppliers and service providers.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Identify critical suppliers, ICT providers, and key service dependencies<\/li>\r\n            <li>Assess supplier cybersecurity policies, controls, and governance practices<\/li>\r\n            <li>Review certifications, audit reports, incident history, and compliance evidence<\/li>\r\n            <li>Classify suppliers based on criticality, access privileges, and business impact<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">2<\/div>\r\n          <h3>Contractual Security Requirements<\/h3>\r\n          <p class=\"ms-card-intro\">Embed cybersecurity obligations into supplier and service-provider agreements.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Include security requirements and incident-response obligations in contracts<\/li>\r\n            <li>Require timely notification of security incidents affecting your organisation<\/li>\r\n            <li>Define audit rights, assurance mechanisms, and compliance verification processes<\/li>\r\n            <li>Address subcontractor and fourth-party risks through contractual controls<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">3<\/div>\r\n          <h3>Continuous Monitoring<\/h3>\r\n          <p class=\"ms-card-intro\">Maintain ongoing visibility into changing cyber risk across your supplier base.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Monitor the external attack surface of critical suppliers<\/li>\r\n            <li>Track changes in security posture, vulnerabilities, and risk indicators<\/li>\r\n            <li>Identify hidden dependencies and unmanaged third-party relationships<\/li>\r\n            <li>Maintain a current supply-chain risk register with remediation tracking<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(d)<\/p>\r\n        <\/div>\r\n\r\n        <div class=\"ms-checklist-card\">\r\n          <div class=\"ms-card-num\">4<\/div>\r\n          <h3>Incident Coordination<\/h3>\r\n          <p class=\"ms-card-intro\">Manage supplier-related incidents and support NIS2 reporting requirements.<\/p>\r\n          <ul class=\"ms-checklist\">\r\n            <li>Assess the impact of supplier incidents on systems, services, and data<\/li>\r\n            <li>Determine whether incidents could trigger NIS2 reporting obligations<\/li>\r\n            <li>Coordinate incident communication and response activities with suppliers<\/li>\r\n            <li>Maintain evidence, remediation records, and incident documentation<\/li>\r\n          <\/ul>\r\n          <p class=\"ms-art21-note\">\u2192 NIS2 Article 21(2)(b), 21(2)(d) and Article 23<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Why Manual TPRM Cannot Scale Under NIS2<\/h2>\r\n      <p class=\"ms-section-intro\">Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.<\/p>\r\n\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udccb<\/div><h3>Spreadsheets Break at Scale<\/h3><p>Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance \u2014 not a spreadsheet from last quarter.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udd0d<\/div><h3>Hidden Dependencies<\/h3><p>Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\u23f1\ufe0f<\/div><h3>Annual Assessments Are Not Enough<\/h3><p>A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udcc4<\/div><h3>Audit Evidence Is Scattered<\/h3><p>Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\ud83d\udd17<\/div><h3>Fourth-Party Risk Is Invisible<\/h3><p>Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.<\/p><\/div>\r\n        <div class=\"ms-pain-card\"><div class=\"ms-pain-icon\">\u2696\ufe0f<\/div><h3>Management Accountability<\/h3><p>NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Business Impact: From Compliance Burden to Operational Advantage<\/h2>\r\n      <p class=\"ms-section-intro\">Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.<\/p>\r\n      <div class=\"ms-grid-4\">\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\ude80<\/div><h3>Faster Audits<\/h3><p>Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udc41\ufe0f<\/div><h3>Continuous Visibility<\/h3><p>See changes in supplier risk as they emerge \u2014 not when you get to next year's annual review.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udcc8<\/div><h3>Board-Ready Reporting<\/h3><p>Translate technical findings into priorities, trends, and decision-ready information for management.<\/p><\/div>\r\n        <div class=\"ms-outcome-card\"><div class=\"ms-outcome-icon\">\ud83d\udee1\ufe0f<\/div><h3>Lower Exposure<\/h3><p>Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-service-cta\">\r\n      <div>\r\n        <div class=\"ms-service-cta-badge\">Magic Stone Solution<\/div>\r\n        <h3>AI-Powered Supply Chain Risk Management \u2014 Powered by Rescana<\/h3>\r\n        <p>Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.<\/p>\r\n      <\/div>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn-white\">See the Service &rarr;<\/a>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>How Magic Stone Solves TPRM for NIS2<\/h2>\r\n      <p class=\"ms-section-intro\">Magic Stone deploys Rescana as part of a practical TPRM programme \u2014 from supplier inventory and risk classification to monitoring, remediation, and management reporting.<\/p>\r\n\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83e\udd16<\/div><h3>Automated Supplier Discovery<\/h3><p>Map your full supplier ecosystem \u2014 including sub-processors and unknown dependencies not captured in existing spreadsheets.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udce1<\/div><h3>Continuous Attack Surface Monitoring<\/h3><p>Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udcca<\/div><h3>Real-Time Risk Scoring<\/h3><p>Prioritise suppliers based on current security posture, criticality, and business impact \u2014 not last year's questionnaire.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83d\udcc1<\/div><h3>Audit-Ready Evidence<\/h3><p>Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\u26a1<\/div><h3>NIS2 &amp; DORA Mapping<\/h3><p>Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.<\/p><\/div>\r\n        <div class=\"ms-sol-card\"><div class=\"ms-sol-icon\">\ud83c\udfc6<\/div><h3>Recognised Innovation<\/h3><p>Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Why Rescana Instead of Traditional TPRM?<\/h2>\r\n      <p class=\"ms-section-intro\">Many TPRM processes are built around questionnaires. That remains useful \u2014 but NIS2 demands better evidence, more current insight, and faster follow-up.<\/p>\r\n      <div class=\"ms-table-wrap\">\r\n        <table class=\"ms-compare-table\">\r\n          <thead><tr><th>Capability<\/th><th>Rescana \/ Magic Stone Approach<\/th><th>Traditional TPRM<\/th><\/tr><\/thead>\r\n          <tbody>\r\n            <tr><td>Supplier discovery<\/td><td><span class=\"ms-yes\">\u2713<\/span> Automated discovery and enrichment<\/td><td><span class=\"ms-partial\">Limited<\/span> Often manual inventory<\/td><\/tr>\r\n            <tr><td>Continuous monitoring<\/td><td><span class=\"ms-yes\">\u2713<\/span> Ongoing external risk signals<\/td><td><span class=\"ms-partial\">Limited<\/span> Often annual assessment<\/td><\/tr>\r\n            <tr><td>NIS2 mapping<\/td><td><span class=\"ms-yes\">\u2713<\/span> Findings mapped to obligations<\/td><td><span class=\"ms-partial\">Limited<\/span> Often manual interpretation<\/td><\/tr>\r\n            <tr><td>Audit evidence<\/td><td><span class=\"ms-yes\">\u2713<\/span> Central dossier with exports<\/td><td><span class=\"ms-partial\">Limited<\/span> Emails, folders, spreadsheets<\/td><\/tr>\r\n            <tr><td>Fourth-party visibility<\/td><td><span class=\"ms-yes\">\u2713<\/span> Focus on chain dependencies<\/td><td><span class=\"ms-no\">\u2717<\/span> Often first-tier only<\/td><\/tr>\r\n            <tr><td>Management reporting<\/td><td><span class=\"ms-yes\">\u2713<\/span> Risk translated into priorities<\/td><td><span class=\"ms-partial\">Limited<\/span> Often technical or fragmented<\/td><\/tr>\r\n          <\/tbody>\r\n        <\/table>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Examples of Audit-Ready Evidence<\/h2>\r\n      <p class=\"ms-section-intro\">A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.<\/p>\r\n      <div class=\"ms-grid-3\">\r\n        <div class=\"ms-proof-card\"><h3>Supplier Inventory<\/h3><p>A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Risk Register<\/h3><p>Categorised risks with owner, impact, likelihood, status, and planned actions.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Supplier Scorecards<\/h3><p>Per-supplier overview of risk score, findings, trends, and relevant evidence documents.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Remediation Tracking<\/h3><p>Open actions, deadlines, ownership, and evidence of follow-up and completion.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Incident Dossier<\/h3><p>Documentation of supplier incidents, impact analysis, communication, and decision records.<\/p><\/div>\r\n        <div class=\"ms-proof-card\"><h3>Board Reporting<\/h3><p>Management summaries with trends, top risks, status, and decision-ready points.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-strip\">\r\n      <strong>NIS2 Article 21(2)(d) \u2014 the core obligation<\/strong><br><br>\r\n      <em>\"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers...\"<\/em><br><br>\r\n      This means supplier risk must be part of your cybersecurity risk-management measures. <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" style=\"color:#57A200;font-weight:700;\">Magic Stone's Supply Chain Risk Management service<\/a> is built to make this demonstrable, scalable, and manageable.\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Frequently Asked Questions about NIS2 and Third-Party Risk<\/h2>\r\n      <div class=\"ms-faq\">\r\n        <div class=\"ms-faq-item\"><h3>What does NIS2 require for third-party risk management?<\/h3><p>NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures \u2014 including security-related aspects of relationships with direct suppliers and service providers.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Do we need to monitor all suppliers?<\/h3><p>Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Does NIS2 require continuous monitoring?<\/h3><p>NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Are spreadsheets sufficient for NIS2 compliance?<\/h3><p>Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>What is the difference between NIS2 and DORA for supplier risk?<\/h3><p>NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>How long does implementation take?<\/h3><p>This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.<\/p><\/div>\r\n        <div class=\"ms-faq-item\"><h3>Can Magic Stone also help with policy and contractual requirements?<\/h3><p>Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2\/DORA reporting.<\/p><\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section ms-links\">\r\n      <h2>Related<\/h2>\r\n      <ul class=\"ms-list\">\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\">Supply Chain Risk Management \u2014 the Magic Stone service<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/what-is-nis2\/\">What is NIS2? \u2014 Plain Language Guide<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-assessment\/\">NIS2 Assessment \u2014 Gap Analysis &amp; Compliance Roadmap<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-checklist\/\">NIS2 Compliance Checklist<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/dora-compliance-made-simple\/\">DORA Compliance<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/partners\/rescana\/\">Rescana \u2014 AI Supply Chain Risk Partner<\/a><\/li>\r\n      <\/ul>\r\n    <\/div>\r\n\r\n    <div class=\"ms-cta\">\r\n      <h2>Ready to Automate Your NIS2 Supply Chain Compliance?<\/h2>\r\n      <p>Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.<\/p>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\" class=\"ms-btn\" style=\"margin-right:10px;\">See the Supply Chain Risk Management Service<\/a>\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn-secondary\" style=\"margin-top:10px;\">Book a NIS2 Assessment<\/a>\r\n    <\/div>\r\n\r\n  <\/div>\r\n<\/section>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"FAQPage\",\r\n  \"mainEntity\": [\r\n    {\"@type\":\"Question\",\"name\":\"What does NIS2 require for third-party risk management?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures \u2014 including security-related aspects of relationships with direct suppliers and service providers.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Do we need to monitor all suppliers under NIS2?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Does NIS2 require continuous monitoring of suppliers?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Are spreadsheets sufficient for NIS2 TPRM compliance?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"What is the difference between NIS2 and DORA for supplier risk?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"How does Magic Stone help with NIS2 third-party risk?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Magic Stone helps organisations with supplier inventory, risk classification, continuous monitoring, evidence management, remediation tracking, and reporting for NIS2 Article 21(2)(d) \u2014 including deployment of Rescana for AI-driven supply chain risk management.\"}}\r\n  ]\r\n}\r\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d) NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity \u2014 you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain. See How We Automate TPRM &rarr; Book a NIS2 Assessment Download Workbook 2026 NIS2 requires organisations to actively manage risks across their supply chain 24\/7 continuous monitoring detects changes in supplier risk faster than annual reviews \u20ac10M maximum NIS2 penalty for essential entities \u2014 or 2% of global annual turnover Penalty reference based on NIS2 Article 34: essential entities up to at least \u20ac10,000,000 or 2% of global annual turnover; important entities up to at least \u20ac7,000,000 or 1.4% of global annual turnover. See Directive (EU) 2022\/2555 and the Dutch Cyberbeveiligingswet\/NIS2 guidance from the NCSC. Note: NIS2 requires governance and oversight by management bodies. Management boards have explicit oversight and accountability obligations. The exact legal consequences, including potential personal management liability, depend on national implementation and specific circumstances. Always have legal claims reviewed before publishing. What NIS2 Requires for Third-Party Risk NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain \u2014 including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate. 1 Supplier Risk Assessments Evaluate the cybersecurity posture of critical suppliers and service providers. Identify critical suppliers, ICT providers, and key service dependencies Assess supplier cybersecurity policies, controls, and governance practices Review certifications, audit reports, incident history, and compliance evidence Classify suppliers based on criticality, access privileges, and business impact \u2192 NIS2 Article 21(2)(d) 2 Contractual Security Requirements Embed cybersecurity obligations into supplier and service-provider agreements. Include security requirements and incident-response obligations in contracts Require timely notification of security incidents affecting your organisation Define audit rights, assurance mechanisms, and compliance verification processes Address subcontractor and fourth-party risks through contractual controls \u2192 NIS2 Article 21(2)(d) 3 Continuous Monitoring Maintain ongoing visibility into changing cyber risk across your supplier base. Monitor the external attack surface of critical suppliers Track changes in security posture, vulnerabilities, and risk indicators Identify hidden dependencies and unmanaged third-party relationships Maintain a current supply-chain risk register with remediation tracking \u2192 NIS2 Article 21(2)(d) 4 Incident Coordination Manage supplier-related incidents and support NIS2 reporting requirements. Assess the impact of supplier incidents on systems, services, and data Determine whether incidents could trigger NIS2 reporting obligations Coordinate incident communication and response activities with suppliers Maintain evidence, remediation records, and incident documentation \u2192 NIS2 Article 21(2)(b), 21(2)(d) and Article 23 Why Manual TPRM Cannot Scale Under NIS2 Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk. \ud83d\udccb Spreadsheets Break at Scale Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance \u2014 not a spreadsheet from last quarter. \ud83d\udd0d Hidden Dependencies Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred. \u23f1\ufe0f Annual Assessments Are Not Enough A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March. \ud83d\udcc4 Audit Evidence Is Scattered Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate. \ud83d\udd17 Fourth-Party Risk Is Invisible Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain. \u2696\ufe0f Management Accountability NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure. Business Impact: From Compliance Burden to Operational Advantage Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible. \ud83d\ude80 Faster Audits Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient. \ud83d\udc41\ufe0f Continuous Visibility See changes in supplier risk as they emerge \u2014 not when you get to next year&#8217;s annual review. \ud83d\udcc8 Board-Ready Reporting Translate technical findings into priorities, trends, and decision-ready information for management. \ud83d\udee1\ufe0f Lower Exposure Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident. Magic Stone Solution AI-Powered Supply Chain Risk Management \u2014 Powered by Rescana Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA. See the Service &rarr; How Magic Stone Solves TPRM for NIS2 Magic Stone deploys Rescana as part of a practical TPRM programme \u2014 from supplier inventory and risk classification to monitoring, remediation, and management reporting. \ud83e\udd16 Automated Supplier Discovery Map your full supplier ecosystem \u2014 including sub-processors and unknown dependencies not captured in existing spreadsheets. \ud83d\udce1 Continuous Attack Surface Monitoring Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk. \ud83d\udcca Real-Time Risk Scoring Prioritise suppliers based on current security posture, criticality, and business impact \u2014 not last year&#8217;s questionnaire. \ud83d\udcc1 Audit-Ready Evidence Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier. \u26a1 NIS2 &amp; DORA Mapping Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable. \ud83c\udfc6 Recognised Innovation Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements. Why Rescana Instead of Traditional TPRM? Many TPRM processes are built around questionnaires. That remains useful \u2014 but NIS2 demands better evidence, more current insight, and faster follow-up. Capability Rescana \/ Magic Stone Approach Traditional TPRM Supplier discovery \u2713 Automated discovery and enrichment Limited Often manual inventory Continuous monitoring \u2713 Ongoing external risk signals Limited Often annual assessment NIS2 mapping \u2713 Findings mapped to obligations Limited Often manual interpretation Audit evidence \u2713 Central dossier with exports Limited Emails,<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"_acf_changed":false,"site-sidebar-layout":"no-sidebar","site-content-layout":"","ast-site-content-layout":"full-width-container","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"class_list":["post-2348","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>NIS2 &amp; Third-Party Risk Management | AI Risk Visibility<\/title>\n<meta name=\"description\" content=\"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NIS2 &amp; Third-Party Risk Management | AI Risk Visibility\" \/>\n<meta property=\"og:description\" content=\"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/\" \/>\n<meta property=\"og:site_name\" content=\"Magic Stone\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MagicStoneNL\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-08T08:01:24+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@magicstone72\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"23 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/nis2-third-party-risk-management\\\/\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/nis2-third-party-risk-management\\\/\",\"name\":\"NIS2 & Third-Party Risk Management | AI Risk Visibility\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#website\"},\"datePublished\":\"2025-07-14T10:31:11+00:00\",\"dateModified\":\"2026-07-08T08:01:24+00:00\",\"description\":\"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/nis2-third-party-risk-management\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/magicstone.nl\\\/en\\\/nis2-third-party-risk-management\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/nis2-third-party-risk-management\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2 & TPRM\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\",\"name\":\"Magic Stone\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#organization\",\"name\":\"Magic Stone\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/MS-logo-txt-1024x683.png\",\"contentUrl\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/MS-logo-txt-1024x683.png\",\"width\":1024,\"height\":683,\"caption\":\"Magic Stone\"},\"image\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/MagicStoneNL\",\"https:\\\/\\\/x.com\\\/magicstone72\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/magicstonecyber\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NIS2 & Third-Party Risk Management | AI Risk Visibility","description":"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/","og_locale":"en_US","og_type":"article","og_title":"NIS2 & Third-Party Risk Management | AI Risk Visibility","og_description":"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.","og_url":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/","og_site_name":"Magic Stone","article_publisher":"https:\/\/www.facebook.com\/MagicStoneNL","article_modified_time":"2026-07-08T08:01:24+00:00","twitter_card":"summary_large_image","twitter_site":"@magicstone72","twitter_misc":{"Est. reading time":"23 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/","url":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/","name":"NIS2 & Third-Party Risk Management | AI Risk Visibility","isPartOf":{"@id":"https:\/\/magicstone.nl\/en\/#website"},"datePublished":"2025-07-14T10:31:11+00:00","dateModified":"2026-07-08T08:01:24+00:00","description":"Manage NIS2 third-party risk with AI-driven visibility. Monitor vendors, detect exposure, and stay compliant with evolving cyber regulations.","breadcrumb":{"@id":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/magicstone.nl\/en\/"},{"@type":"ListItem","position":2,"name":"NIS2 & TPRM"}]},{"@type":"WebSite","@id":"https:\/\/magicstone.nl\/en\/#website","url":"https:\/\/magicstone.nl\/en\/","name":"Magic Stone","description":"","publisher":{"@id":"https:\/\/magicstone.nl\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/magicstone.nl\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/magicstone.nl\/en\/#organization","name":"Magic Stone","url":"https:\/\/magicstone.nl\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/magicstone.nl\/en\/#\/schema\/logo\/image\/","url":"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/04\/MS-logo-txt-1024x683.png","contentUrl":"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/04\/MS-logo-txt-1024x683.png","width":1024,"height":683,"caption":"Magic Stone"},"image":{"@id":"https:\/\/magicstone.nl\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/MagicStoneNL","https:\/\/x.com\/magicstone72","https:\/\/www.linkedin.com\/company\/magicstonecyber"]}]}},"_links":{"self":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/comments?post=2348"}],"version-history":[{"count":5,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2348\/revisions"}],"predecessor-version":[{"id":9268,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2348\/revisions\/9268"}],"wp:attachment":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/media?parent=2348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}