Supply Chain Risk Management
Annual vendor questionnaires are not enough. NIS2 and DORA demand continuous supply chain oversight. Fig provides real-time vendor risk scoring, shared control mapping, and automated monitoring across your entire supplier base.
Why Annual Questionnaires Fall Short
Point-in-time assessments create a false sense of security
Most organisations still rely on annual security questionnaires - a vendor self-assesses, someone reviews the responses, the results are filed away for 12 months. The approach has three fundamental problems.
1. Stale data. A vendor's security posture can change dramatically in the weeks and months following a questionnaire. Certifications expire, staff leave, new vulnerabilities emerge, and breaches occur. Your annual assessment captures none of it.
2. Unverified by design. Vendors have every incentive to present their security programme in the best possible light. Without independent verification or continuous evidence, you are relying on trust rather than data.
3. Does not scale. An organisation with 50 vendors might manage annual questionnaires manually. An MSP with 200 clients, each managing their own vendor relationships, simply cannot - and critical vendors end up with the same scrutiny as low-risk ones.
NIS2 Supply Chain Requirements
What the directive requires and how Fig helps you comply
What NIS2 Mandates
Article 21(2)(d) requires essential and important entities to implement "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
Maximum penalty for non-compliance: 2% of global annual turnover for essential entities; 1.4% of global annual turnover for important entities.
Regulators expect documented evidence of supply chain activity, not just policies. The directive requires vendor-specific risk assessment - organisations must consider "the vulnerabilities specific to each direct supplier and service provider", not rely on generic questionnaires.
How Fig Helps
The Shared Control Model
Security responsibilities are divided between you and each vendor. Map them explicitly.
Every vendor relationship involves a division of security responsibilities. Some controls belong entirely to your organisation: managing user access to vendor systems, configuring integration security settings, and monitoring data flows. Other controls belong entirely to the vendor: securing their internal infrastructure, patching their systems, and managing their own staff. And some controls are shared: data encryption, incident response coordination, and business continuity planning.
Your Controls: access management, integration configuration, data classification, usage monitoring.
Shared Controls: data encryption, incident response, business continuity, compliance reporting.
Vendor Controls: infrastructure security, patch management, staff vetting, physical security.
Fig maps these responsibilities explicitly for each vendor relationship. The platform ensures that every control has a clear owner and that shared responsibilities have documented expectations on both sides. This prevents the most common supply chain risk failure: controls that both parties assume the other is handling.
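The failure mode described above (a control that both parties assume the other is handling) is easy to detect once the ownership mapping is written down. The following is an added illustration, not Fig's code: a small control register with the three ownership categories from this section, plus a check that reports unowned controls and shared controls where one side has not documented its expectation. The `Owner` labels, the `Control` fields and the sample register are constructed for this example.

```python
"""Control-ownership gap check for a single vendor relationship.

Added example, not Fig's implementation. Owner labels, the Control
record and SAMPLE_REGISTER are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Owner(Enum):
    CUSTOMER = "customer"  # operated entirely by your organisation
    VENDOR = "vendor"      # operated entirely by the vendor
    SHARED = "shared"      # both sides hold part of the responsibility


@dataclass
class Control:
    name: str
    owner: Optional[Owner]            # None means nobody has claimed it
    customer_expectation: str = ""    # what your side commits to (shared controls)
    vendor_expectation: str = ""      # what the vendor commits to (shared controls)


def find_ownership_gaps(controls: List[Control]) -> List[str]:
    """Return one finding per gap: a control with no owner, or a shared
    control where either side has no documented expectation."""
    findings = []
    for c in controls:
        if c.owner is None:
            findings.append(
                f"{c.name}: no owner assigned; both parties may assume the other handles it"
            )
        elif c.owner is Owner.SHARED:
            if not c.customer_expectation:
                findings.append(f"{c.name}: shared control, customer-side expectation undocumented")
            if not c.vendor_expectation:
                findings.append(f"{c.name}: shared control, vendor-side expectation undocumented")
    return findings


# Constructed sample register using the control names from this section.
SAMPLE_REGISTER = [
    Control("Access management", Owner.CUSTOMER),
    Control("Patch management", Owner.VENDOR),
    Control("Data encryption", Owner.SHARED,
            customer_expectation="Classify and encrypt exports before upload",
            vendor_expectation="Encrypt customer data at rest and in transit"),
    Control("Incident response", Owner.SHARED,
            customer_expectation="Notify vendor security contact within 24h of suspected compromise"),
    Control("Business continuity", None),   # nobody has claimed it
]


if __name__ == "__main__":
    for finding in find_ownership_gaps(SAMPLE_REGISTER):
        print(finding)
```

Running the block on the sample register prints two findings: the shared incident-response control is missing the vendor-side expectation, and business continuity has no owner at all. The second is exactly the case the section warns about, and it only surfaces because ownership was recorded explicitly rather than assumed.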
Vendor Risk Scoring Methodology
A transparent, weighted approach to quantifying third-party risk
Fig evaluates each vendor across eight risk dimensions. Each dimension is weighted according to its potential impact on your security posture. The resulting score provides a clear, comparable measure of vendor risk that updates continuously as new information becomes available.
| Factor | Weight | What We Evaluate |
|---|---|---|
| Security certifications held | High | ISO 27001, SOC 2, Cyber Essentials Plus, and other recognised certifications indicate a mature security programme. |
| Patch management cadence | High | How quickly does the vendor apply critical patches? Vendors with defined SLAs and evidence of compliance score higher. |
| Incident history and response | High | Past breach disclosures, response times, and remediation actions reveal operational resilience. |
| Data handling practices | Medium | Encryption standards, data residency, retention policies, and access controls applied to your data. |
| Business continuity planning | Medium | Documented and tested disaster recovery and business continuity plans with defined RPO and RTO targets. |
| Sub-processor management | Medium | How does the vendor manage its own supply chain? Fourth-party risk is increasingly important under NIS2. |
| Contractual security commitments | Medium | Security SLAs, breach notification timelines, audit rights, and liability provisions in vendor contracts. |
| Financial stability | Low | Vendor financial health affects their ability to invest in security and maintain service continuity. |
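To make the weighted methodology above concrete, here is an added example (not Fig's scoring engine) that scores a vendor across the eight factors in the table and re-scores it on a later date after a certification has lapsed, which is the "updates continuously" behaviour the section describes. The page gives only qualitative weights, so the numeric weights (High = 3, Medium = 2, Low = 1), the 0-100 factor rating scale, the rule that each active certification contributes 25 points, the risk bands and the sample vendor data are all assumptions made for this example.

```python
"""Weighted vendor risk score with date-aware re-evaluation.

Added example, not Fig's implementation. Numeric weights, the rating
scale, the certification rule, the risk bands and SAMPLE_* data are
assumptions constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

# The eight factors from the methodology table. High=3, Medium=2, Low=1 (assumed).
WEIGHTS: Dict[str, int] = {
    "certifications": 3,
    "patch_cadence": 3,
    "incident_history": 3,
    "data_handling": 2,
    "business_continuity": 2,
    "sub_processors": 2,
    "contractual": 2,
    "financial_stability": 1,
}


def certification_rating(certs: List[Tuple[str, date]], as_of: date) -> int:
    """Rate the certifications factor 0..100 from certificates still valid on as_of.
    Assumed rule: each active certification contributes 25 points, capped at 100."""
    active = [name for name, expires in certs if expires >= as_of]
    return min(100, 25 * len(active))


def weighted_risk_score(ratings: Dict[str, int]) -> float:
    """Combine per-factor ratings (0 = worst evidence, 100 = best) into a risk
    score where 0 is lowest risk and 100 is highest. A factor with no evidence
    is rated 0, so an unresponsive vendor scores as worst case rather than unknown."""
    total_weight = sum(WEIGHTS.values())
    weighted = sum(WEIGHTS[f] * ratings.get(f, 0) for f in WEIGHTS)
    return round(100 - weighted / total_weight, 1)


def risk_band(score: float) -> str:
    """Assumed thresholds so scores are comparable across vendors."""
    if score <= 30:
        return "low"
    if score <= 60:
        return "medium"
    return "high"


def score_vendor(certs: List[Tuple[str, date]], other_ratings: Dict[str, int], as_of: date) -> float:
    """Score a vendor on a given date: the certifications rating is derived
    from the certificate expiry dates, the remaining factors come from the
    latest assessed ratings."""
    ratings = dict(other_ratings)
    ratings["certifications"] = certification_rating(certs, as_of)
    return weighted_risk_score(ratings)


# Constructed sample vendor: three certifications with expiry dates, plus
# assessed ratings for the other seven factors.
SAMPLE_CERTS = [
    ("ISO 27001", date(2025, 3, 31)),
    ("SOC 2", date(2026, 1, 15)),
    ("Cyber Essentials Plus", date(2025, 6, 30)),
]
SAMPLE_RATINGS = {
    "patch_cadence": 80,
    "incident_history": 60,
    "data_handling": 70,
    "business_continuity": 50,
    "sub_processors": 40,
    "contractual": 60,
    "financial_stability": 90,
}


if __name__ == "__main__":
    for when in (date(2025, 1, 1), date(2025, 7, 1)):
        s = score_vendor(SAMPLE_CERTS, SAMPLE_RATINGS, when)
        print(f"{when}: risk {s} ({risk_band(s)})")
```

With all three certifications valid on 1 January 2025 the sample vendor scores 34.7 (medium); by 1 July 2025 two certificates have expired and, with nothing else changed, the score rises to 43.1. A monitoring job that recomputes the score on a schedule and alerts when it crosses a band, or moves by more than a chosen delta, is the continuous-update element; an annual questionnaire would have reported the January figure for the whole year. Treating missing evidence as a rating of 0 is a deliberate choice: it keeps an unresponsive vendor visible as high risk instead of silently dropping the factor.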
Frequently Asked Questions
Common questions about supply chain risk management and regulatory compliance
What is supply chain risk management?
Supply chain risk management (SCRM) is the practice of identifying, assessing, and mitigating the security risks introduced by third-party vendors, suppliers, and service providers. Every organisation depends on external parties for software, infrastructure, data processing, and professional services. Each of these relationships creates a potential attack vector that must be managed systematically.
What does NIS2 require for supply chain security?
NIS2 (the Network and Information Systems Directive 2) requires essential and important entities to address supply chain security as part of their risk management obligations. Specifically, Article 21(2)(d) mandates "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This means organisations must assess vendor risk, include security requirements in contracts, and monitor third-party compliance on an ongoing basis.
How does Fig differ from annual vendor questionnaires?
Annual questionnaires capture a single point-in-time snapshot that is outdated within weeks. Fig provides continuous monitoring of vendor risk posture through automated evidence collection, real-time certification tracking, and ongoing risk scoring. When a vendor's security posture changes (a new breach, an expired certification, a failed compliance check), Fig updates the risk score automatically and alerts you.
What is the shared control model for supply chain risk?
The shared control model recognises that security responsibilities are divided between your organisation and each vendor. Some controls are entirely your responsibility (access management for vendor systems), some are entirely the vendor's responsibility (their internal infrastructure security), and some are shared (data encryption, incident response coordination). Fig maps these shared responsibilities explicitly for each vendor relationship, ensuring nothing falls through the gaps.
How does Fig score vendor risk?
Fig uses a weighted scoring methodology that evaluates vendors across multiple dimensions: security certifications, patch management cadence, incident history, data handling practices, business continuity planning, sub-processor management, contractual commitments, and financial stability. Each factor is weighted by its impact on your risk posture, and the resulting score is continuously updated as new information becomes available.
Can Fig help us comply with NIS2 Article 21 supply chain requirements?
Yes. Fig maps directly to NIS2 Article 21(2)(d) requirements. The platform helps you maintain a register of critical suppliers, assess their security posture, document security requirements in contracts, monitor compliance on an ongoing basis, and generate evidence of supply chain due diligence for regulators. Fig also tracks the NIS2-specific requirement to consider sub-processor (fourth-party) risk.
How do we handle vendors who refuse to complete security assessments?
Fig provides multiple assessment methods. For cooperative vendors, automated questionnaires with evidence upload work well. For less cooperative vendors, Fig can assess risk using publicly available information: security certifications on record, known breach history, published security practices, and technical indicators. The platform flags unresponsive vendors as higher risk and recommends compensating controls.
What is fourth-party risk and why does it matter?
Fourth-party risk refers to the risk introduced by your vendors' vendors. If your cloud provider relies on a sub-processor that suffers a breach, your data may be affected even though you have no direct relationship with that sub-processor. NIS2 explicitly requires organisations to consider these downstream dependencies. Fig helps you map and monitor these relationships where possible.
How often should vendor risk assessments be updated?
Best practice is continuous monitoring supplemented by formal reassessment at least annually. Critical vendors (those with access to sensitive data or essential services) should be formally reassessed quarterly. Fig automates the continuous monitoring element and sends alerts when a vendor's risk score changes, so you can focus formal review effort where it matters most.
Does Fig support DORA supply chain requirements as well as NIS2?
Yes. DORA (the Digital Operational Resilience Act) has specific requirements for ICT third-party risk management in financial services. Fig maps controls to both NIS2 and DORA supply chain requirements, making it suitable for organisations that fall under both regulatory regimes. The platform helps you maintain the register of ICT third-party providers that DORA mandates.
Take Control of Your Supply Chain Risk
Move beyond annual questionnaires to continuous vendor risk monitoring. Fig helps you meet NIS2 and DORA requirements with automated evidence collection and real-time risk scoring.