Managing third-party risks under EU data protection, cybersecurity laws


Contributors:
Tamás Bereczki
CIPP/E
Partner
BLB Legal
Ádám Liber
CIPP/E, CIPM, FIP
Partner
BLB Legal
For years, third-party and supply chain risks have been among the most significant cybersecurity and legal threats to organizations.
The European Union Agency for Cybersecurity highlights supply chain risks as "prime threats," predicting that the leading cybersecurity issue by 2023 will be the "supply chain compromise of software dependencies," carrying the highest risk score. This arises from increased reliance on third-party suppliers, which introduces new vulnerabilities and attack vectors.
ENISA's March 2024 threat foresight report reiterates these concerns; the global disruptions caused by the CrowdStrike-related outages in July followed.
Over the years, EU lawmakers have implemented legislation focused on enhancing supply-chain security and resilience, addressing third-party risks explicitly to protect against evolving cyber threats.
GDPR
Under the EU General Data Protection Regulation, effective third-party risk management requires implementing data protection measures that align with accountability standards based on a risk-based approach.
Before outsourcing any data processing activities, proper planning and thorough risk assessments are crucial. The data controller must evaluate potential risks in the third party's processing operations, considering the nature of the personal data involved and the specific processing activities. This helps identify vulnerabilities and ensures appropriate safeguards are put in place as needed.
It is essential to correctly define the roles of all parties — whether as data controllers, processors or joint controllers — to ensure each one fully understands its obligations under the GDPR. As per Article 28(1), a data controller can only engage processors that provide adequate guarantees to implement the necessary technical and organizational measures.
In cases involving joint controllers, Article 26 mandates a joint controller agreement that clarifies each party's responsibilities, particularly regarding transparency and the rights of data subjects. For data transfers outside the EU, appropriate mechanisms like standard contractual clauses or other recognized agreements must be used to maintain accountability and data protection.