Vendor Risk Management: Protecting Your Business from Third-Party Vulnerabilities.

Third-party vendors are the fastest-growing attack vector for Irish SMEs. Learn how to assess and manage supplier risk under NIS2 and GDPR obligations.

When a Donegal-based accountancy firm suffered a data breach in 2025, the initial investigation pointed not to their own systems but to a small cloud software provider they had used for client document management. The provider had experienced a breach months earlier but had not notified clients, and the accountancy firm's customer data had been sitting in an exposed state for eleven weeks before anyone noticed. The firm faced a DPC notification requirement, a client relations crisis, and the cost of forensic investigation — all arising from a vendor they had signed up with by clicking "I Agree" on a website, without a single security question asked.

The story is increasingly common across Irish businesses. Supply chain and third-party vendor risk has become one of the fastest-growing attack vectors, and NIS2 now places specific obligations on Irish businesses to address it formally rather than by assumption.

Why Third-Party Risk Matters More Than Ever

Your cybersecurity posture is not bounded by your own systems and staff. Every vendor who has access to your data, every SaaS platform your business relies on, every IT provider who connects to your network — each one extends your attack surface beyond what you can directly control. A breach at any of them can cascade into your business without any action on your part.

The NCSC Ireland has flagged supply chain attacks as a significant and growing threat to Irish organisations, particularly for SMEs that may not have the resources to conduct thorough vendor due diligence without a structured approach.[^1] NIS2 makes this a legal obligation: businesses in scope must implement measures to assess and manage the cybersecurity risks arising from their direct suppliers and service providers. The Data Protection Commission also expects businesses to conduct due diligence on third-party processors handling personal data on their behalf, with appropriate contractual protections in place.[^3]

Could you name, right now, which of your vendors have access to personal data — and when you last checked their security posture? Book a free 20-minute strategy call — we can help you build a proportionate vendor risk programme without turning it into a compliance burden.

What a Vendor Risk Programme Covers

Effective vendor risk management does not require enterprise-scale resources. For an Irish SME, it requires a clear, consistent process applied to the vendors who actually matter most.

Step one: inventory your vendors. Start with a complete list of every third party that has access to your systems or data, or that provides a service critical to your operations. Categorise them by risk level — a payroll processor handling employee data sits in a different risk tier from the supplier of your office coffee machine. Focus your due diligence effort on the top tier: those with access to personal data, those with privileged access to your systems, and those whose unavailability would materially affect your operations.

Step two: ask the right questions before onboarding. For any new vendor in your top tier, a short security questionnaire before signing a contract is standard practice and proportionate effort. The questions do not need to be technical. Ask whether they have a named data protection or security contact, whether they are ISO 27001 certified or equivalent, how they would notify you in the event of a breach, and what subprocessors they use. A vendor that cannot answer these basic questions is a vendor worth reconsidering.

Step three: put security obligations in contracts. A data processing agreement is legally required under GDPR for any vendor processing personal data on your behalf. But your contracts should also include a minimum security standard clause, a breach notification timeline that aligns with your own 72-hour DPC obligation, and a right to request evidence of compliance. If you have not reviewed existing vendor contracts for these clauses, assume they are missing.

Step four: monitor continuously. Due diligence at onboarding is not sufficient if your vendor's circumstances change. Schedule an annual security review for your top-tier vendors, include a "notify us of any material security changes" obligation in contracts, and check whether your critical vendors' security certifications remain current. An Garda Síochána's National Cyber Crime Bureau notes that businesses are often the last to know when a supplier has suffered a breach — proactive notification obligations help close that gap.[^2]

Step five: plan for vendor incidents. Your incident response plan should explicitly cover third-party breach scenarios. If your key cloud provider is breached, what is your immediate response? Who contacts them, using what channel? What data was exposed and what are your notification obligations to the DPC? Running a tabletop exercise that includes a supplier breach scenario surfaces the gaps in this planning before a real incident does.

The NIS2 Dimension

For Irish businesses in scope of NIS2, supply chain security is not optional — it is an Article 21 obligation. You must assess the security practices of your direct suppliers and service providers, and you must include security requirements in contracts. The specific controls required are proportionate to the risk, but the obligation to have a process exists regardless of whether a supplier has ever experienced an incident.

This creates a useful forcing function. A vendor risk programme built to satisfy NIS2 also satisfies GDPR accountability requirements and provides the kind of documented due diligence that cyber insurers increasingly ask for in their applications. One structured process, three compliance outputs.

Your vendor risk posture is what insurers, regulators, and enterprise clients will scrutinise after an incident. Build it now, not then.

What to Do Next

Three actions you can take this month:

  1. Build your vendor inventory. Open a spreadsheet and list every vendor with access to your data or systems. Add columns for data type, access level, and contract review date. For businesses without an existing list, the exercise itself typically reveals two or three vendors that have been forgotten about entirely — and whose access should probably have been revoked.

  2. Review your top five vendors' contracts. Pull the contracts for your highest-risk vendors and check for data processing agreements, breach notification clauses, and security obligations. If they are missing, that is your starting point for renegotiation or at minimum a supplementary security agreement.

  3. Send a short security questionnaire to your two or three most critical vendors. It does not need to be elaborate — five questions about their security practices and breach notification procedures. Their willingness to respond tells you something important on its own.
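The inventory, tiering, contract review and monitoring steps above can be run as a repeatable check rather than a one-off spreadsheet exercise. The script below is an added example written for this article, not a tool from Pragmatic Security; it applies the article's own criteria (personal data, privileged access, operational criticality for the top tier; DPA, breach notification timeline, security clause and audit right for contracts; annual review and current certification for monitoring) to a small vendor list. All vendor names, dates and contract details are constructed for illustration.

```python
"""Vendor risk inventory triage (added example; vendor data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANNUAL_REVIEW = timedelta(days=365)
DPC_DEADLINE_HOURS = 72  # GDPR window for notifying the DPC of a personal data breach


@dataclass
class Vendor:
    name: str
    service: str
    handles_personal_data: bool
    privileged_access: bool             # admin, VPN or remote-support access to your systems
    business_critical: bool             # would an outage materially affect operations?
    has_dpa: bool                       # GDPR data processing agreement in place
    breach_notice_hours: Optional[int]  # contractual notification deadline; None if no clause
    security_clause: bool               # minimum security standard clause present
    audit_right: bool                   # right to request evidence of compliance
    last_review: Optional[date]         # last security review; None if never reviewed
    cert_expiry: Optional[date]         # e.g. ISO 27001 certificate expiry; None if uncertified
    active_user: bool                   # does anyone in the business still use this vendor?


def risk_tier(v: Vendor) -> str:
    """Top tier: access to personal data, privileged access, or operationally critical."""
    if v.handles_personal_data or v.privileged_access or v.business_critical:
        return "top"
    return "standard"


def contract_gaps(v: Vendor) -> list[str]:
    """Clauses the article says a top-tier contract should carry."""
    gaps = []
    if v.handles_personal_data and not v.has_dpa:
        gaps.append("no data processing agreement")
    if v.breach_notice_hours is None:
        gaps.append("no breach notification clause")
    elif v.breach_notice_hours >= DPC_DEADLINE_HOURS:
        gaps.append(f"breach notice at {v.breach_notice_hours}h leaves no margin "
                    f"for the {DPC_DEADLINE_HOURS}h DPC notification")
    if not v.security_clause:
        gaps.append("no minimum security standard clause")
    if not v.audit_right:
        gaps.append("no right to request compliance evidence")
    return gaps


def monitoring_gaps(v: Vendor, today: date) -> list[str]:
    """Continuous-monitoring findings: stale reviews, lapsed certs, forgotten vendors."""
    gaps = []
    if v.last_review is None:
        gaps.append("never reviewed")
    elif today - v.last_review > ANNUAL_REVIEW:
        gaps.append(f"annual review overdue (last {v.last_review.isoformat()})")
    if v.cert_expiry is not None and v.cert_expiry < today:
        gaps.append(f"certification lapsed on {v.cert_expiry.isoformat()}")
    if not v.active_user:
        gaps.append("no active users: revoke access and offboard")
    return gaps


def triage(vendors: list[Vendor], today: date) -> dict[str, tuple[str, list[str]]]:
    """Map vendor name -> (tier, findings) for top-tier vendors with any finding,
    plus any forgotten (inactive) vendor regardless of tier."""
    report = {}
    for v in vendors:
        tier = risk_tier(v)
        findings = monitoring_gaps(v, today)
        if tier == "top":
            findings = contract_gaps(v) + findings
        if findings and (tier == "top" or not v.active_user):
            report[v.name] = (tier, findings)
    return report


TODAY = date(2026, 3, 1)  # constructed "as of" date for the run

SAMPLE_VENDORS = [  # constructed inventory
    Vendor("CloudDocs Ltd", "client document management", True, False, True,
           has_dpa=False, breach_notice_hours=None, security_clause=False, audit_right=False,
           last_review=None, cert_expiry=None, active_user=True),
    Vendor("PayRight", "payroll", True, False, False,
           has_dpa=True, breach_notice_hours=24, security_clause=True, audit_right=True,
           last_review=date(2025, 9, 10), cert_expiry=date(2026, 12, 31), active_user=True),
    Vendor("RemoteFix IT", "managed IT support", False, True, True,
           has_dpa=True, breach_notice_hours=96, security_clause=True, audit_right=False,
           last_review=date(2024, 11, 1), cert_expiry=date(2026, 1, 15), active_user=True),
    Vendor("OldSurveyTool", "survey SaaS trial from 2023", True, False, False,
           has_dpa=False, breach_notice_hours=None, security_clause=False, audit_right=False,
           last_review=None, cert_expiry=None, active_user=False),
    Vendor("BeanBrew", "office coffee machine", False, False, False,
           has_dpa=False, breach_notice_hours=None, security_clause=False, audit_right=False,
           last_review=None, cert_expiry=None, active_user=True),
]

if __name__ == "__main__":
    for name, (tier, findings) in triage(SAMPLE_VENDORS, TODAY).items():
        print(f"{name} [{tier} tier]")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed inventory, the coffee-machine supplier drops out of the report entirely, the payroll processor passes cleanly, and the three remaining vendors surface exactly the gaps the article warns about: a document-management provider with no DPA and no breach clause, an IT provider whose 96-hour notification window would exhaust your own 72-hour DPC deadline, and a forgotten trial account that still holds personal data. The "no active users" check is what turns an inventory into the offboarding list the first action above describes.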

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.