IT supply chains are complex today: an organization that outsources cloud backup, backup software, hardware maintenance or monitoring to third-party providers depends on those providers' security, availability and compliance. Supply chain security means managing this dependency risk in a structured way rather than treating each provider as a trusted black box.

NIS2 explicitly requires supply chain security measures: assessment of the security practices of ICT third-party providers, minimum contractual cybersecurity requirements and risk-based prioritization of critical suppliers. For financial entities the requirements go further: they must inventory, assess and contractually bind all critical ICT third-party providers, with clauses on audit rights, availability SLAs, exit strategies and data localization.

A structural risk: according to EU supervisory authority analyses (EBA, ESMA, EIOPA), the top 10 ICT third-party providers in the financial sector hold over 85% of critical contracts. Three quarters of these providers originate from third countries — predominantly the US. This concentration creates systemic risks: a failure at one of the large cloud providers can simultaneously affect dozens of financial institutions.

For backup and storage, this means concretely: anyone storing critical backup data with an external cloud provider must verify whether that provider qualifies as a critical ICT third-party provider, whether the contract contains the required clauses (service description, data localization, availability SLAs, audit rights, exit plan) and whether data localization is ensured, meaning both the physical server location and the legal framework the provider is subject to. The transition period for existing contracts runs until 31 December 2026.

Frequently asked questions

When is a backup or storage provider a critical ICT third-party provider?
A provider is critical if its failure would impair critical or important functions of the financial entity. For backup and storage, a provider operating the primary backup infrastructure is generally critical. Cloud backup providers, managed backup services and backup software vendors should each be assessed for criticality; the determination follows from a risk analysis, not from the provider's size or the contract value.

What must a contract with a critical ICT third-party provider contain?
Contracts with critical ICT third-party providers must include at minimum: a description of the services to be provided, data localization (where data is processed and stored), availability SLAs, audit rights (the financial entity must be permitted to audit the provider) and an exit plan (how data is transferred back and deleted at the provider when the contract ends).