Survey data published in early 2026 reveals that 65% of large organisations now identify third-party and supply-chain vulnerabilities as their single greatest cybersecurity challenge, up from 54% in 2025. The eleven-percentage-point jump reflects not a shift in perception but a response to lived experience: supply-chain attacks have moved from theoretical risk to operational reality for a growing number of enterprises and public bodies across Europe.

The data is consistent with the pattern of incidents observed in the first quarter of 2026. Of the nine major breaches reported across Europe in March 2026, five entered through third-party vectors: compromised vendors, software dependencies, or managed service providers. The most prominent example was the European Commission's own cloud breach, which originated through a supply-chain compromise of the open-source Trivy container scanner and resulted in the exfiltration of over 350 GB of sensitive data from the Commission's AWS environment.

The regulatory response is converging around this risk. The NIS2 Directive requires essential and important entities to address supply-chain security within their risk management measures, including assessing the security practices of their direct suppliers. The Cyber Resilience Act, whose reporting obligations take effect in September 2026, places obligations on manufacturers to maintain vulnerability handling processes that cover components sourced from third parties. And under the GDPR, controllers remain responsible for the processing activities of their processors — meaning that a breach originating through a supplier's compromised software does not reduce the controller's notification obligations or its accountability to data subjects.

For compliance teams, the implication is that third-party risk management can no longer be a procurement-stage checkbox. It requires continuous monitoring, contractual provisions for incident notification, and — crucially — the ability to rapidly assess the impact of a supplier compromise on the organisation's own data processing activities.

Acompli perspective: When a breach enters through a third party, the regulatory obligations remain with you. The question regulators will ask is not whether you could have prevented the supplier's compromise, but whether you understood the risk, managed it proportionately, and responded effectively when it materialised. That requires third-party risk assessments that are current, records of processing that identify which suppliers process personal data and on what basis, and a risk management framework that treats supply-chain exposure as a standing item rather than an annual review.