Managing third-party cyber risk: Insights from PwC’s Digital Trust Insights Survey

  • Insight
  • 6 minute read
  • December 10, 2025
Leonard McAuliffe

Partner, PwC Ireland (Republic of)

Will O'Brien

Director, PwC Ireland (Republic of)

Building cyber resilience against third-party risk

PwC’s Global Digital Trust Insights Survey 2026 reveals that third-party breaches are a critical cyber threat to Irish organisations.

With regulations such as DORA, the NIS 2 Directive and CERD reshaping the landscape, businesses must move beyond compliance to embed proactive resilience.

In this article, we examine how firms can safeguard operations and enable sustainable growth by:

  • strengthening third-party risk management

  • aligning with evolving regulations

  • building comprehensive cyber resilience.

Third-party breaches: the fastest-rising cyber threat

Third-party breaches have surged to the forefront of Irish organisations’ cyber threat landscape, with 48% of respondents identifying them as their most significant exposure. 

This reflects a global shift. As digital supply chains and ecosystems grow increasingly interconnected, threat actors are exploiting vulnerabilities beyond company firewalls, targeting suppliers, vendors and partners to gain entry.

Despite the escalating risk, only 28% of organisations worldwide feel adequately prepared to address these exposures, highlighting a critical readiness gap.

Firms adapt vendor strategies, but need to do more

In response to the growing threat, 32% of Irish organisations are actively changing vendors or suppliers to reduce risk linked to third-party locations. This exceeds the global (26%) and Western European (27%) figures.

This shift signals growing recognition that effective cyber defence extends beyond organisational borders into a wider ecosystem. But changing vendors is insufficient without rigorous and continuous oversight to manage evolving threats effectively.

Formalising third-party risk management is critical 

Many organisations still lack mature third-party risk management (TPRM) programmes capable of continuously identifying and mitigating evolving supplier risks. 

Among Irish firms, 35% plan to adopt managed security services that provide specialist expertise and continuous monitoring. But most have yet to deploy scalable internal frameworks to manage these risks proactively. 

Without continuous due diligence, monitoring and integrated incident response across the supply chain, critical blind spots remain. As ecosystems become more interconnected and complex, embedding formal TPRM is no longer optional. It’s essential for sustainable cyber resilience.

The strategic imperative: proactive ecosystem governance

Staying ahead of rapidly evolving third-party cyber threats is vital. Success requires breaking down silos, integrating TPRM into enterprise risk frameworks and driving continuous improvement.

These insights outline a clear path for Irish organisations: 

  1. implement rigorous third-party risk governance
  2. gain real-time ecosystem visibility
  3. align insurance with comprehensive mitigation strategies. 

Regulations demand resilience, not just compliance

European regulations such as DORA, NIS 2 and CERD signal a profound shift from compliance-focused to strategic, operational cyber resilience. 

These frameworks require organisations to embed resilience into their operations, not just to comply, but to survive and thrive in a volatile threat landscape.

Yet readiness remains low. Only 2% of organisations globally have implemented all 12 recommended resilience actions. Many still lean on reactive measures such as incident response and recovery, rather than investing in proactive capabilities such as continuous monitoring, scenario testing and workforce training.

This imbalance leaves organisations exposed to significant operational, regulatory, and reputational risks.

Cyber talent is a foundation of resilience

Cyber resilience depends not just on technology but on people.

Irish organisations face ongoing challenges in cyber skills availability. Our survey reveals that 54% prioritise upskilling and reskilling programmes, while 43% are investing in continuous employee training to build internal capabilities that strengthen defence across the organisation.

Proactive investment for long-term resilience

While cybersecurity is fundamentally about readiness, only 24% of organisations globally prioritise proactive investment in threat detection and prevention. 

In Ireland, just 8% significantly prioritise proactive measures, while 83% maintain an even split between proactive and reactive approaches. This reactive-heavy posture risks higher long-term costs, including:

  • breach recovery

  • litigation

  • reputational damage

  • regulatory penalties.

The opportunity is clear

Shifting the focus towards proactive defence through monitoring, testing, training and governance isn’t just smarter; it’s more sustainable. With 78% of global respondents planning to increase their cyber budgets in 2026, now is the time to invest in forward-thinking strategies that protect operations against third-party threats and enable growth.

Key actions businesses can take today

1. Embed third-party risk governance into your enterprise strategy. 

Move beyond vendor checklists. Develop a dynamic TPRM programme integrating:

  • risk segmentation

  • continuous monitoring

  • strong contractual requirements. 

Embedding cyber resilience into enterprise risk management allows decisive action and reduces blind spots across your complex ecosystem.

2. Align your operational resilience roadmap with evolving TPRM regulations. 

Map your critical assets and business dependencies to translate DORA, NIS 2 and CERD requirements into tailored governance and incident response capabilities. 

Early alignment reduces compliance friction and strengthens your ability to sustain operations during cyber incidents.

3. Build agile TPRM capabilities by combining talent development with managed services. 

Close critical TPRM skills gaps by combining targeted upskilling of internal teams and strategic partnerships with managed service providers. 

This dual approach accelerates expert access while growing internal capabilities for rapid risk adaptation.

4. Integrate TPRM risk analytics into decision-making to drive resilience. 

Use data-driven insights to continuously monitor third-party risk exposures and operational performance. 

Embedding third-party risk into strategic decision-making enables timely risk mitigation and informs effective resource allocation.

We’re here to help you

Cyber resilience is key to confident growth in today’s complex risk environment. At PwC Ireland, we help organisations: 

  • build robust third-party risk frameworks

  • navigate evolving regulatory demands

  • shift toward proactive cyber strategies. 

Whether enhancing supply chain visibility or preparing for DORA and NIS 2 compliance, our team is ready to support your journey. Let’s work together to strengthen your resilience and safeguard your future.
