Third Party Risk Manager
The Third-Party Risk Manager (TPRM) is responsible for establishing, managing, overseeing and mitigating the information security risks associated with third-party vendors, suppliers, service providers and contractors, in alignment with the NIS2 Directive. This role ensures that external partners meet Belnet’s security standards and policies, comply with NIS2 obligations, and do not introduce unacceptable risks to business operations.
The manager will build and maintain strong relationships with third parties, facilitate risk assessments, and collaborate with internal stakeholders to enhance business resilience against information security threats.
We are only looking for candidates who have actually performed in this role as described here.
Key responsibilities
Third-party supplier security governance: Define and build the governance and processes needed to manage third-party supplier information security risks. Evaluate and classify third parties based on their criticality and the risk they pose to essential services. Assist the CISO and Procurement in developing and maintaining security policies and procedures for supplier security.
NIS2 Compliance: Ensure all third-party relationships adhere to the cybersecurity requirements set out in the NIS2 Directive, including risk management, incident reporting, and supply chain security.
Third-Party Risk Assessment & Management:
- Conduct thorough security due diligence and risk assessments of existing and prospective third-party vendors, focusing on their ability to meet NIS2 standards.
- Maintain an up-to-date risk register and treatment plans of third parties and their risk status as required by NIS2.
- Establish risk scoring methodologies and criteria for vendor categorisation.
- Establish and monitor security performance metrics for key vendors.
- Manage the complete third-party risk lifecycle from onboarding to contract termination.
Contract and Procurement support:
- Collaborate with Procurement and CISO to ensure contracts with third parties include robust cybersecurity clauses, clear incident notification requirements, and audit rights as mandated by NIS2.
- Review and approve cybersecurity clauses in third-party agreements.
- Ensure data protection and privacy requirements are incorporated into vendor contracts.
- Support contract negotiations on security terms and risk allocation.
- Manage security-related service level agreements and penalties.
Supply Chain Security: Develop and maintain processes to identify, monitor, and mitigate cyber resilience risks in the supply chain, ensuring that vendors implement appropriate technical and organisational measures. This includes continuous monitoring of vendor dependencies.
Monitoring & Reporting: Oversee the continuous monitoring of third-party compliance, including KPIs, SLAs, regular reviews, audits, and follow-up on remediation actions:
- Develop and maintain third-party risk dashboards and reporting mechanisms.
- Prepare regular reports for Management, Risk Office and Procurement on third-party risk posture, compliance status, and remediation progress, highlighting any NIS2-related issues.
- Track and report on risk mitigation activities and effectiveness.
Incident Management and Notification: Coordinate with third parties to ensure timely reporting and effective management of security incidents or breach notifications, in line with NIS2 incident notification timelines.
Stakeholder Engagement: Liaise with internal teams (ICT, Risk, Procurement) and external partners to promote a shared understanding of NIS2 requirements and best practices in third-party risk management. Facilitate regular security review meetings with critical suppliers.
Awareness & Training: Oversee the development and delivery of training and awareness programs for third parties on NIS2 obligations and supply chain security, as well as awareness around Belnet’s relevant information security policies.
Qualifications and Experience
- Bachelor’s or Master’s degree in Information Security, Risk Management, Law, or a related field.
- At least 4 years of experience in third-party risk management, cybersecurity, or compliance, preferably in a regulated or governmental environment.
- Familiarity with the NIS2 Directive and its requirements for essential entities.
- Familiarity with ISO/IEC 27001 standard clauses regarding supplier relationship security is strongly desired.
- Experience with supply chain security in general, vendor assessments, and contract negotiations.
- Good knowledge of other information security standards is also an advantage (e.g., NIST, CIS Controls, CCB CyberFundamentals).
- Relevant certifications (e.g., CISM, CISSP, CRISC, ISO 27001 Lead Implementer) or Third-Party Risk Management certifications are advantageous.
- Experience with public tenders is a strong advantage.
- Familiarity with critical infrastructure protection or the EU Cyber Resilience Act is nice to have.
- Experience with GRC platforms is an asset, in particular ServiceNow.
- Excellent communication, negotiation, and stakeholder management skills.
Key Competencies
- Deep understanding of regulatory compliance, especially NIS2.
- Strong analytical and risk assessment skills.
- Experience with conducting and maintaining supplier risk assessments.
- Ability to translate information security requirements into contractual clauses.
- Ability to influence and collaborate with internal and external stakeholders.
- Proactive, detail-oriented, and committed to continuous improvement.
This position was originally posted on Pro Unity.
It is publicly accessible, and we recommend applying directly through the Pro Unity website instead of going through third party recruiters.