
When the IT vendor offloads risk onto the client

Tags: NIS2, GDPR, ISO 27001, Supply chain, Professional services, IT vendors, SMEs

GDPR: Arts. 28, 32, 5(2)
ISO/IEC 27001:2022: A.5.19 – A.5.22
NIS2: Art. 21(2)(d)
Real case: April 2026

A real case from late April 2026

The case below is anonymised and some operational details have been abstracted to avoid identifying the parties involved. The dynamic described is representative of situations we encounter regularly in the Italian market.

An Italian professional services firm. Cloud-first architecture: cloud accounting platform, cloud email, cloud document storage, residual on-premise server. Network and perimeter handled by business-grade managed equipment, IDS and IPS active, no ports published to the internet. In short, a reasonable security posture for 2026.

An external IT vendor arrives on-site to install new on-premise equipment. They do not ask about the IP addressing scheme, do not ask whether a dedicated network exists, do not propose their own network infrastructure: the equipment is connected to the same network where accounting and document data flows, with no segmentation. When future remote support is mentioned, the technician closes the discussion with a brief «let’s just set up a VPN» and refers the matter to a colleague over email.

From there, five days of exchanges. The shape of the proposal changes three times: first a site-to-site VPN over TLS, in client mode on the customer side so that the customer retains control over the constraints; then the vendor asks for a client SSL or IKEv2 VPN on the customer firewall; finally, after a discussion with the firm’s owner, the final decision: no permanent VPN, on-demand remote control sessions started by the user when needed, and function-based VLAN segmentation on the roadmap to reduce the risk structurally.

The vendor accepts, but not without objections. Their final email lists four operational concerns about on-demand access (slowdowns, no scheduling, costs, «the proposed solution does not in any way increase security compared to a properly configured client VPN») and closes with «if the client is aware of these issues, no problem». The client is aware. The discussion seems to be over. Actually, this is where the interesting part begins.

The point the vendor misses: whose risk is it?

The vendor reasons as a vendor: their problem is how to access «their» equipment comfortably for maintenance, troubleshooting, updates. A permanent VPN is the workflow that costs them least. From that standpoint their technical argument is not wrong: a client VPN on an enterprise firewall, with source IP restriction, ACLs on ports and protocols, multi-factor authentication, is genuinely a robust solution.

A technical note for more advanced readers: in real enterprise deployments, a client VPN with an identity provider and per-user MFA offers per-person logging and accountability that a site-to-site VPN based on pre-shared key or peer certificate cannot provide. Yet in many SME IT supply chain implementations the client VPN turns into a shared credential installed on the vendor’s working PCs, and that advantage evaporates.

But the security question was not «which VPN do we choose». It was a different one: «who carries the risk this access mode introduces?». And here perspective flips everything. To accept the vendor’s request, the client would have had to:

  • buy and maintain license and configuration of a VPN server on their own firewall;
  • integrate an identity provider with MFA to authenticate the vendor;
  • create and govern a dedicated vendor account, with provisioning, deprovisioning, credential rotation, access audit;
  • define and maintain ACLs, time-based policies, log review on the vendor VPN;
  • absorb the supply chain risk: if the vendor is compromised, the attacker inherits a stable channel into the client network.

All this for a 2026 on-premise piece of equipment, in a firm where everything else is in the cloud. The right question, which the vendor never asked, is: «how can I deliver my support service without asking the client to lower their security posture?». The answers existed: cloud-delivered service, reverse call-home tunnel from the vendor system, unattended remote control sessions that the client can activate, vendor-side bastion host. All of them put the operational cost on the side of whoever delivers the service, which is the right principle.

The right scheme: service → impact → measure → asset

The way the case was solved is not improvisation. It follows the scheme explicitly required by Italian ACN determination 155238/2026 on categorisation of NIS activities and services, and it matches the approach already present in ISO/IEC 27001:2022 (Annex A) and in the GDPR accountability principle. You do not start from the asset, you start from the service and you reach the asset at the end as a derived step.

  • 1. Service. The firm’s core service is advising clients, not the support function delivered by the vendor. That function is important but not vital. Intrinsic relevance category: low or medium, never high.
  • 2. Impact. What happens if the vendor is compromised and someone uses the VPN as a pivot? Vendor equipment compromised: low impact. Lateral pivot into the data network with client files, personal and financial data: high impact. Exfiltration and ransomware: catastrophic. The real risk is not on the support function, it is on the aggregation of equipment and data in the same network.
  • 3. Measure. Three complementary layers. Organisational: on-demand access under user control (drastically reduces the attack window). Architectural: function-based VLAN segmentation (confines the blast radius to the vendor VLAN whatever happens). Contractual: vendor clauses on MFA, access logs, vulnerability notification, sub-suppliers. The three reinforce each other; none is enough alone.
  • 4. Asset. Only now do we discuss specific equipment: managed switches with 802.1Q support, firewall rules, inter-VLAN ACLs. Tools to apply the chosen measures, not the starting point.

The difference is not theoretical. A vendor or consultant starting from assets ends up justifying any vendor request with «client VPN is secure when configured well». A consultant starting from the service asks whether the request is proportionate, and in most cases discovers it is not.

The same principle in three frameworks: GDPR, ISO 27001, NIS2

What this case put into practice is not a NIS2 novelty. It is a principle already written clearly in three regulatory pillars that have coexisted since 2018, each with its own language:

Framework: GDPR
References: Reg. (EU) 2016/679, arts. 5(2), 28, 32
In substance: The controller must select processors offering sufficient guarantees, regulate the relationship with a legal act (DPA), assess the risk of every party processing data on its behalf, adopt technical and organisational measures appropriate to the risk and demonstrate its choices (accountability).

Framework: ISO/IEC 27001:2022
References: Annex A: A.5.19, A.5.20, A.5.21, A.5.22
In substance: Information security in supplier relationships, security measures within agreements, ICT supply chain management, monitoring and review of supplier services. The supplier is treated as an extension of the risk perimeter, with documentary evidence (Statement of Applicability).

Framework: NIS2
References: Directive (EU) 2022/2555, art. 21(2)(d); Italian Legislative Decree 138/2024, art. 24; ACN det. 155238/2026
In substance: Supply chain security among the mandatory measures, registration of relevant suppliers on the ACN platform, categorisation of activities and services before assets, heavy administrative sanctions, documented accountability towards the authority.

Three versions of the same principle: your supplier’s risk is your risk. What changes with NIS2 is not the principle itself: it is the fact that it becomes public, enforceable and sanctioned. Everything else has been an obligation for at least eight years.

Why the professional services firm is the textbook case

Accountants, lawyers, notaries, payroll consultants, doctors, technical studios. By definition they are data controllers of personal data of others, often special category data (article 9 GDPR for health data, and for accountants and payroll consultants for tax, financial and employment data of their clients).

Translated: the firm is not protecting its own data. It is protecting data its clients entrusted to it. In case of a breach, reputational and legal damage falls significantly on the clients who trusted the firm, beyond the firm itself. For this reason the responsibility on selecting IT suppliers is heavier, not lighter, than for a generic SME.

  • GDPR Article 28. The professional firm, as a controller, must select processors offering sufficient guarantees on technical and organisational measures. Accepting whatever the vendor proposes «because that is how it has always been done» is not compliant.
  • GDPR Article 32. Measures must be appropriate to the risk. Opening a permanent VPN to an external IT vendor for a non-vital service is a manifestly disproportionate measure if hundreds of client files are on the other side of the network.
  • GDPR Article 5(2). The accountability principle requires the ability to demonstrate choices. «I opened the VPN because the vendor asked» is not a documentable defence before the supervisory authority in case of breach.
  • ISO/IEC 27001 A.5.19 – A.5.22. Same logic in technical language: supplier registration, formal agreements, security controls in contracts, monitoring. Even those not certified should use it as good practice to document due diligence.

The cascade effect: also for those who are not NIS2 entities

There is a second layer that directly involves professional firms and Italian SMEs, and it is the most underestimated. NIS2 does not apply only to essential and important entities. Through the supply chain security discipline (art. 21(2)(d)), it applies de facto also to their suppliers, through contractual clauses and vendor risk management processes.

Translated: if even a single client of a professional firm is a NIS2 entity (essential or important), the firm is dragged into the client’s obligations contractually, even if as a single entity it does not fall under the NIS scope. The NIS2 client is required to:

  • 1. register the firm as a relevant supplier (ACN det. 127437/2026 on the obligation to list suppliers on the ACN platform);
  • 2. assess the risk of its compromise on its own service (the client’s tax data, payroll, contracts are in the firm’s hands);
  • 3. apply proportionate measures: contractual security clauses, minimum requirements, audit rights, incident notification within strict timeframes;
  • 4. document these assessments and retain evidence for the authority.

Concretely, the firm will start receiving (if it has not already): supplier security questionnaires, contractual clauses with mandatory MFA on systems processing client data, incident notification obligations, requests for documentary evidence (GDPR record of processing activities, security policies, ISO 27001 certifications where possible, attestations of technical measures). If it cannot respond credibly, the NIS client is obliged to renegotiate or replace it.

Two quick figures show the scale. Among Italian NIS entities (important manufacturing SMEs, utilities, healthcare entities, public administration bodies, critical ICT supply chain providers) more than 21,000 are already registered, of which at least 5,000 as essential (figure communicated by ACN at the eighth meeting of the NIS Roundtable, April 2026). How many Italian professional firms do not have at least one such entity among their clients? Very few.

The paradox that closes the loop

And here is the paradox linking this case to the supply chain theme: the professional firm that, in the name of «this is how it has always been done», accepts from an IT vendor a workflow that implicitly transfers cost and risk from the vendor side to the client side, becomes precisely the kind of non-compliant supplier its NIS2 client will have to register, assess and — if it does not get in line within the agreed timeframe — replace.

The same permissiveness the firm shows to its own IT suppliers will be reflected back from its NIS clients who will assess it under opposite criteria. Staying in the supply chain of a NIS entity requires applying the same standards you demand from your own suppliers. And you cannot demand rigour from your clients if you do not apply it to your suppliers.

What to do today: five concrete moves

You do not need an enterprise programme. You need evidence proportionate to size and risk. For a professional firm or SME, five moves cover 90% of the value:

  • 1. Map the IT suppliers. A spreadsheet or page listing those who access systems and data: accounting platform, mail, storage, telephony, hardware maintenance, consultants, external developers. For each: what they handle, how they access, from where.
  • 2. Classify by criticality. Three levels are enough: critical (compromises service continuity or handles sensitive data), relevant, standard. The classification drives the intensity of the measures.
  • 3. Align contracts. For critical suppliers: DPA under GDPR art. 28, minimum clauses on MFA where technically possible, incident notification within reasonable timeframes (24-72 hours), no sub-suppliers without prior notice, documentary audit rights.
  • 4. Track decisions. If a vendor requests an access mode and you decide to accept it with constraints, or to refuse it in favour of an alternative, write down why. Three lines of text are worth gold before a supervisory authority or a client audit. Decision traceability, not bureaucracy.
  • 5. Apply segmentation and least privilege. Even on a modest budget: separate networks by function (production, management, guest), no ports published to the internet if avoidable, on-demand remote access, MFA everywhere, retained logs. Standard technical measures, not frontier research.
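The service → impact → measure → asset reasoning described earlier, together with moves 2 and 4 above (classify by criticality, track decisions), as an added Python example that is not part of the original article: a small proportionality check that turns a vendor access request into a written decision record. The field names, the sensitivity weights and the verdict rules are this example's own assumptions, not an ACN or ISO method.

```python
"""Proportionality check for an IT-vendor remote-access request.
Added example; scoring rules and field names are assumptions of this
example, not a published ACN/ISO method."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    vendor: str
    service_relevance: str      # "low" | "medium" | "high": intrinsic relevance of the supported function
    mode: str                   # "permanent_vpn" | "on_demand_session" | "call_home" | "bastion"
    reaches_data_network: bool  # True if the vendor equipment shares the network with client data
    mfa: bool = False
    shared_credential: bool = False
    data_categories: tuple = ()  # e.g. ("personal", "financial", "special_category")


# Assumed weights: special-category data (GDPR art. 9) weighs more than ordinary personal data.
SENSITIVITY = {"personal": 2, "financial": 2, "special_category": 3}


def impact(req: AccessRequest) -> str:
    """Impact of a vendor compromise, driven by what the channel can reach, not by the equipment."""
    if not req.reaches_data_network:
        return "low"  # blast radius confined to the vendor VLAN
    score = sum(SENSITIVITY.get(c, 1) for c in req.data_categories)
    return "catastrophic" if score >= 5 else "high"


def assess(req: AccessRequest) -> dict:
    """Return a decision record: impact, verdict, findings and the measures to apply (move 4)."""
    findings, measures = [], []
    imp = impact(req)
    permanent = req.mode == "permanent_vpn"
    if permanent and req.service_relevance != "high" and imp in ("high", "catastrophic"):
        findings.append("permanent channel disproportionate to a non-vital support function")
        measures.append("organisational: on-demand sessions started by the user")
    if req.reaches_data_network:
        findings.append("vendor equipment shares the network with client data")
        measures.append("architectural: function-based VLAN segmentation, inter-VLAN ACLs")
    if permanent and not req.mfa:
        findings.append("permanent remote access without MFA")
        measures.append("contractual: MFA, access logs, vulnerability notification")
    if req.shared_credential:
        findings.append("shared credential removes per-person accountability")
        measures.append("contractual: named accounts, credential rotation")
    verdict = "accept" if not findings else "refuse_or_constrain"
    return {"vendor": req.vendor, "impact": imp, "verdict": verdict,
            "findings": findings, "measures": measures}


if __name__ == "__main__":
    # Constructed request mirroring the case: permanent VPN into the network holding client data.
    print(assess(AccessRequest("Vendor X (constructed)", "medium", "permanent_vpn", True,
                               data_categories=("personal", "financial"))))
```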

The closing message for a professional firm in 2026

For a professional firm — accountant, lawyer, notary, doctor, payroll consultant — the question in 2026 is no longer «am I a NIS2 entity?». It is four questions:

  1. How many of my clients are NIS2 entities (essential or important)?
  2. How many of my clients are subcontractors of NIS2 entities, even unknowingly?
  3. Am I able to respond to the security questionnaire that will arrive in the coming months?
  4. Do my IT suppliers put me in a position to respond well, or do they create risks I will then have to explain to the NIS client auditing me?

If the answer to the fourth is negative, the firm has a real problem, and that problem will manifest as loss of clients and credibility long before any administrative sanction. And in either case it will not be a «NIS2» burden: it will be doing properly what GDPR and ISO 27001 have been asking for years.

A certified partner for the IT supply chain

AtWorkStudio has operated from Piacenza since 2000. Certified ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019 and UNI EN ISO 9001:2015, with ACN QC1 qualification for cloud services (Email Security Gateway and Microsoft 365 Backup). Member of Clusit (Italian Association for Information Security) and associate of Confindustria Piacenza in the RICT cluster.

We can support professional firms and SMEs in governing the IT supply chain through a proportionate path: supplier mapping, risk assessment, contractual alignment, definition of acceptable access modes, network segmentation, MFA, decision traceability. We do it from the client side, never from the vendor side.

A note of intellectual honesty: AtWorkStudio is itself an IT vendor, and we apply to ourselves the same principles we ask of others. We publish the list of our sub-suppliers, maintain ISO/IEC 27001:2022, ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certifications (handling of personally identifiable information in the cloud), and have obtained ACN QC1 qualification for cloud services on security measures above baseline. You can preach well if you walk coherently, and we are the first to be judged by the same criteria we propose to our clients.

Sources

  • Regulation (EU) 2016/679 (GDPR) — arts. 5, 28, 32
  • Italian Data Protection Authority (Garante) — Guidelines on processors
  • ISO/IEC 27001:2022 — Annex A, controls A.5.19, A.5.20, A.5.21, A.5.22
  • Directive (EU) 2022/2555 (NIS2) — art. 21(2)(d) supply chain security
  • Italian Legislative Decree 138/2024 — National transposition of NIS2, arts. 24 and 30
  • ACN determination 155238/2026 — Categorisation of NIS activities and services
  • ACN determination 379907/2025 — Baseline security measures for NIS entities
  • ACN determination 127437/2026 — ACN platform procedures and relevant supplier registration
  • ENISA (European Union Agency for Cybersecurity) — Good Practices for Supply Chain Cybersecurity


Does your organisation really govern its IT suppliers?

Start with a free assessment of your security posture based on NIST CSF 2.0. If you want structured support for IT supplier mapping and management under GDPR, ISO 27001 and NIS2, contact us.