**5.1 Methods to assess the cyber risk across chains**

Because of these characteristics, RM must be performed not only at company level but also as a collaborative assessment across CI/CII service chains. Several studies aim to establish a method for assessing the cyber-security risk across chains of CI/CII operations [38, 39].

The Dutch chain analysis method [39] was developed by a group of CI operators in the energy sector. Their belief was that the organizations in a supply chain are together in the best position to define and deploy appropriate controls and initiatives to reduce cyber-security risk themselves. The method aims to provide insight into the cyber-security risk within a supply chain. It uses a layered approach: it first examines the risks that arise from the ICT/OT systems and their interconnections, and then the risk these pose to the chain of business processes of the participating organizations. Risks identified at the business-process level can ultimately disrupt the continuity of the entire supply chain of one or more critical or essential CI/CII services. By combining and merging the risks identified in the business processes of each organization, which should include that organization's own third-party risk to those processes, the overall risk to the supply chain can be assessed (see **Figure 4**).

The aforementioned EURAM/EURACOM method [38] takes a similar approach. It combines three components to assess risk at an aggregated level, starting from the RAs performed by the individual organizations and embedding the lower-level RA results by mapping the identified risks onto the higher level.
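The layered roll-up that both methods describe (ICT/OT systems and their interconnections, the business processes of each organization including its third-party dependencies, and the chain services running across those processes) can be made concrete with a small dependency model. The Python below is an added example written for this page, not code from [38] or [39]: the organizations, systems, likelihood figures, impact scale and the worst-case likelihood-times-impact combining rule are all assumptions made for illustration. It traces a single compromised system through the three layers and then rolls the per-organization RA inputs up to a chain-level figure per service.

```python
"""Illustrative three-layer chain-risk roll-up (added example; not the method of [38] or [39])."""
from collections import defaultdict
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Layer 1: ICT/OT systems. Edges point from a system to the systems it depends on,
# including interconnections that cross organizational boundaries and a third-party
# (cloud) identity service. All names are constructed for this example.
SYSTEM_DEPS: Dict[str, Set[str]] = {
    "ProdCo/SCADA":     {"ProdCo/Historian", "CloudVendor/IAM"},
    "ProdCo/Historian": set(),
    "CloudVendor/IAM":  set(),                  # third-party service used by two organizations
    "TransCo/SCADA":    {"TransCo/Gateway", "CloudVendor/IAM"},
    "TransCo/Gateway":  {"ProdCo/Historian"},   # receives measurements from the upstream operator
    "DistCo/DMS":       {"TransCo/Gateway"},
}

# Layer 2: business processes per organization and the systems each one needs.
PROCESS_DEPS: Dict[str, Set[str]] = {
    "ProdCo/Production":   {"ProdCo/SCADA"},
    "TransCo/Transport":   {"TransCo/SCADA"},
    "TransCo/Balancing":   {"TransCo/Gateway"},
    "DistCo/Distribution": {"DistCo/DMS"},
}

# Layer 3: chain services and the business processes (across organizations) they run over.
CHAIN_SERVICES: Dict[str, Set[str]] = {
    "GasSupply":     {"ProdCo/Production", "TransCo/Transport", "DistCo/Distribution"},
    "GridBalancing": {"TransCo/Balancing", "DistCo/Distribution"},
}

# Per-organization RA outputs (assumed scales): annual likelihood that a system is
# compromised, and the impact of losing a chain service on a 1..5 scale.
SYSTEM_LIKELIHOOD: Dict[str, float] = {
    "ProdCo/SCADA": 0.10, "ProdCo/Historian": 0.20, "CloudVendor/IAM": 0.30,
    "TransCo/SCADA": 0.10, "TransCo/Gateway": 0.25, "DistCo/DMS": 0.15,
}
SERVICE_IMPACT: Dict[str, int] = {"GasSupply": 5, "GridBalancing": 3}


def _dependents(system_deps: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the dependency graph: system -> systems that depend on it."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for system, deps in system_deps.items():
        for dep in deps:
            rev[dep].add(system)
    return rev


def affected_systems(seed: str, system_deps: Dict[str, Set[str]] = SYSTEM_DEPS) -> FrozenSet[str]:
    """Layer 1: every system that fails (transitively) when `seed` is compromised."""
    rev = _dependents(system_deps)
    seen: Set[str] = set()
    stack = [seed]
    while stack:
        system = stack.pop()
        if system in seen:
            continue
        seen.add(system)
        stack.extend(rev[system])
    return frozenset(seen)


def disrupted_processes(failed: FrozenSet[str],
                        process_deps: Dict[str, Set[str]] = PROCESS_DEPS) -> FrozenSet[str]:
    """Layer 2: business processes that lose at least one system they depend on."""
    return frozenset(p for p, deps in process_deps.items() if deps & failed)


def disrupted_services(processes: FrozenSet[str],
                       chain_services: Dict[str, Set[str]] = CHAIN_SERVICES) -> FrozenSet[str]:
    """Layer 3: chain services that lose at least one of their business processes."""
    return frozenset(s for s, procs in chain_services.items() if procs & processes)


def chain_risk(likelihood: Dict[str, float] = SYSTEM_LIKELIHOOD,
               impact: Dict[str, int] = SERVICE_IMPACT) -> Dict[str, Tuple[float, Optional[str]]]:
    """Roll-up: for each chain service, the worst single-system scenario as
    (likelihood * impact, originating system). The max-over-systems rule is an assumption."""
    result: Dict[str, Tuple[float, Optional[str]]] = {}
    for service, imp in impact.items():
        worst: Tuple[float, Optional[str]] = (0.0, None)
        for system, lik in likelihood.items():
            hit = disrupted_services(disrupted_processes(affected_systems(system)))
            if service in hit and lik * imp > worst[0]:
                worst = (lik * imp, system)
        result[service] = worst
    return result


if __name__ == "__main__":
    for system in SYSTEM_DEPS:
        services = sorted(disrupted_services(disrupted_processes(affected_systems(system))))
        print(f"{system:18s} -> {services}")
    for service, (score, origin) in chain_risk().items():
        print(f"{service}: {score:.2f} via {origin}")
```

Two things the roll-up shows that a single organization's RA does not: the third-party identity service is the top risk to the GasSupply chain even though it belongs to none of the operators, and the upstream historian, a low-impact system from ProdCo's own point of view, disrupts every process in the chain because TransCo's gateway consumes its data.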

**Figure 4.** *Visualization of the Dutch supply chain risk management method (from [39]).*

Note that, due to the hidden nature of ICT and OT within CI and CII, RM across the chain requires a large effort and a combination of expertise from all stakeholders to assess this risk and define appropriate mitigating measures, as is highlighted by the aforementioned Dutch supply chain RA pilot [39]: "*Providing insight into the cyber security risk within a supply chain requires a level of commitment of all organizations involved. It is paramount that in addition to the availability of adequate resources sufficient trust exists between organizations to share sensitive information among each other*."
