When your biggest IT vendor becomes your biggest risk
In early 2025, Jaguar Land Rover faced a scenario that every business dreads: its largest technology supplier, Tata Consultancy Services (TCS), became the source of severe operational disruption. TCS, holding contracts worth approximately £800 million with JLR, had become so deeply embedded in the automaker’s IT infrastructure that when things went wrong, the ripple effects were immediate and painful.
The incident sent a clear message across European boardrooms. If a global manufacturer with billions in revenue can be brought to its knees by a single vendor dependency, what does that mean for small and medium businesses operating with far fewer resources and fallback options?
What happened between TCS and Jaguar Land Rover
TCS had been managing a vast portion of JLR’s IT estate, from enterprise applications to infrastructure services and digital operations. The relationship was particularly notable because both companies sit under the Tata Group umbrella, which on paper should have made collaboration smoother.
Instead, the deep concentration of IT services with a single provider created a dangerous single point of failure. When system failures and migration problems emerged, JLR found itself unable to quickly pivot or bring in alternative support. Manufacturing processes, dealer systems, and internal operations all felt the impact.
The core lesson is not that TCS is a poor supplier. It is that any organisation placing the majority of its critical IT operations in the hands of one vendor — regardless of that vendor’s size or reputation — is accepting a level of risk that can prove catastrophic.
Why vendor risk matters more than ever for European SMBs
Large enterprises like JLR at least have the financial muscle to recover from major IT disruptions. For European SMBs, especially in the Italian market where businesses often rely heavily on a single managed service provider or software vendor, the stakes are proportionally even higher.
The numbers paint a concerning picture
Research from the Business Continuity Institute consistently shows that over 70% of organisations have experienced at least one supply chain disruption involving a technology vendor in the past year. The European Union Agency for Cybersecurity (ENISA) has flagged IT supply chain attacks and dependencies as one of the top threats facing European businesses through 2030.
Meanwhile, Gartner estimates that by 2025, 60% of organisations would be using cybersecurity risk as a primary factor in determining third-party transactions and business engagements. For SMBs, these are not abstract statistics — they translate directly into lost revenue, damaged client relationships, and in some cases, business closure.
A study by the Ponemon Institute found that the average cost of a third-party data breach or service disruption for mid-sized companies exceeds €250,000, a figure that can represent months of revenue for a typical Italian SMB.
The Italian and EU regulatory context
The situation is further complicated by the EU’s evolving regulatory landscape. The NIS2 Directive, which came into effect in October 2024, explicitly requires organisations to assess and manage supply chain cybersecurity risks. This means that vendor risk management is no longer just a best practice — it is a legal obligation for companies operating in critical and important sectors across the European Union.
Italian businesses in sectors like manufacturing, food production, healthcare, and digital infrastructure are directly affected. Even companies not classified as “essential” or “important” under NIS2 may find themselves subject to vendor risk requirements through their supply chain relationships with larger enterprises.
Practical steps to reduce IT vendor dependency
The JLR-TCS case offers a blueprint of what not to do. Here is what European SMBs can do instead to protect themselves.
Audit your current vendor concentration
Start by mapping every critical IT service to its provider. If one company handles your cloud hosting, email, ERP system, and cybersecurity, you have a concentration problem. The goal is not to eliminate all single-vendor relationships — that is often impractical — but to understand where they exist and what the impact would be if that vendor failed.
Build contractual protections
Ensure your IT contracts include clear service level agreements (SLAs) with meaningful penalties, data portability clauses, and exit strategies. Too many SMBs sign multi-year contracts without considering what happens when they need to leave. Your contract should answer one question clearly: if this vendor disappears tomorrow, how quickly can we recover?
Adopt a multi-vendor strategy for critical systems
For mission-critical operations, consider distributing services across at least two providers. This does not mean doubling your costs. It can be as simple as using a different provider for backup and disaster recovery than the one managing your primary infrastructure. Cloud platforms like AWS, Azure, and Google Cloud make this more accessible than ever, even for smaller businesses.
Test your disaster recovery plan
A disaster recovery plan that has never been tested is not a plan — it is a hope. Run tabletop exercises at least once a year that simulate the loss of your primary IT vendor. Identify gaps before a real crisis forces you to discover them.
Monitor vendor health continuously
Do not wait for a contract renewal to assess your vendor’s stability. Set up simple monitoring: watch for news about financial difficulties, major staff changes, acquisition rumours, or service outages affecting other clients. In the age of AI-powered news monitoring, even small businesses can stay informed with minimal effort.
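The audit and multi-vendor steps above can be run as a simple check over a service inventory. The following is an added example, not part of the original article: the inventory, the vendor names, the 50% threshold and the use of a Herfindahl-Hirschman index (HHI) as a concentration score are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample inventory; vendor and service names are placeholders.
# "fallback" is the provider holding backup/DR for the service (None = none).
INVENTORY = [
    {"service": "cloud hosting", "vendor": "msp-one", "critical": True, "fallback": "msp-one"},
    {"service": "email", "vendor": "msp-one", "critical": True, "fallback": None},
    {"service": "erp", "vendor": "msp-one", "critical": True, "fallback": "backup-co"},
    {"service": "endpoint security", "vendor": "sec-two", "critical": True, "fallback": "backup-co"},
    {"service": "website cms", "vendor": "web-three", "critical": False, "fallback": None},
]


def audit_vendor_concentration(inventory, max_share=0.5):
    """Return per-vendor share of critical services, an HHI score and findings.

    max_share is an assumed threshold: a vendor holding more than this
    fraction of critical services is reported as a concentration risk.
    """
    critical = [s for s in inventory if s["critical"]]
    if not critical:
        return {"shares": {}, "hhi": 0.0, "findings": []}

    counts = Counter(s["vendor"] for s in critical)
    shares = {vendor: n / len(critical) for vendor, n in counts.items()}
    # HHI: sum of squared shares; 1.0 means every critical service sits with one vendor.
    hhi = sum(share ** 2 for share in shares.values())

    findings = []
    for vendor, share in sorted(shares.items()):
        if share > max_share:
            findings.append(("concentration", vendor, f"{share:.0%} of critical services"))
    for s in critical:
        if s["fallback"] is None:
            # Nobody can take over if the primary vendor fails.
            findings.append(("no_fallback", s["vendor"], s["service"]))
        elif s["fallback"] == s["vendor"]:
            # Backup/DR fails together with the primary vendor.
            findings.append(("fallback_same_vendor", s["vendor"], s["service"]))
    return {"shares": shares, "hhi": hhi, "findings": findings}


if __name__ == "__main__":
    report = audit_vendor_concentration(INVENTORY)
    print(f"HHI: {report['hhi']:.3f}")
    for kind, vendor, detail in report["findings"]:
        print(f"{kind:22} {vendor:10} {detail}")
```

Each finding maps to a question for the tabletop exercise: what the business does if that vendor, and any fallback it also controls, is unavailable.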
The real cost of ignoring vendor risk
The TCS and Jaguar Land Rover situation is not an isolated incident. It is part of a growing pattern where businesses of all sizes discover too late that their technology supply chain was more fragile than they assumed.
For European SMBs, the combination of increasing digital dependency, tightening EU regulations, and a volatile global supply chain environment makes vendor risk management an urgent priority. The companies that invest in understanding and diversifying their IT supply chain today will be the ones still operating confidently when the next major vendor disruption hits.
The question is not whether your IT vendor will experience problems. The question is whether your business is prepared when it happens.