A critical supplier is a third party whose products, services, or support are important enough that a failure or compromise could materially disrupt an essential service. The label is about dependency, not just contract size: a small provider can still be critical if the organization cannot deliver without it.
In cyber security, critical suppliers matter because attackers often target the weakest link in a service chain rather than the hardened target itself. A compromised software update reaches every customer that installs it, a managed service provider holds privileged remote access into many client networks, and an outage at a cloud, DNS, or telecom dependency stops services that never touched the attacker at all; each can interrupt operations, leak data, or open a path into larger networks. Defenders reduce this risk by mapping supplier dependencies (including the suppliers behind their suppliers), classifying which vendors are critical, setting security requirements in contracts, monitoring supplier access and incoming updates, and testing continuity plans against the loss of each critical vendor. The key question is not whether a supplier exists, but what happens to the service if that supplier is down, breached, or no longer trustworthy.
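The classification step above can be made mechanical: model the essential service as a dependency tree in which each node needs every group of its dependencies, with several members in a group standing for redundant alternatives, then ask for each supplier (and each pair of suppliers) whether the service survives its loss. The following is an added example written for this page, not code from any vendor or framework; the online-banking service, the supplier names and the annual spend figures are constructed to show that a very cheap supplier can be critical while a very expensive one is not.

```python
"""Added example: classify third-party suppliers by what their loss does to a
service, using a small dependency model. Not from the original page; the
service, supplier names and spend figures below are constructed."""
from itertools import combinations

# Dependency model: node -> list of groups. A node is available only if every
# group has at least one available member (AND of ORs). A one-member group is a
# hard dependency; a multi-member group models redundancy between alternatives.
# Leaf names (never defined as keys) are external suppliers. Assumed acyclic.
DependencyModel = dict[str, list[list[str]]]

# Constructed example: an essential online-banking service and its chain.
SERVICE_MODEL: DependencyModel = {
    "online-banking": [["web-tier"], ["core-ledger"], ["sms-otp"]],
    "web-tier": [["cloud-a", "cloud-b"], ["dns-registrar"]],
    "core-ledger": [["colo-dc"], ["msp-ops"]],
    "sms-otp": [["sms-gw-1", "sms-gw-2"]],
}

# Constructed annual spend, to show that criticality is not contract size.
ANNUAL_SPEND = {
    "cloud-a": 2_000_000, "cloud-b": 900_000, "colo-dc": 400_000,
    "msp-ops": 120_000, "sms-gw-1": 30_000, "sms-gw-2": 25_000,
    "dns-registrar": 150,
}


def is_available(node, model, down, memo=None, visiting=None):
    """True if `node` still works when every name in `down` is unavailable."""
    memo = {} if memo is None else memo
    visiting = set() if visiting is None else visiting
    if node in down:
        return False
    if node in memo:
        return memo[node]
    if node in visiting:
        raise ValueError(f"cyclic dependency through {node}")
    visiting.add(node)
    ok = all(
        any(is_available(dep, model, down, memo, visiting) for dep in group)
        for group in model.get(node, [])
    )
    visiting.discard(node)
    memo[node] = ok
    return ok


def suppliers(model):
    """External suppliers: names that are depended on but never defined."""
    referenced = {d for groups in model.values() for g in groups for d in g}
    return sorted(referenced - model.keys())


def critical_suppliers(service, model):
    """Suppliers whose loss alone makes the service unavailable."""
    return [s for s in suppliers(model) if not is_available(service, model, {s})]


def critical_pairs(service, model):
    """Supplier pairs that take the service down together although neither
    does alone: redundancy that only protects against a single failure."""
    single = set(critical_suppliers(service, model))
    candidates = [s for s in suppliers(model) if s not in single]
    return [
        pair for pair in combinations(candidates, 2)
        if not is_available(service, model, set(pair))
    ]


def classify(service, model, spend):
    """Label each supplier for a supplier register, independent of spend."""
    single = set(critical_suppliers(service, model))
    paired = {s for pair in critical_pairs(service, model) for s in pair}
    report = {}
    for s in suppliers(model):
        if s in single:
            tier = "critical"
        elif s in paired:
            tier = "critical-with-partner"
        else:
            tier = "non-critical"
        report[s] = (tier, spend.get(s, 0))
    return report


if __name__ == "__main__":
    for name, (tier, cost) in classify("online-banking", SERVICE_MODEL, ANNUAL_SPEND).items():
        print(f"{name:14} {tier:22} annual spend {cost:>9,}")
```

Run against the constructed model, the registrar at 150 a year comes out as critical (the web tier has no alternative to it), while the 2,000,000 cloud contract does not, because a second cloud covers it; the pair check then flags that the two clouds, and the two SMS gateways, only protect against one failure at a time, which is the kind of finding a continuity test should exercise. Real models are larger and the hard part is collecting them, but the same AND-of-ORs shape covers shared upstreams too: if both clouds turned out to depend on the same registrar, adding that edge would promote the registrar rather than hide behind the redundancy.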