Processor contracts with named clauses.
A controller must use processors that provide sufficient guarantees. The data processing agreement covers subject matter, duration, nature, purpose, data types and the controller's instructions.
SERVICE PRACTICE · VENDOR RISK
Third-party risk management.
Due diligence, contract clauses, ongoing monitoring and exit planning for the vendors that touch your data, your ICT or your operating model. GDPR Art. 28, NIS2 supply-chain, DORA Art. 28 to 30, LkSG.
VENDOR.DESK · LAST 12 MONTHS● LIVE
Vendors assessed1,184
DPAs reviewed627
Critical ICT third parties mapped143
Exit strategies drafted38
Concentration-risk flags raised21
Vendor audits run29
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / PRIMER
Vendor risk obligations.
ICT third-party register and critical mapping.
Financial entities must register every ICT third-party arrangement, identify the ones supporting critical functions and assess concentration risk.
Supply-chain security in the risk-management measures.
Essential and important entities must address supply-chain risks, including the security of supplier relationships and the protection of information shared with them.
GDPR FINES
Up to 4% of turnover
Failure to put adequate processor arrangements in place attracts the higher tier of GDPR Article 83 fines.
DORA SANCTIONS
Up to 1% of daily turnover
Periodic penalty payments for ICT third-party register and concentration-risk failings under the implementing acts.
§ 02 / WHERE IT BITES
Core regulations.
REGIME · WHAT IT REQUIRES
GDPR ART. 28Data processing agreementMandatory clauses for every processor and sub-processor. Sub-processor authorisation, audit rights, transfer mechanism.
GDPR ART. 32Security of processingAppropriate technical and organisational measures, vendor confirmation, evidence on file.
DORA ART. 28ICT third-party registerIdentifier, function supported, criticality, location, sub-contracting, exit strategy. Reported to the supervisor.
NIS2 ART. 21Supply-chain measuresRisk-management measures for the security of the supply chain and the supplier relationships.
REGIME · WHAT IT REQUIRES
DORA ART. 30Contractual provisionsMandatory contract content for ICT services supporting critical functions, including audit, sub-contracting and exit clauses.
LKSGSupply-chain due diligenceRisk analysis, preventive measures, remedial action and reporting for German entities above the threshold.
CSDDDSustainability due diligenceEU-wide due-diligence duty across the value chain, phased application from 2027.
SCC 2021International transfersStandard contractual clauses for third-country transfers, plus transfer impact assessment under Schrems II.
§ 03 / ENGAGEMENT MODELS
Engagement models.
MODEL ARETAINER
Vendor risk retainer
Ongoing programme support: register maintenance, intake reviews, monitoring, board reporting.
- →Vendor register and tiering kept current
- →Intake reviews for new vendors
- →Quarterly monitoring cycle
- →Board and risk-committee reporting
MODEL BBUILD
Programme build
Fixed-scope build for a new programme: register, tiering, DPAs, contract templates, monitoring playbook.
- →Vendor register and tiering
- →DORA Art. 28 register where applicable
- →DPA and ICT contract pack
- →Monitoring playbook and KPIs
MODEL CAUDIT
Vendor audit
Independent audit of a specific vendor or vendor portfolio against contract, regulation and security baseline.
- →Pre-contract due diligence
- →Post-contract audit
- →Concentration-risk review
- →Exit-strategy test
§ 04 / SCOPE
Scope of work.
01 / 04
Intake & due diligence
- Vendor risk questionnaire and scoring
- Security and privacy due diligence
- Sub-processor and sub-contractor mapping
- Transfer-impact assessment for non-EU vendors
02 / 04
Contracts
- GDPR Article 28 data processing agreement
- DORA Article 30 ICT contract terms
- Standard contractual clauses (2021)
- Audit, sub-contracting and exit clauses
03 / 04
Monitoring
- Quarterly monitoring cycle and KPI tracker
- Annual reattestation and SOC 2 / ISO 27001 review
- Vendor incident handling
- Sanctions and beneficial-owner screening
04 / 04
Critical & exit
- DORA criticality assessment
- Concentration-risk review
- Exit-strategy design and test
- Supervisory reporting where required
§ 05 / IN PRACTICEBook a review30 MIN
How we run the programme.
Vendor risk works when the intake, the register and the monitoring are one connected process. We define ownership, design the workflow, write the contract pack and run the monthly status. The register matches what the regulator asks for, and the contract pack matches what the legal team can sign.
Median vendor intake review
5 days
DORA register accepted at first review
94%
DPA library coverage
98%
Active concentration-risk flags closed
100%
FIRM · VENDOR REGISTER STATUSQ2 2026
Active vendors412
Critical ICT vendors (DORA)18
Reattestations on time100%
Open SCC reviews3
Concentration flags0
Vision Compliance · vendor risk practice
§ 06 / SELECTED WORK
See all case studies →Recent engagements.
VR-19INSURANCE
DORA register accepted at first supervisory review.
412
VENDORS
18
CRITICAL
Passed
REVIEW
SCOPERegister build, criticality, exit strategies, contract pack
VR-14SAAS
Processor and sub-processor mapping for 1,100 vendors.
1,100
VENDORS
740
DPAS
47
TIA
SCOPEDPA library, sub-processor inventory, transfer-impact assessment
VR-11RETAIL
LkSG programme rolled out across the European supply base.
T1 + T2
TIERS
286
ASSESSED
62
RISK ACTIONS
SCOPERisk analysis, supplier code, remediation tracker
§ 07 / LANDSCAPE
Vendor risk landscape.
62%
of EU breaches involve a third party
143
ICT third parties in a typical mid-sized bank's DORA register
€4.6M
average cost of a third-party-caused breach
T+15
days to file a DORA register update on a major change
TREND 01
DORA concentration risk in focus
Supervisors flag concentration on a handful of hyperscalers and core providers. Exit strategies and substitutability come into review.
TREND 02
Supply-chain security in NIS2
Essential and important entities must address supplier risk in the risk-management measures. Audits now include supplier evidence.
TREND 03
Sustainability due diligence is next
LkSG already in force in Germany, CSDDD phased application from 2027 across the EU.
§ 08 / FAQ
Common questions.
01Do we need a DORA third-party register if we are not a bank?+
Yes if you are a financial entity under DORA scope. That covers banks, payment institutions, e-money institutions, investment firms, asset managers, insurers and crypto-asset service providers. The register applies to every ICT third-party arrangement, not only the critical ones.
02Can you run the vendor-risk function for us as a service?+
Yes for second-line support. We run intake, register maintenance, monitoring and board reporting under a monthly retainer. The first-line accountability stays with the business owner of each vendor.
03How do you handle international transfers and Schrems II?+
We build the transfer-impact assessment library, apply the 2021 SCCs, add supplementary measures where needed and track non-EU vendors in the register. Reattestation is annual or sooner if the destination country position changes.
04What about LkSG and CSDDD?+
We build the risk-analysis methodology, the supplier code, the preventive and remedial measures, and the annual report. CSDDD readiness is part of the same workstream where the entity is in scope.
05Can you audit a single critical vendor in advance of a supervisory exam?+
Yes. A targeted vendor audit on a single critical provider takes 4 to 6 weeks. Output: a report, a finding list, a remediation tracker and a board-ready summary.
06What if a vendor refuses to sign our DPA?+
We negotiate. The most common cause is overreach on rights that the vendor cannot fulfil. We align the DPA to the realistic operating model and document the residual risk in the register.
§ 09 / RESOURCES
Templates and guides.
TEMPLATE12 PAGES
DORA third-party register starter
Columns, criticality rubric, exit-strategy fields and supervisory reporting mapping.
Open ↓PDF / TEMPLATE
GUIDE22 PAGES
GDPR Article 28 DPA library
Controller, processor and sub-processor templates with annex starter and SCC bridge.
Open ↓PDF / TEMPLATE
CHECKLIST9 PAGES
Vendor intake questionnaire
70-question intake form, scoring rubric and reviewer notes for security and privacy.
Open ↓PDF / TEMPLATE
§ 10 / RELATED
Related practices.
Data Protection (DPO)
GDPR programme, DPIA library and supervisory authority liaison.
Open practice →Cybersecurity & DORA
IKT risk framework, ISMS and supervisory readiness for financial entities.
Open practice →Financial Compliance
Compliance officer support, regulator filings and SREP preparation for financial firms.
Open practice →11 / GET STARTED
Talk to a senior advisor.
Send the brief. We respond with a scoped agenda for the first call.