GDPR requires DPA agreements with processors. NIS2 requires supply chain security. DORA mandates ICT vendor oversight. We help organizations systematically manage third-party risks across all regulations.

Assessment of vendor security measures, compliance posture, and reliability before and during engagement.
Drafting and review of data processing agreements with processors — security measures, sub-processors, and audit rights.
Technical and organizational measures review, certifications, vulnerability testing, and risk scoring for each vendor.
Supply chain risk assessments per NIS2 requirements — security controls, incident coordination, and continuity.
ICT vendor register, exit strategies, continuous monitoring, and reporting per DORA requirements.
Periodic vendor audits, incident tracking, certification renewal monitoring, and re-assessment upon changes.
Your vendors are part of your regulatory obligation framework — failures in third-party oversight lead to serious consequences:
Controllers are liable for processor actions. Without DPA agreements and oversight, the supervisory authority can fine you up to €10M or 2% of turnover (Art. 83(4)) — not the vendor.
62% of data breaches involve third parties. A vendor incident triggers your obligation to notify the supervisory authority within 72 hours and inform affected individuals.
NIS2 requires supply chain security management. Inadequate vendor assessments mean non-compliance with the directive and potential sanctions.
A critical vendor failure or incident can halt your operations. Without exit strategies and continuity plans, recovery can take weeks.
Three key regulations set requirements for vendor and third-party risk management across the EU.
We map all vendors that process personal data, provide IT services, or have access to your systems. We classify them by risk level: critical, high, medium, low.
For high-risk and critical vendors, we conduct detailed assessments: security measures, certifications, data protection policies, incident plans, and financial stability.
We draft DPA agreements per GDPR Art. 28, define security requirements in contracts, establish audit rights, and set up vendor incident procedures.
We establish a system for periodic vendor reviews, incident tracking, certification renewal monitoring, and re-assessment upon significant changes.

A Data Processing Agreement (DPA) is a mandatory contract under GDPR Art. 28 between a controller and a processor. It's required for all vendors that process personal data on your behalf — cloud hosting, payroll providers, CRM, email marketing, analytics, and similar services.
Under GDPR, the controller (your organization) is liable for the processor's actions. If a vendor causes a data breach, you are responsible for notifying the supervisory authority within 72 hours and informing affected individuals. That's why DPA agreements and vendor oversight are critical.
Risk is assessed based on: type of data processed (personal, special categories), criticality of the service to your operations, access to your systems, security measures in place, and certifications (ISO 27001, SOC 2). Critical vendors require detailed due diligence.
NIS2 Art. 21 requires entities to assess supply chain security, including: identifying critical vendors, assessing their security practices, setting contractual security requirements, and coordinating incident reporting. This particularly affects entities in energy, transport, healthcare, and digital infrastructure.
DORA sets strict requirements: pre-contract due diligence for ICT vendors, continuous monitoring of ICT providers, a register of all ICT contractual arrangements for the regulator, exit strategies for critical ICT services, and resilience testing including vendor dependencies.
Recommended cadence: annual review for critical vendors, every 2 years for high-risk, every 3 years for others. Additional review is needed upon significant changes — new sub-processor, security incident, service change, or certification expiry.
An exit strategy defines how to terminate a vendor relationship without data loss or service interruption. DORA requires it for critical ICT vendors. It includes: data migration plan, transition timelines, alternative vendors, and procedures for data return or deletion.
GDPR Art. 28 requires that processors obtain your prior approval for sub-processor engagement. Your DPA should define the approval process and obligation to notify about new sub-processors. For critical data, we recommend assessing key sub-processors directly.
Cloud vendors (AWS, Azure, Google Cloud) require special attention: verify data location (EU/EEA), DPA agreement with adequate standard contractual clauses, certification review (ISO 27001, SOC 2), understanding the shared responsibility model, and evaluating sub-processors.
Vendor inventory and classification: 2-4 weeks. Due diligence for critical vendors: 4-6 weeks. DPA agreements: 2-4 weeks per group. Continuous monitoring system setup: 2-3 weeks. We start immediately with critical vendors and DPA agreements.
Free initial meeting to assess your third-party risks. Vendor inventory, DPA agreements, and assessments — we start immediately.