Vendor & Third-Party Risk Management

Due diligence, DPA agreements, and ongoing assessments under GDPR, NIS2, and DORA

Service overview

Third-party risk management per GDPR (Art. 28), NIS2 (supply chain security), and DORA (ICT third parties). Due diligence, data processing agreements, and continuous assessments.

Our vendor risk services

Vendor due diligence

Assessment of supplier security and compliance capabilities, questionnaires, on-site audits, certification review, and risk scoring.

Data Processing Agreements (DPA)

Drafting and review of DPA contracts with processors per GDPR Art. 28, defining security measures and reporting obligations.

Vendor security assessment

Assessment of supplier technical and organizational measures, penetration testing, vulnerability scanning, and compliance certification review.

Continuous monitoring

Periodic supplier reviews, incident tracking, certification renewal tracking, and re-assessment upon changes.

Vendor incident management

Procedures for supplier incidents, communication protocols, response SLAs, and coordination with your incident response plan.

Regulatory requirements

GDPR Art. 28 (processor agreement): DPA, security measures, sub-processor approval, audit rights

NIS2 (supply chain security): Vendor risk assessment, security controls, incident reporting

DORA (ICT third parties for financial institutions): Due diligence, continuous monitoring, exit strategies, regulatory register

Our process

1. Vendor inventory: Mapping all suppliers processing data or providing critical services.

2. Risk classification: Supplier classification by risk (critical, high, medium, low).

3. Due diligence: Security and compliance assessment for high-risk suppliers.

4. Contractual protection: DPA agreements and security requirements in contracts.

5. Ongoing monitoring: Continuous tracking and periodic reviews.

Frequently asked questions

What is a DPA agreement and when is it required?

A Data Processing Agreement (DPA) is a contract between the controller and processor under GDPR Art. 28. It's mandatory for all suppliers processing personal data on your behalf (e.g., cloud hosting, payroll, CRM).

How do I assess vendor risk?

Risk depends on the type of data they process, service criticality, access to your systems, and their security measures. Critical suppliers require detailed due diligence and audits.

What does DORA require for ICT third parties?

DORA (Digital Operational Resilience Act) sets strict requirements for financial institutions: pre-contract due diligence, continuous monitoring, exit strategies, register of critical ICT suppliers, and regulator reporting.

How often should I review suppliers?

GDPR doesn't specify exact timelines, but best practice is annual review for critical suppliers, every 2-3 years for less critical ones. DORA requires continuous monitoring of critical ICT suppliers.

Manage vendor risks systematically

Typical outcomes: vendor inventory, risk scoring, DPAs ready, critical supplier assessments.

Vendor & Third-Party Risk Management | Vision Compliance