Vendor Risk Assessment

Evaluate a third-party vendor's security posture across 6 categories. Get a risk score, gap analysis, tier classification, and contractual recommendations.

Why Vendor Risk Assessment Matters

Third-party risk is one of the fastest-growing areas of cybersecurity concern. According to industry research, over 60% of data breaches involve a third-party vendor in some capacity — whether through compromised credentials, vulnerable software, or inadequate security practices at a service provider.

Regulations have responded to this reality. NIS2 Article 21(2)(d) explicitly requires covered entities to address supply chain security, including the security aspects of relationships with direct suppliers and service providers. GDPR Article 28 requires controllers to use only processors that provide sufficient guarantees of appropriate technical and organizational measures. DORA Article 28 goes even further for financial entities, requiring a formal register of all ICT third-party arrangements reported to the competent authority.

Beyond compliance, vendor risk assessment is simply good business practice. A single vendor security failure can disrupt your operations, expose your customers' data, trigger regulatory investigations, and damage your reputation — regardless of whether the fault lies with your organization or the vendor.

How to Assess Vendor Security

1. Classify the Vendor

Not all vendors carry the same risk. The first step is classifying vendors by criticality and data exposure. A cloud provider hosting your customer database requires far more scrutiny than a supplier of office furniture. Our tool uses a three-tier classification (Critical, Important, Standard) that determines the depth of assessment and ongoing monitoring required.

2. Evaluate Security Controls

Core security controls include certifications (ISO 27001, SOC 2 Type II), encryption practices, authentication requirements, vulnerability management, and penetration testing. Certifications provide independent validation but should not be the only measure — ask for specifics about how controls are implemented and maintained.

3. Assess Incident Response Capability

When a vendor suffers a security incident, your organization is affected too. Key questions include: Does the vendor have a documented incident response plan? How quickly will they notify you? Have they been breached before, and what did they learn from it? Under NIS2, your organization may need to report vendor-related incidents to authorities within 24 hours — which means you need rapid notification from your vendors.

4. Verify Compliance and Legal Protections

Ensure the vendor can meet your regulatory obligations. For GDPR, this means a Data Processing Agreement. For NIS2, it means contractual security requirements and incident notification clauses. For DORA-regulated financial entities, specific contractual provisions under Article 30 are mandatory. Right-to-audit clauses are essential for critical vendors.

5. Review Business Continuity

Can the vendor maintain service during disruptions? Evaluate their disaster recovery plans, SLA commitments, geographic redundancy, and financial stability. Also confirm that data can be exported or migrated if you need to switch vendors — exit strategies are a NIS2 and DORA requirement for critical service providers.

6. Examine the Supply Chain

Your vendors have vendors too. Understanding the subprocessor chain is important because a vulnerability anywhere in the chain can affect you. Key concerns include whether the vendor discloses subprocessors, whether you are notified of changes, and whether subprocessors are held to the same security standards.

Vendor Risk Assessment Best Practices

Assess before you engage. The worst time to discover a vendor's security gaps is after they already have access to your data. Build security assessment into your procurement process, not as an afterthought.

Monitor continuously, not just at onboarding. A vendor that passes an initial assessment can deteriorate over time. Establish ongoing monitoring proportionate to the vendor's tier — quarterly reviews for critical vendors, annual for standard ones.

Document everything. Maintain a vendor risk register with assessment results, contract details, risk ratings, and remediation actions. This is not just good practice — NIS2 and DORA explicitly require documentation of third-party risk management activities.

Have an exit plan. For every critical vendor, document how you would transition away if needed. This includes data migration procedures, alternative providers, and timeline estimates. The best time to negotiate exit terms is before you sign the contract.

Frequently Asked Questions

How often should I assess vendors?

Critical vendors should be assessed at least annually with a full review, and monitored quarterly. Important vendors should be assessed annually. Standard vendors can be assessed every two years or at contract renewal. Additionally, reassess any vendor after a security incident, major change in services, or change in data access.

What if a vendor refuses to answer security questions?

A vendor that refuses to engage with security assessments is a red flag. For critical or important vendors, this should be a disqualifying factor. At minimum, any unanswered questions should be treated as "No" in your assessment — meaning the control is assumed to be absent. Document the vendor's refusal and escalate the risk to management for a decision.
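The six assessment steps above and the two FAQ rules (unanswered questions count as "No", review cadence follows the tier) can be expressed as a small scoring model. The Python below is an added example written for this page, not ClevSec's tool or its scoring formula: the questionnaire, weights, tier rule and recommendation mapping are assumptions, and the sample vendor answers are constructed.

```python
"""Toy vendor risk model: tier classification, weighted gap scoring, gap
analysis and contractual recommendations. Added example, not ClevSec's tool;
the questionnaire, weights and tier rule are assumptions."""
from dataclasses import dataclass

# question id -> (assessment category, weight). Constructed for this example.
QUESTIONS = {
    "iso27001_or_soc2":           ("security_controls",   3),
    "encryption_at_rest":         ("security_controls",   2),
    "mfa_required":               ("security_controls",   2),
    "pentest_annual":             ("security_controls",   2),
    "ir_plan_documented":         ("incident_response",   3),
    "notify_within_24h":          ("incident_response",   3),
    "dpa_signed":                 ("compliance_legal",    3),
    "right_to_audit":             ("compliance_legal",    2),
    "dr_plan_tested":             ("business_continuity", 2),
    "data_export_supported":      ("business_continuity", 2),
    "subprocessors_disclosed":    ("supply_chain",        2),
    "subprocessor_change_notice": ("supply_chain",        1),
}

# Review cadence in months, following the FAQ: Critical = annual full review
# plus quarterly monitoring, Important = annual, Standard = every two years.
REASSESS_MONTHS = {"Critical": 12, "Important": 12, "Standard": 24}
MONITOR_MONTHS = {"Critical": 3, "Important": 12, "Standard": 24}


def classify_tier(handles_personal_data: bool, operationally_critical: bool) -> str:
    """Step 1: derive the tier from data exposure and criticality (assumed rule)."""
    if handles_personal_data and operationally_critical:
        return "Critical"
    if handles_personal_data or operationally_critical:
        return "Important"
    return "Standard"


@dataclass
class Assessment:
    vendor: str
    tier: str
    risk_score: int   # 0 = every control present, 100 = every control absent
    gaps: list        # (question_id, category, "absent" | "unanswered")
    recommendations: list


def assess(vendor: str, tier: str, answers: dict) -> Assessment:
    """Score the questionnaire. A missing or None answer counts as "No" (the
    control is assumed absent) but is flagged separately so it can be chased."""
    total_weight = sum(w for _, w in QUESTIONS.values())
    missing_weight = 0
    gaps = []
    for qid, (category, weight) in QUESTIONS.items():
        answer = answers.get(qid)  # None when the vendor did not answer
        if answer is True:
            continue
        missing_weight += weight
        gaps.append((qid, category, "unanswered" if answer is None else "absent"))
    score = round(100 * missing_weight / total_weight)
    return Assessment(vendor, tier, score, gaps, recommend(tier, gaps))


def recommend(tier: str, gaps: list) -> list:
    """Map gaps to contractual or process actions, scaled by tier."""
    gap_ids = {qid for qid, _, _ in gaps}
    unanswered = [qid for qid, _, status in gaps if status == "unanswered"]
    recs = []
    if unanswered and tier in ("Critical", "Important"):
        recs.append(f"Escalate to management: {len(unanswered)} question(s) unanswered")
    if "dpa_signed" in gap_ids:
        recs.append("Contract: add a GDPR Article 28 Data Processing Agreement")
    if "notify_within_24h" in gap_ids:
        recs.append("Contract: add an incident notification clause (24h)")
    if tier == "Critical" and "right_to_audit" in gap_ids:
        recs.append("Contract: add a right-to-audit clause")
    if tier == "Critical" and "data_export_supported" in gap_ids:
        recs.append("Contract: add exit and data migration terms")
    recs.append(f"Reassess every {REASSESS_MONTHS[tier]} months; "
                f"monitor every {MONITOR_MONTHS[tier]} months")
    return recs


# Constructed sample: a hosting provider holding customer data, with a few gaps
# and one question the vendor left unanswered (right_to_audit is simply absent).
SAMPLE_ANSWERS = {
    "iso27001_or_soc2": True, "encryption_at_rest": True, "mfa_required": True,
    "pentest_annual": False, "ir_plan_documented": True, "notify_within_24h": False,
    "dpa_signed": True, "dr_plan_tested": True, "data_export_supported": True,
    "subprocessors_disclosed": True, "subprocessor_change_notice": False,
}


def sample_assessment() -> Assessment:
    tier = classify_tier(handles_personal_data=True, operationally_critical=True)
    return assess("example-cloud-host", tier, SAMPLE_ANSWERS)


if __name__ == "__main__":
    result = sample_assessment()
    print(result.vendor, result.tier, "risk score:", result.risk_score)
    for gap in result.gaps:
        print("  gap:", *gap)
    for rec in result.recommendations:
        print("  action:", rec)
```

The sample vendor lands at a risk score of 30 with four gaps, one of them unanswered, which triggers the escalation recommendation because the vendor is Critical; the same unanswered question on a Standard vendor still counts against the score but is not escalated.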

Is a SOC 2 report enough to trust a vendor?

A SOC 2 Type II report is a strong indicator but not sufficient on its own. It covers the vendor's controls at a point in time and may not address all your specific requirements. Review the report's scope, any noted exceptions, and the complementary user entity controls (CUECs) that are your responsibility. Supplement with your own assessment of areas not covered by the report.

Does this tool store my vendor assessment data?

No. All assessment data stays in your browser. Nothing is sent to any server, stored in any database, or shared. When you close the page, all data is gone. For a permanent vendor risk register, see our Security Policy Bundle, which includes a Vendor Management Policy, or our DORA kit, which includes a Third-Party ICT Provider Register template.

Disclaimer: This tool is for informational purposes only and does not constitute legal or professional advice. The risk score is an estimate based on self-reported inputs. Consult qualified professionals for formal vendor assessments. Created by ClevSec.

Last updated: March 2026