Your Vendors’ Security Problem Is Your Compliance Problem
Under NIS2, you're legally required to manage the cybersecurity risk in your supply chain. Not morally expected to. Legally required. Fines-on-your-balance-sheet legally.
GDPR has always required a contract with every processor that handles personal data on your behalf (and, further down the chain, between that processor and its own sub-processors). But NIS2 and DORA go further. They demand formal risk assessments of your vendors' security practices, contractual security requirements, and ongoing monitoring.
Industry surveys put the average organization at 130+ SaaS tools. Each one is a potential compliance liability. How many have you actually vetted?
Most SMBs answer honestly: zero. Possibly the CRM. Possibly the cloud provider. But the project management tool, the email marketing platform, the analytics service, the dozen micro-SaaS tools your team signed up for with a credit card? Nobody checked.
Why Third-Party Risk Matters Now
Three regulatory drivers converged in 2025-2026:
NIS2 supply chain requirements. Article 21(2)(d) lists supply chain security among the mandatory risk-management measures for all in-scope entities: you must assess the cybersecurity practices of your direct suppliers and service providers, ensure contractual security requirements are in place, and monitor compliance. The estimated 29,000 organizations now in scope for NIS2 in Germany need to cascade these requirements down their supply chains.
GDPR sub-processor obligations. When you share personal data with a vendor (your CRM, email provider, analytics tool), you need a Data Processing Agreement (DPA) under Article 28. You're responsible for ensuring the processor implements appropriate security measures. If they have a breach, your obligation to report it doesn't disappear because it happened at a third party: under Article 33 the processor must tell you without undue delay, and once you're aware, your own 72-hour deadline to notify the supervisory authority applies regardless of where the breach occurred.
DORA third-party ICT risk. For financial sector organizations, DORA requires detailed ICT third-party risk management: a register of information covering every ICT third-party arrangement, concentration risk assessments, exit strategies, and contractual resilience requirements. This is the strictest framework and a preview of where other sectors are heading.
The Vendor Assessment Framework
Not every vendor needs the same level of scrutiny. Tier them based on data access and criticality.
Tier 1: Critical vendors (full assessment)
Vendors that process sensitive personal data, have access to your production systems, or whose failure would disrupt your operations. Your cloud provider, your primary SaaS platform, your payment processor.
For these, you need: security questionnaire or audit report (SOC 2 Type II, ISO 27001, or equivalent), DPA review and execution, penetration test results or vulnerability management evidence, incident response procedures, business continuity plans, data residency and sub-processor documentation.
Tier 2: Significant vendors (standard assessment)
Vendors that process some personal data or have network access but aren’t critical to operations. Your email marketing tool, project management platform, analytics service.
For these: security questionnaire, DPA execution, basic certification check (SOC 2 or ISO 27001), and sub-processor list review.
Tier 3: Minor vendors (light assessment)
Vendors with minimal data access and no production system integration. Design tools, documentation platforms, internal communication tools.
For these: confirm DPA is available, check their security page for certifications, review their privacy policy.
The Security Questionnaire
Don’t use a 200-question enterprise questionnaire for an SMB vendor. You’ll wait months and get useless answers. Focus on what actually matters.
Ask about: data encryption (at rest and in transit), access controls and authentication (MFA for admin access?), vulnerability management (patch timelines for critical CVEs?), incident response (do they have a process? what's their notification timeline, and does it leave room for your own 24-hour NIS2 early warning and 72-hour GDPR deadlines?), data residency (where is data stored? EU or non-EU?), sub-processors (who else touches your data?), certifications (SOC 2, ISO 27001, BSI C5?), backup and recovery (what are their RPOs and RTOs?).
Accept a current SOC 2 Type II report or ISO 27001 certificate as a substitute for most of these questions; a vendor that has one has already demonstrated these controls to an auditor. Do check the scope, though: a SOC 2 report only covers the system and trust services criteria named in it, and an ISO 27001 certificate only the scope printed on it, so confirm that the service you're actually buying falls inside that scope and that the report period is recent.
Red Flags That Should Stop a Procurement
No DPA available. If a vendor processing personal data can’t provide a Data Processing Agreement, walk away. This is a GDPR basic.
No information on data residency. “We use AWS” isn’t sufficient. Which region? What’s the sub-processor chain? Where do backups live?
No breach notification commitment. Your DPA should include a breach notification timeline (ideally 24-48 hours). NIS2 expects an early warning to your CSIRT within 24 hours of becoming aware of a significant incident, and GDPR gives you 72 hours to notify the supervisory authority, so a vendor that won't commit to prompt notification makes those deadlines impossible to meet.
No SOC 2, ISO 27001, or equivalent. For Tier 1 vendors processing sensitive data, some form of independent security assessment is non-negotiable.
Excessive sub-processor chain. If your vendor shares data with 15 sub-processors, each with their own sub-processors, your risk surface is enormous. Ask for the list. Review it. Push back on unnecessary sharing.
US-only data storage for EU data. This isn't automatically disqualifying (the EU-US Data Privacy Framework provides a transfer basis for US companies that are certified under it), but it adds complexity: you have to verify the vendor's certification is current and document the transfer basis yourself.
For sensitive data, EU residency is simpler. See our data residency guide for the full analysis.
Contractual Security Requirements
Your vendor contracts (or DPAs) should include these minimum clauses:
Data processing limited to your documented instructions and purposes. Security measures appropriate to the risk level. Breach notification within a defined timeline (24-48 hours).
Right to audit (or accept independent audit reports as substitute). Sub-processor notification and approval rights. Data return and deletion on contract termination.
For NIS2 in-scope organizations, contracts should also cover: supply chain security requirements, incident cooperation obligations, and access to security documentation.
Ongoing Monitoring
Assessment isn’t a one-time event. Vendors change. Their security posture changes. Their ownership changes. Their sub-processors change.
Review Tier 1 vendors annually. Request updated SOC 2 reports or security questionnaires. Monitor for breach disclosures. Track sub-processor changes.
Review Tier 2 vendors every two years or when a significant change occurs (acquisition, major breach, regulatory action).
Set up alerts for vendor security incidents. Services like SecurityScorecard, BitSight, or UpGuard provide continuous monitoring of vendor security postures. For SMBs, even a simple Google Alert for “[vendor name] data breach” is better than nothing.
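The tiering rules above, the per-tier evidence list, the procurement red flags, and the annual/biennial review cadence are all mechanical enough to encode. The following is an added example (not code from the original article) that models a small vendor register and evaluates each vendor against those rules; the field names, the sample vendors and the sub-processor threshold of 15 are this example's own assumptions, and the register is constructed inline so it runs offline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Review cadence from the article: Tier 1 annually, Tier 2 every two years.
# The page sets no fixed cadence for Tier 3, so it is reviewed on change only.
REVIEW_CADENCE_DAYS = {1: 365, 2: 730, 3: None}

# Evidence the article asks for at each tier.
REQUIRED_EVIDENCE = {
    1: ["security questionnaire or audit report (SOC 2 Type II / ISO 27001)",
        "DPA reviewed and executed",
        "penetration test results or vulnerability management evidence",
        "incident response procedures", "business continuity plan",
        "data residency and sub-processor documentation"],
    2: ["security questionnaire", "DPA executed",
        "certification check (SOC 2 / ISO 27001)", "sub-processor list review"],
    3: ["DPA available", "security page checked for certifications",
        "privacy policy reviewed"],
}

# Assumed cut-off for an "excessive" sub-processor chain (the article's own example).
SUB_PROCESSOR_WARN_THRESHOLD = 15


@dataclass
class Vendor:
    """One row of a vendor register. Field names are this example's assumptions."""
    name: str
    processes_personal_data: bool
    sensitive_personal_data: bool      # special-category, financial, health data
    production_access: bool            # credentials, SSO or network path into prod
    network_access: bool               # other access to internal networks
    operationally_critical: bool       # failure would disrupt operations
    dpa_executed: bool
    independent_audit: Optional[str]   # "SOC 2 Type II", "ISO 27001", or None
    data_residency_documented: bool    # region, sub-processor chain, backup location
    breach_notification_hours: Optional[int]  # contractual commitment, None if none
    sub_processor_count: int
    last_reviewed: Optional[date]


def tier(v: Vendor) -> int:
    """Tier 1: sensitive data, production access or critical. Tier 2: other
    personal data or network access. Tier 3: everything else."""
    if v.sensitive_personal_data or v.production_access or v.operationally_critical:
        return 1
    if v.processes_personal_data or v.network_access:
        return 2
    return 3


def red_flags(v: Vendor) -> List[str]:
    """Findings from the article's 'red flags that should stop a procurement'."""
    flags: List[str] = []
    if v.processes_personal_data and not v.dpa_executed:
        flags.append("no DPA for a vendor processing personal data")
    if v.processes_personal_data and not v.data_residency_documented:
        flags.append("data residency and sub-processor chain not documented")
    if v.processes_personal_data and v.breach_notification_hours is None:
        flags.append("no contractual breach notification commitment")
    elif v.breach_notification_hours is not None and v.breach_notification_hours > 48:
        flags.append(f"breach notification of {v.breach_notification_hours}h exceeds the 24-48h target")
    if tier(v) == 1 and v.independent_audit is None:
        flags.append("Tier 1 vendor without SOC 2 / ISO 27001 or equivalent")
    if v.sub_processor_count >= SUB_PROCESSOR_WARN_THRESHOLD:
        flags.append(f"{v.sub_processor_count} sub-processors: review the list and push back")
    return flags


def review_due(v: Vendor, today: date) -> bool:
    """True when the vendor has never been assessed or its cadence has lapsed."""
    if v.last_reviewed is None:
        return True
    cadence = REVIEW_CADENCE_DAYS[tier(v)]
    if cadence is None:
        return False
    return today - v.last_reviewed > timedelta(days=cadence)


def assess(v: Vendor, today: date) -> Dict[str, object]:
    t = tier(v)
    return {"vendor": v.name, "tier": t, "required_evidence": REQUIRED_EVIDENCE[t],
            "red_flags": red_flags(v), "review_due": review_due(v, today)}


AS_OF = date(2025, 6, 1)  # constructed "today" for the sample run


def sample_register() -> List[Vendor]:
    """Constructed sample vendors, not real companies or real assessment data."""
    return [
        Vendor("cloud-provider", True, True, True, True, True, True, "SOC 2 Type II",
               True, 24, 8, date(2024, 1, 15)),
        Vendor("email-marketing", True, False, False, False, False, True, "ISO 27001",
               True, 72, 6, date(2024, 9, 1)),
        Vendor("micro-analytics", True, False, False, False, False, False, None,
               False, None, 20, None),
        Vendor("design-tool", False, False, False, False, False, True, None,
               True, None, 2, None),
    ]


if __name__ == "__main__":
    for vendor in sample_register():
        print(assess(vendor, AS_OF))
```

Running it lists each vendor's tier, the evidence you still owe the file, the findings that should block procurement, and whether the review clock has lapsed; the credit-card micro-SaaS tool with no DPA, no residency information and no notification commitment is the one that lights up.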
Managing the Vendor Lifecycle
Onboarding. Assessment before procurement. DPA execution before data sharing begins. Documented approval at the appropriate level.
Operation. Regular review cycles. Sub-processor change notifications. Incident collaboration.
Offboarding. Data return or deletion confirmation. Access revocation. Certificate of destruction for sensitive data.
The most commonly missed step: offboarding. When you stop using a vendor, confirm they've deleted your data. In writing. GDPR gives you the right to demand this: Article 28(3)(g) requires the processor to delete or return the personal data at the end of the service, at your choice, and to delete any remaining copies.
For the broader regulatory framework, see our pillar guide on EU compliance for software teams. The NIS2 compliance guide details supply chain security requirements. And if you’re assessing where your vendors store data, our data residency guide helps navigate the sovereignty landscape.
Need help assessing your vendor risk exposure? Let’s review your supply chain together. We help teams build practical third-party risk processes that satisfy NIS2 and GDPR without drowning in paperwork.