Vendor Risk Assessment
A structured evaluation of the security posture and compliance status of third-party vendors before and during a business relationship. DORA Article 28 mandates specific due diligence requirements for ICT service providers used by financial entities.
Vendor risk assessment is a critical component of third-party risk management. It involves systematically evaluating potential and existing vendors across multiple dimensions: information security controls, regulatory compliance, financial stability, business continuity capabilities, and data protection practices.
Under DORA, financial entities must conduct pre-contractual assessments of ICT providers, including evaluating their security measures, incident response capabilities, and business continuity plans. Ongoing assessments must also be performed, with the frequency and depth proportionate to the criticality of the services provided.
Modern vendor risk assessment platforms automate much of this process through standardized questionnaires, continuous monitoring of vendor security postures, and risk scoring. This enables organizations to manage large vendor portfolios efficiently while maintaining appropriate oversight of critical providers.
Related Terms
Third-Party Risk Management
The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.
Supply Chain Security
The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.
Due Diligence
A comprehensive investigation or assessment conducted before entering into a business relationship or transaction. In compliance contexts, due diligence refers to the thorough evaluation of third-party providers, business partners, or acquisition targets for regulatory and security risks.