Stop Managing Spreadsheets.
Start Managing Supply Chain Risk.
Enterprise-grade Third-Party Risk Management for DORA and NIS2-regulated organisations. We act as your external Vendor Security Office — verifying evidence, not collecting checkboxes.
Are you the supplier being audited? → See our Vendor Security Compliance service
| Vendor | Tier | Score | Status |
|---|---|---|---|
| Cloud Infrastructure Provider | Critical | B | Evidence pending |
| Core SaaS Platform | High | A | Compliant |
| Managed IT Support | High | C | Review required |
| Data Processing Partner | Medium | D | Critical finding |
The Spreadsheet Illusion Is Your Biggest Compliance Risk
Most organisations believe they are compliant because they send an annual Excel questionnaire to vendors. Regulators are starting to call this out.
Zero Real Visibility
You may have 50, 100, or 200+ vendors in your supply chain. Do you know which one was breached last week? Annual questionnaires capture a snapshot. Risk moves daily.
DORA & NIS2 Have Raised the Bar
Under DORA Article 28, a "Yes" collected on a form is no longer a defensible position. You must be able to show that you have actively verified vendor claims and that you maintain an up-to-date Register of Information covering every ICT third-party arrangement (Article 28(3)).
Your Team Is Drowning in Admin
Internal staff lose hundreds of hours chasing vendors for documents, certificates, and overdue responses — time taken directly from securing your own infrastructure.
Third-Party Breaches Cost 13× More
The average incident stemming from a supplier failure costs significantly more than a direct breach — in financial losses, regulatory penalties, and reputational damage.
A Complete TPRM Lifecycle — From Onboarding to Ongoing Oversight
Senior consultants who interpret the risk, validate the evidence, and tell you what actually matters.
Vendor Tiering & Criticality Classification
Not all vendors carry the same risk. We classify your supply chain by data sensitivity, business continuity impact, and regulatory exposure — so your budget goes where the risk is real.
- Risk-proportionate oversight model
- DORA/NIS2 criticality mapping
- Concentration risk identification
DORA & NIS2 Register of Information
We build and maintain your mandatory Register of Information: critical ICT providers, concentration risks, and audit-ready documentation at a moment's notice.
- DORA Article 28 compliance
- ICT contractual clause review
- Exit strategy documentation
Evidence-Based Vendor Auditing
We go beyond tick-box compliance. We review SOC 2 reports, ISO 27001 certificates, penetration test results, and sub-processor agreements.
- SOC 2 & ISO 27001 review
- Sub-processor chain audit
- SIG/CAIQ questionnaire management
Continuous Dark Web Monitoring
Questionnaires are static. Risk is not. Using SOCRadar, we monitor your critical vendors continuously across the surface, deep, and dark web.
- SOCRadar threat intelligence
- Compromised credential alerts
- Surface, deep & dark web coverage
Quarterly Executive Risk Reporting
No technical jargon delivered to a board that cannot act on it. A–F risk scores per vendor, Go/No-Go status, and a prioritised remediation list.
- A–F vendor risk scores
- Executive supply chain brief
- Prioritised remediation list
Vendor Incident Response Support
When a supplier is breached, you have hours to act. We prepare your response procedures in advance — so decisions are made with a plan, not under pressure.
- Pre-built response playbooks
- Regulatory notification support
- Business continuity decisions
We Filter the Noise.
We Deliver the Signal.
We have sat in your chair. We understand that 90% of vendor risk management is administrative noise. We filter that noise and bring you the signal — the risks that actually matter to your regulatory position and business continuity.
| Subject | Standard Approach | NPS TPRM |
|---|---|---|
| Evidence verification | ✕ Questionnaire responses accepted | ✓ Independently verified |
| Dark web monitoring | ✕ Not included | ✓ SOCRadar real-time |
| DORA RoI maintenance | ✕ Client responsibility | ✓ Maintained & audit-ready |
| Fourth-party visibility | ✕ Not covered | ✓ Full sub-contractor chain |
| Board reporting | ✕ Raw data, no interpretation | ✓ Executive-ready briefings |
Frequently Asked Questions
What does DORA Article 28 require of us?
DORA Article 28 requires financial entities to maintain a comprehensive Register of Information covering all contractual arrangements for ICT services: the services provided, their criticality assessment, and the subcontracting chain behind them. Contracts with ICT providers must contain specific provisions, including audit and access rights, exit strategies, and termination rights (Articles 28 and 30). Compliance is supervised by your national competent authority; the ESAs additionally oversee ICT providers designated as critical at Union level.
What is the difference between third-party and fourth-party risk?
Third-party risk comes from vendors you have a direct contract with. Fourth-party risk comes from your vendors' own suppliers: organisations you have no direct relationship with, but whose failure can still disrupt your operations or expose your data. If your cloud provider uses a data centre that suffers a breach, you are exposed to fourth-party risk. Modern TPRM must address both levels.
Is this a platform or a consultancy?
Both. We use SOCRadar for continuous threat intelligence and automated vendor scoring, and we overlay that with human expert analysis. A platform can flag a risk. Only an experienced consultant can tell you whether that risk matters to your specific business, what your regulatory obligation is in response, and what to do about it.
How many vendors should be monitored continuously?
This depends on your risk tiering. Your top 5–10% of vendors (the critical tier) warrant continuous monitoring; the next 15–20% need monthly reviews; the remainder can run on quarterly or annual cycles. In practice we configure continuous monitoring for 50–100 vendors, which covers the majority of an organisation's meaningful exposure.
What does the programme cost?
Initial programme setup, including vendor inventory, tiering, and framework design, starts from €15,000–€25,000 for mid-market organisations. Ongoing managed services are priced by vendor count and scope. We are happy to scope a fixed-price engagement during an initial strategy call.
Your Supply Chain Is Your Perimeter.
Whether you are preparing for a DORA audit, responding to a NIS2 supervisory inquiry, or recognising that your current spreadsheet approach will not hold up to scrutiny — we are ready to help.
Book Your Vendor Risk Assessment
No obligation. Senior consultant-led assessment.