
GDPR, NIS 2, and DORA converge on one problem: Third-party risk
Regulators no longer ask whether you manage vendor risk—they assume you do. And if you don’t, you pay for it.
Three independent EU regulations—the GDPR, NIS 2 directive, and Digital Operations Resilience Act (DORA)—stress that it’s your responsibility to manage third-party risk. These regulations offer security frameworks that support different industries and risk profiles, but they all lead with strict fines and pressure to enforce third-party risk management.
Under the GDPR, gaps in core security and operational controls drove 25% of the fines in 2025, up 40% year over year. DORA emphasizes third-party oversight, too, with 34% of financial firms calling its requirements among the hardest to meet. NIS 2 has also explicitly expanded its requirements to introduce mandatory cybersecurity obligations across the supply chain.
When three separate regulations align on a shared expectation, it signals a structural business risk and makes vendor management an "always on" activity. This is reflected in Vanta's 2025 State of Trust Report, in which more than two thirds of organizations report spending significant time on security reviews and worrying about vendor breaches.
Third-party risk is more regulated now
About five years ago, third-party risk management (TPRM) was mostly treated as a best practice, but repeated large-scale vendor security incidents have since turned it into an enforced obligation.
In 2023, a zero-day vulnerability in the MOVEit Transfer file-transfer product was exploited before it was detected, resulting in breaches at more than 2,700 organizations. Because the software sat in workflows that handled sensitive data, the impact didn't stop with the vendor: it created downstream liability for the organizations using it, triggered regulatory scrutiny, and drove an estimated $10B+ in remediation costs across sectors.
MOVEit is only one of several vendor-related breaches in recent years. Regulators have responded by formalizing TPRM requirements across the EU regulatory space, where accountability for vendor risk is now enforced:
- GDPR: Under Article 28, controllers are responsible for ensuring their processors implement appropriate security measures, and remain liable if they don’t
- NIS 2: Article 21 requires organizations to assess and manage cybersecurity risks across their vendor ecosystem
- DORA: ICT third-party risk management is a standalone pillar with thorough oversight requirements
Vendor risk management is a visibility problem
For many teams, vendor risk is still mostly invisible. This is concerning because you cannot manage what you can’t see.
Vanta's State of Trust Report (2025) found that organizations spend nine working weeks a year on vendor risk assessments and security reviews. Yet 56% still experienced a vendor breach in the past year. In the EU, a PwC Luxembourg survey found that 58% of firms believe their third-party providers still have major compliance gaps. The effort is there; the outcomes are not.
Plainly, most organizations don't have enough continuous visibility into third-party threats, which shows up in several ways:
- No centralized inventory of third parties and their access
- Compliance assessed at onboarding, then rarely revisited
- Reliance on static questionnaires and self-reported attestations
- No real-time overview of vendor security posture
Outdated, manual-heavy vendor risk management practices cause these gaps. Third-party risk changes continuously (a vendor adds a subprocessor, loses a certification, or suffers an incident), yet many teams still rely on point-in-time, fragmented reviews that leave them unable to make time-sensitive risk decisions. The EU regulations discussed here updated requirements around ongoing monitoring, incident reporting, and related duties precisely to close these gaps in existing TPRM models.
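The four gaps listed above (no inventory, no re-assessment, self-reported evidence, no posture overview) are all detectable once vendors are recorded in one place with their access, their last assessment date, and their contract terms. The following is an added illustration, not Vanta's code or any regulator's prescribed method: a minimal vendor inventory that assigns a risk tier, applies a tier-specific review cadence, and produces a prioritized queue of vendors that need action. The scoring weights, the review intervals, the vendor records and the `as_of` date are all constructed assumptions for the example.

```python
"""Vendor inventory with risk tiering and staleness checks.

Added illustration, not Vanta's code. Scoring weights and review
cadences below are assumptions chosen for the example; no regulation
prescribes these exact numbers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Maximum age of a completed assessment before it counts as stale,
# per risk tier. Assumed cadences for illustration only.
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    processes_personal_data: bool     # acts as a processor (GDPR Art. 28 relationship)
    ict_service: bool                 # provides an ICT service in DORA terminology
    supports_critical_function: bool  # an outage would hit a critical or important function
    access: tuple[str, ...]           # systems or data sets the vendor can reach
    last_assessment: date | None      # date of the last completed risk assessment, if any
    security_clauses: bool            # contract carries security obligations
    incident_notification: bool       # contract carries an incident-notification duty


def risk_score(v: Vendor) -> int:
    """Additive score from the inherent-risk attributes (assumed weights)."""
    score = 0
    if v.supports_critical_function:
        score += 3
    if v.processes_personal_data:
        score += 2
    if v.ict_service:
        score += 1
    if len(v.access) >= 2:            # broad access raises the blast radius
        score += 1
    return score


def risk_tier(v: Vendor) -> str:
    s = risk_score(v)
    if s >= 5:
        return "critical"
    if s >= 3:
        return "high"
    if s >= 1:
        return "medium"
    return "low"


def findings(v: Vendor, as_of: date) -> list[str]:
    """Gaps a reviewer must act on for this vendor, evaluated as of a given date."""
    tier = risk_tier(v)
    out: list[str] = []
    if v.last_assessment is None:
        # Access granted without any assessment is the worst form of invisibility.
        if v.access:
            out.append(f"has access to {', '.join(v.access)} but was never assessed")
        else:
            out.append("never assessed")
    else:
        age = (as_of - v.last_assessment).days
        limit = REVIEW_INTERVAL_DAYS[tier]
        if age > limit:
            out.append(f"assessment is {age} days old; {tier} tier requires review every {limit} days")
    if not v.security_clauses:
        out.append("contract lacks security obligations")
    if not v.incident_notification:
        out.append("contract lacks incident-notification duty")
    return out


def review_queue(inventory: tuple[Vendor, ...], as_of: date) -> list[tuple[str, str, list[str]]]:
    """Vendors with at least one finding, highest tier first, then by name."""
    queue = [(risk_tier(v), v.name, findings(v, as_of)) for v in inventory]
    queue = [q for q in queue if q[2]]
    queue.sort(key=lambda q: (TIER_ORDER[q[0]], q[1]))
    return queue


# Constructed sample inventory; names and attributes are invented for the example.
INVENTORY = (
    Vendor("PayCore", True, True, True, ("payments-api", "customer-db"), date(2025, 6, 1), True, True),
    Vendor("MailBlast", True, False, False, ("crm",), date(2024, 12, 15), True, False),
    Vendor("FileXfer", False, True, True, ("sftp-gateway", "hr-share"), None, False, False),
    Vendor("SwagShop", False, False, False, (), date(2023, 1, 10), True, True),
)
AS_OF = date(2025, 11, 1)  # assumed evaluation date so the output is reproducible

if __name__ == "__main__":
    for tier, name, items in review_queue(INVENTORY, AS_OF):
        print(f"[{tier}] {name}")
        for item in items:
            print(f"    - {item}")
```

Run against the sample inventory, the queue puts the two critical-tier vendors first: the never-assessed file-transfer vendor with broad access, then the payments vendor whose assessment has aged past the 90-day cadence. A low-tier vendor still surfaces once its assessment passes the two-year mark, which is the point of tying cadence to tier rather than assessing everything on the same annual cycle. Feeding `last_assessment` from an evidence source instead of a questionnaire answer is what turns this from a point-in-time review into continuous monitoring.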
TPRM obligations: How GDPR, NIS 2, and DORA overlap
While the three regulations differ in scope and terminology, their third-party risk obligations align:
All three require continuous vendor assessments, security obligations built into contracts, and incident reporting across the entire vendor ecosystem.
Third-party risk management work shouldn’t be siloed across frameworks. Managing controls for each in isolation can effectively triple the effort for the same results. Streamlining the efforts also reduces the oversight risk that can trigger compounding violations.
Bonus resource: Check out the NIS 2 compliance checklist.
How much a GDPR, NIS 2, or DORA violation can cost
Third-party breaches under EU regulations can result in significant penalties:
The actual impact on your organization balloons when a single violation results in compounded liability with serious financial and operational consequences. That liability can scale rapidly under DORA, whose periodic penalty payments accrue daily and create a "burn rate" that few balance sheets can sustain. Beyond the fines, organizations face a contractual indemnity gap: vendors typically cap their liability at a fixed amount that rarely reflects the true cost of a failure, leaving your organization to absorb most of the regulatory and financial impact.
The reputational damage is also lasting. Customers don't always distinguish between your breach and a vendor's, and B2B buyers now treat a lack of vendor visibility as a disqualifying security failure.
When regulators and customers hold you accountable for your vendors' security, trust has to be verified continuously, not annually.
Effective vendor risk management
If the core vendor management challenge is visibility, then the goal shouldn't be more assessments or reports. Instead, move from a static program to a systematic one, where continuous, integrated oversight is built into the process and you get better risk signals with less manual effort.
Vanta, the agentic trust management platform, is designed to support the shift to automated, ongoing oversight of your third-party risks. Some of Vanta’s core TPRM features you can use to build an effective third-party risk management program include:
- Centralized vendor inventory for risk tiering and classification.
- Automated evidence collection that replaces static and time-consuming vendor assessment questionnaires.
- Continuous monitoring of vendor security posture over outdated, point-in-time reviews.
- Control mapping across GDPR, NIS 2, and DORA to eliminate redundant work.
- Templates and policies to help you embed contractual security expectations into vendor agreements.
As one of today’s leading vendor risk management solutions, Vanta can help you operationalize your TPRM program within a unified platform powered by 400+ integrations for continuous risk detection and vendor oversight. Your dedicated, always-on Vanta TPRM Agent can also help you with remediation, evidence management, follow-ups, and more.
Request a demo to see how it works.
Three regulators, one common direction for third-party risks
GDPR, NIS 2, and DORA all reinforce the same expectation: 24/7 vendor risk accountability. Traditional TPRM approaches can't offer this level of assurance. Static evidence and a point-in-time review from a month ago are of little value when you have to answer for the risk in your supply chain right now.
That brings us to the most obvious question: if regulators by default think your vendors are a problem, do you have the visibility to prove otherwise?
Organizations navigating Europe’s regulatory landscape must be able to adapt to this shift quickly and treat vendor risk as a continuous discipline instead of a procurement checkbox. Platforms like Vanta are playing an integral role in integrating faster system-driven visibility into third-party risk in a way you can show stakeholders.