Vendor Risk Management
See your supply chain risk. Before regulators do.
NIS2 Article 21(2)(d) and DORA Chapter V make supply chain security mandatory. Automated vendor security scanning with A-F grades, risk-tiered assessment workflows, DORA ICT register generation, concentration risk analysis, and continuous monitoring keep your supply chain compliant.
What you get
Automated Security Scanning
Every vendor in your inventory is continuously scanned across 40+ security signals including SSL configuration, DNS security, email authentication (SPF/DKIM/DMARC), exposed services, and known vulnerability exposure. Results are distilled into an A-F security grade updated weekly.
Risk-Tiered Questionnaires
Vendors are automatically classified into risk tiers (Critical, High, Medium, Low) based on data access, service criticality, and regulatory exposure. Each tier triggers an appropriately scoped assessment questionnaire — from a lightweight 20-question form for low-risk vendors to a comprehensive 150-question deep dive for critical ICT providers.
DORA ICT Third-Party Register
Automatically generates and maintains the Register of Information required by DORA Article 28(3) for all ICT third-party service providers. The register captures contractual details, service descriptions, data locations, subcontracting chains, and exit strategy assessments in the format prescribed by the ESA regulatory technical standards.
Concentration Risk Dashboard
Visualises dependency concentration across your vendor portfolio, identifying single points of failure and over-reliance on individual providers or jurisdictions. DORA Article 29 explicitly requires ICT concentration risk assessment — FortisEU maps your vendor graph to detect systemic exposure before regulators flag it.
Continuous Vendor Monitoring
Beyond point-in-time assessments, continuous monitoring tracks vendor security posture changes, financial stability signals, regulatory actions, and breach disclosures. Alerts trigger reassessment workflows when a vendor's risk profile materially changes.
Contractual Clause Library
Pre-built contractual clause templates aligned to DORA Article 30 requirements for ICT service contracts, GDPR Article 28 processor agreements, and NIS2 supply chain security obligations. Clauses cover audit rights, incident notification, subcontracting restrictions, and exit provisions.
How it works
Import Vendors
Bulk import your vendor inventory via CSV, or sync from procurement systems. Each vendor is automatically classified by service type, data access level, and criticality to trigger the appropriate risk tier.
Auto-Scan
FortisEU runs automated security scans across 40+ signals for every vendor, generating an initial security grade within 24 hours. No vendor cooperation is required for the external scan — results are available immediately.
Assess
Risk-tiered questionnaires are dispatched to vendor contacts via the built-in portal. Vendors complete assessments in a branded interface, and responses are automatically scored against your risk criteria and regulatory requirements.
Monitor
Continuous monitoring tracks changes in vendor security posture, triggering reassessment workflows and alerts when risk thresholds are breached. The DORA ICT register and concentration risk dashboard update in real time.
Built for your team
Supply Chain Risk Oversight
A CISO preparing for NIS2 enforcement uses the vendor risk dashboard to identify that 4 of their 12 critical vendors have security grades below C and lack contractual incident notification clauses required by Article 21(2)(d). They initiate remediation workflows with contract amendments and alternative vendor evaluations before the supervisory authority review.
Vendor Onboarding Due Diligence
When procurement requests a new cloud infrastructure provider, the compliance officer triggers a full assessment workflow. The automated scan returns a B grade, the risk-tiered questionnaire reveals gaps in data residency commitments, and the DORA ICT register pre-populates with the proposed service details for review before contract execution.
Data Processor Management
The DPO uses vendor risk management to maintain an up-to-date inventory of all GDPR Article 28 data processors. Each processor's data processing agreement is tracked for completeness, sub-processor notifications are monitored, and transfer impact assessments are linked when processors operate outside the EEA.
Common questions
What does DORA require for ICT third-party risk management?
DORA Regulation 2022/2554 Chapter V (Articles 28-44) establishes comprehensive requirements for ICT third-party risk management. Financial entities must maintain a Register of Information for all ICT third-party service providers (Article 28(3)), conduct pre-contractual due diligence, include mandatory contractual provisions (Article 30), and assess ICT concentration risk (Article 29). FortisEU automates the register generation, maps contractual clauses to Article 30 requirements, and provides concentration risk analysis aligned to the ESA regulatory technical standards.
How does the vendor security scoring methodology work?
Vendor security grades (A-F) are calculated from 40+ externally observable signals across five domains: network security (SSL/TLS configuration, exposed services, DNS security), email security (SPF, DKIM, DMARC), application security (headers, cookie flags, content security policy), reputation (blocklist presence, abuse reports), and vulnerability exposure (known CVEs in detected software). Each signal is weighted by severity and combined into a composite score. Grades are recalculated weekly, and material changes trigger immediate notifications.
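As an added illustration of the weighted-signal composite described above (not FortisEU's own code): findings from the five domains are weighted by severity, deducted from a 100-point score, mapped to an A-F grade, and compared with the previous grade to decide whether a downgrade should raise a notification. The severity weights, grade thresholds, the downgrade rule and the sample signal set are all assumptions.

```python
"""Composite vendor security grade from externally observable signals.

Illustrative only: the five domains and the A-F scale follow the page;
severity weights, grade thresholds and the sample signals are assumptions.
"""
from dataclasses import dataclass

DOMAINS = ("network", "email", "application", "reputation", "vulnerability")

# Assumed weights: each failed signal deducts points according to severity.
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 8, "low": 3}

# Assumed grade thresholds on the 0-100 composite score; below 60 is F.
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))
GRADE_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "F": 4}


@dataclass(frozen=True)
class Signal:
    name: str
    domain: str
    severity: str
    passed: bool


def composite_score(signals):
    """Start at 100 and deduct the severity weight of every failed signal."""
    bad = [s.domain for s in signals if s.domain not in DOMAINS]
    if bad:
        raise ValueError(f"unknown domain(s): {bad}")
    return max(0, 100 - sum(SEVERITY_WEIGHT[s.severity] for s in signals if not s.passed))


def domain_breakdown(signals):
    """Points lost per domain, so a reviewer can see where the grade went."""
    lost = {d: 0 for d in DOMAINS}
    for s in signals:
        if not s.passed:
            lost[s.domain] += SEVERITY_WEIGHT[s.severity]
    return lost


def grade(score):
    return next((letter for floor, letter in GRADE_BANDS if score >= floor), "F")


def is_material_change(previous_grade, current_grade):
    """Assumed rule: only a downgrade (worse band) is material enough to alert."""
    return GRADE_RANK[current_grade] > GRADE_RANK[previous_grade]


# Constructed sample scan result for one vendor (not real data).
SAMPLE_SIGNALS = [
    Signal("tls_min_version_1_2", "network", "high", True),
    Signal("no_exposed_admin_service", "network", "critical", True),
    Signal("dnssec_enabled", "network", "low", False),
    Signal("spf_record_present", "email", "medium", True),
    Signal("dmarc_policy_enforced", "email", "medium", False),
    Signal("hsts_header", "application", "medium", False),
    Signal("content_security_policy", "application", "low", False),
    Signal("not_on_blocklist", "reputation", "critical", True),
    Signal("no_known_cve_in_detected_software", "vulnerability", "high", False),
]
```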
How does FortisEU address NIS2 Article 21(2)(d) supply chain requirements?
NIS2 Directive 2022/2555 Article 21(2)(d) requires essential and important entities to address supply chain security, including security-related aspects of relationships with direct suppliers and service providers. FortisEU maps this requirement to concrete controls: vendor inventory management, security assessment workflows, continuous monitoring, contractual security clauses, and incident notification requirements. The platform tracks compliance with Article 21(2)(d) as part of the overall NIS2 compliance score.
Can FortisEU integrate with existing procurement workflows?
Yes. FortisEU integrates with procurement systems via API and CSV import to sync vendor master data automatically. New vendor requests in procurement trigger risk assessment workflows in FortisEU, and assessment results flow back as approval signals. The platform supports webhook-based integration for real-time sync with SAP Ariba, Coupa, and custom procurement portals. DORA ICT register data is maintained regardless of which system initiates the vendor onboarding.