Hard2bit
TPRM · DORA · NIS2 · ISO 27001 · ENS HIGH

Third-party risk management (TPRM): your digital supply chain under control

An operational, auditable TPRM programme: vendor inventory and criticality, technical due diligence, contractual clauses, continuous monitoring and exit plan. Designed to pass DORA, NIS2, ISO 27001 and ENS reviews.

Hard2bit is a Spain-based cybersecurity firm that runs its own ISMS audited against ENS HIGH category and ISO/IEC 27001:2022. We deliver the TPRM programme with the same evidence discipline we apply internally.

DORA-ready

ICT vendor register and criticality

Complete inventory, criticality classification, dependency map and register ready for DORA article 28 and the competent supervisor.

NIS2

Supply chain under control

We meet NIS2 article 21.2.d with technical due diligence, homogeneous questionnaires and traceable evidence of periodic review.

Continuous

Monitoring between reviews

Vendor posture surveillance with external signals, material-change alerts and an executive dashboard.

Audit-ready

Evidence for audit and regulators

Procedures, questionnaires, contracts, review records and exit plans structured for ISO 27001, ENS and banking/DORA audits.

What's included

An operational, auditable TPRM programme — not a spreadsheet

We cover the full cycle: from initial inventory to documented exit plan, through technical due diligence, contracts and continuous monitoring between formal reviews.

  • Consolidated inventory of vendors and sub-processors with criticality by service.
  • Third-party risk taxonomy adapted to the sector and regulatory profile.
  • Initial technical due diligence: questionnaires, evidence, control validation and certifications.
  • Contractual clauses and SLAs aligned with DORA, NIS2, ISO 27001 and ENS.
  • Continuous monitoring between reviews with alerts for material changes.
  • Exit plan and technology dependency assessment for critical vendors.
  • Executive and operational dashboard with KPIs and evidence log.
  • Coordination with procurement, legal, risk, DPO and leadership.

How we deliver

Four phases with clear deliverables

Each phase ends with actionable artefacts and audit traceability. We adapt cadence to the client's regulatory profile.

Phase 01

Inventory, criticality and operating model

We build the consolidated inventory of vendors and sub-processors, classify each relationship by criticality (service provided, data processed, operational dependency) and define the operating model: owners, review cycle, escalation and committee inputs.

Phase 02

Technical due diligence and questionnaires

We apply a homogeneous questionnaire by criticality level (based on ISO 27001 Annex A 5.19-5.22, DORA and, where applicable, PCI-DSS), validate real certifications (not just declared ones) and request evidence proportional to risk.

Phase 03

Contracts, clauses and exit plan

We review or draft the critical clauses: audit rights, incident notification deadlines, subcontracting, data location, international transfers, termination, portability and exit plan for critical vendors.

Phase 04

Continuous monitoring and governed review

We keep watch between formal reviews for material changes, public breaches, end of support and certification expirations. The committee reviews the indicators and decides on reclassifications, improvement plans or a vendor change when needed.

Main deliverables

What you receive when contracting the programme

Master vendor inventory

Consolidated register with criticality, data processed, contracts, sub-processors and key dependencies.

Due diligence report per vendor

Technical analysis with findings, evidence, maturity rating and prioritised recommendations.

Reference contractual package

DORA/NIS2/ISO 27001/ENS template clauses, security annexes and templates adaptable by criticality level.

Executive dashboard

KPIs on coverage, residual risk, vendors out of SLA and vendors with open improvement plan.

Exit plan for critical vendors

Portability procedure, viable alternatives, timelines and owners documented before signing.

Value by role

Who uses the TPRM programme inside the organisation

CISO / Head of Security

Real visibility into third-party risk, not an outdated spreadsheet. Measurable coverage, actionable alerts and a data-driven conversation with leadership.

DPO / Privacy Lead

Complete register of processors and sub-processors, verified GDPR clauses and traceability of international transfers without repeated manual work.

Procurement and Legal

Homogeneous criteria to onboard vendors, approved template clauses and a process that integrates with the existing contracting flow.

Leadership / Risk Committee

Executive reading of supply chain risk, indicators comparable across vendors and decision support for renewals and replacements.

Typical use cases

When the TPRM programme is activated

DORA compliance at a financial entity

Complete inventory of ICT vendors, criticality classification, detailed register, reinforced due diligence for critical ones and documented exit plan before 17 January 2026.

NIS2 at an essential or important entity

TPRM programme proportional to the organisation's profile with homogeneous questionnaires, annual review evidence and mapping to NIS2 controls usable in audit.

ISO 27001:2022 — controls 5.19 to 5.22

Vendors treated as a managed asset: policy, due diligence, contractual clauses, periodic review and response to changes. Evidence ready for certification audit.

Cyber due diligence in M&A

Rapid assessment of third-party risk at the target company within a corporate transaction: inherited critical vendors, contractual exposures and post-closing mitigation plans.

Vendor incident response

When a vendor suffers a breach, we activate the procedure: impact assessment, coordinated communication, evidence for the regulator and, where applicable, migration or replacement plan.

Programme targets

  • 100%: critical vendors with current due diligence
  • ≤48h: internal notification of material vendor changes
  • 1 year: minimum review cadence for critical vendors

Plans & pricing

Four tiers with "from" pricing

From a one-off assessment on a critical vendor to a full programme with continuous monitoring. Explanation workshop included in every tier.

TPRM service tiers

TPRM Assessment
  Scope: 1 critical vendor (point-in-time review)
  Includes: Full technical due diligence on one critical vendor: questionnaire, evidence, certification validation, contractual analysis and improvement plan. Delivered in 2-3 weeks.
  Price: from €2,450

TPRM Programme Top
  Scope: Full programme rollout (up to 25 vendors)
  Includes: Policy, risk taxonomy, operating model, homogeneous questionnaires, initial due diligence of up to 25 vendors, contractual package and dashboard.
  Price: from €6,900

TPRM Continuous
  Scope: Monitoring + annual review + committee
  Includes: Continuous surveillance between reviews, material-change alerts, third-party risk committee and annual re-assessment of critical vendors. Recurring fee.
  Price: from €950/mo

TPRM Enterprise
  Scope: Multi-national or multi-unit programme
  Includes: Programmes with several business units, multiple jurisdictions, more than 100 vendors or integration with a corporate GRC platform. Sized in proposal.
  Price: Custom

All prices shown excluding VAT. Indicative "from" amounts. Final terms — scope, number of vendors, criticality, integration with the client's GRC platform, timelines and contractual conditions — will be set out in the signed commercial proposal.

Provider's operating framework

We run the TPRM programme inside our own ISMS audited against ENS HIGH category and ISO/IEC 27001:2022, plus four additional ISOs (22301, 20000-1, 9001, 14001). Templates, questionnaires and records remain aligned with international frameworks and are reusable by clients subject to DORA, NIS2 or ENS in their own audits. The ENS HIGH certification belongs to Hard2bit as a provider; it does not replace the client's own certification.

Scope and exclusions

What the service does not include (by default)

The following exclusions can be contracted separately or combined with other Hard2bit services. Making them explicit avoids misunderstandings and sizes the engagement correctly.

  • On-site audit of the vendor at their premises (separate service, requires prior agreement with the vendor).
  • Implementation or licences of third-party GRC platforms (Archer, ServiceNow GRC, OneTrust, etc.) — integrated if the client operates them.
  • Legal defence or litigation arising from vendor incidents (legal service out of scope).
  • Pentesting or offensive exercises on vendor infrastructure (require their formal prior authorisation).
  • Technical vendor substitution (separate migration project, available as a follow-on engagement if applicable).

Related services

Pairs well with the rest of the GRC cluster

The TPRM programme works best when integrated with the broader regulatory framework. These are the services it cross-links with most.

Technical complement

A passive external snapshot of your vendor in 60 seconds

Before starting the formal due diligence, you can run Hard2bit Scanner against the vendor's domain to get a passive external snapshot (DNS/TLS posture, public exposure, known leaks). It does not replace the full questionnaire, but saves work in the first phase.

Frequently asked questions

Common questions about the TPRM programme

What exactly does DORA require on third-party risk?

Article 28 of the DORA Regulation sets specific obligations: maintain a detailed register of ICT vendors, classify the criticality of each arrangement, assess concentration and dependencies, apply minimum contractual clauses, guarantee audit rights and have documented exit plans for critical vendors. The entity remains responsible even when outsourcing, and must be able to demonstrate it to the competent supervisor.

How is TPRM different from traditional vendor management?

Traditional vendor management focuses on operational SLAs, billing and performance. TPRM adds the cybersecurity and regulatory risk dimension: what data the vendor processes, what controls it applies, what sub-processors it uses, what happens if it suffers a breach, how to exit the contract if needed. They are complementary disciplines and a mature programme integrates both.

How many vendors must be covered as a minimum?

It depends on the applicable framework. DORA requires complete coverage of the ICT inventory with reinforced focus on critical ones. NIS2 asks for proportionality to the organisation's profile. ISO 27001 requires treating all vendors relevant to information security. In practice, an honest first sweep usually uncovers 30 to 60 per cent more vendors than the organisation formally inventoried.

Is a GRC tool required, or does a well-structured spreadsheet do the job?

To start and for mid-sized programmes, a well-structured spreadsheet can sustain the programme for the first months. When the inventory exceeds 50-80 vendors, when there are several business units or when audits require granular traceability, a GRC platform helps to scale. What matters is the operating model, not the tool.

What does an exit plan include and why does DORA require it?

An exit plan documents how to end the relationship with a critical vendor without service disruption: viable technical alternatives, realistic timelines, data portability, information ownership, associated costs and owners. DORA requires it because technological dependency is a systemic risk: without a credible exit plan, a financial entity can be trapped with a vendor that fails or stops complying.

What if a critical vendor refuses to sign the clauses we require?

It is a frequent situation with large hyperscalers and mass-market SaaS providers. The real options are: accept the limitation by documenting the residual risk and applying compensating controls, negotiate specific addenda, evaluate vendor substitution or, in regulated sectors, escalate the decision to the governance body with impact analysis.

Can the vendor's certifications (ISO 27001, SOC 2, ENS) replace due diligence?

They reduce the effort but do not replace it. A certification verifies that a management system exists, not that it applies to the specific service you are contracting. Due diligence must confirm scope, data processed, specific configuration and incident response — aspects the certification does not detail on its own.

How is the effectiveness of a TPRM programme measured?

The most useful metrics are inventory coverage, the percentage of critical vendors with current due diligence, mean review time, the number of material findings detected, vendors with an open improvement plan and vendors with a documented exit plan. These are indicators comparable over time that the committee understands without technical translation.
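As an added illustration of the indicators listed above, together with the Phase 01 criticality criteria and the Phase 04 monitoring signals described earlier on this page, the following Python script computes them from a small vendor register. It is example code written for this page, not Hard2bit's tooling or any GRC product. The vendor records are constructed, the scoring weights and thresholds in classify() are assumptions, and only the 1-year cadence for critical vendors and the 48-hour notification window come from the page; the cadences for the other two levels, the CORE_SERVICES and SENSITIVE_DATA sets and the 90-day alert horizon are assumed for the example.

```python
"""Added example (not Hard2bit's tooling): a minimal vendor register with
criticality classification, review-cadence KPIs and material-change alerts.
All vendor data below is constructed; scoring thresholds are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Minimum review cadence per criticality level. The 1-year figure for critical
# vendors is the page's stated minimum; the other two are assumed for this example.
REVIEW_CADENCE_DAYS = {"critical": 365, "high": 540, "standard": 730}
# Services and data classes that raise criticality (assumed lists).
CORE_SERVICES = {"hosting", "payments", "identity", "erp"}
SENSITIVE_DATA = {"personal", "financial", "health"}
NOTIFICATION_WINDOW = timedelta(days=2)  # page commitment: internal notice within 48h


@dataclass
class Vendor:
    name: str
    service: str
    data_classes: set[str]
    operational_dependency: str          # "none" | "partial" | "total"
    last_due_diligence: date | None      # None = never assessed
    improvement_plan_open: bool = False
    exit_plan_documented: bool = False
    certifications: dict[str, date] = field(default_factory=dict)  # name -> expiry
    end_of_support: date | None = None


def classify(v: Vendor) -> str:
    """Phase 01 criteria: service provided, data processed, operational dependency."""
    score = {"total": 3, "partial": 1}.get(v.operational_dependency, 0)
    score += 2 if v.data_classes & SENSITIVE_DATA else 0
    score += 1 if v.service in CORE_SERVICES else 0
    return "critical" if score >= 5 else "high" if score >= 3 else "standard"


def due_diligence_current(v: Vendor, today: date) -> bool:
    """True when the last due diligence falls inside the cadence for v's criticality."""
    if v.last_due_diligence is None:
        return False
    return (today - v.last_due_diligence).days <= REVIEW_CADENCE_DAYS[classify(v)]


def kpis(vendors: list[Vendor], today: date) -> dict:
    """The dashboard indicators named on the page, computed from the register."""
    critical = [v for v in vendors if classify(v) == "critical"]
    assessed = sum(v.last_due_diligence is not None for v in vendors)
    current_critical = sum(due_diligence_current(v, today) for v in critical)
    return {
        "coverage_pct": round(100 * assessed / len(vendors), 1),
        "critical_with_current_dd_pct": round(100 * current_critical / len(critical), 1) if critical else 100.0,
        "vendors_out_of_sla": sorted(v.name for v in vendors if not due_diligence_current(v, today)),
        "open_improvement_plans": sorted(v.name for v in vendors if v.improvement_plan_open),
        "critical_without_exit_plan": sorted(v.name for v in critical if not v.exit_plan_documented),
    }


def material_change_alerts(vendors: list[Vendor], today: date, horizon_days: int = 90) -> list[tuple[str, str, date]]:
    """Phase 04 signals: a certification expiring inside the horizon or end of support.
    Each alert carries the internal notification deadline (today + 48h)."""
    horizon = today + timedelta(days=horizon_days)
    deadline = today + NOTIFICATION_WINDOW
    alerts = []
    for v in vendors:
        for cert, expiry in v.certifications.items():
            if expiry <= horizon:
                state = "expired" if expiry < today else "expires"
                alerts.append((v.name, f"{cert} {state} {expiry}", deadline))
        if v.end_of_support is not None and v.end_of_support <= horizon:
            alerts.append((v.name, f"end of support {v.end_of_support}", deadline))
    return alerts


# Constructed register for the example (not real vendors).
TODAY = date(2025, 6, 1)
VENDORS = [
    Vendor("CloudCore", "hosting", {"personal", "financial"}, "total", date(2024, 9, 15),
           improvement_plan_open=True, exit_plan_documented=True,
           certifications={"ISO 27001": date(2025, 7, 30)}),
    Vendor("PayGate", "payments", {"financial"}, "partial", date(2024, 3, 1),
           certifications={"PCI DSS": date(2026, 1, 1)}),
    Vendor("MailBlast", "marketing email", {"personal"}, "none", date(2023, 3, 1)),
    Vendor("OfficeSupplies", "stationery", set(), "none", None),
    Vendor("LegacyERP", "erp", {"financial"}, "total", date(2025, 1, 10),
           improvement_plan_open=True, end_of_support=date(2025, 6, 30)),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:15} {classify(v):9} current={due_diligence_current(v, TODAY)}")
    for key, value in kpis(VENDORS, TODAY).items():
        print(f"{key}: {value}")
    for name, change, by in material_change_alerts(VENDORS, TODAY):
        print(f"ALERT {name}: {change} (notify internally by {by})")
```

Run as-is and the register yields 80% coverage (one vendor never assessed), 100% of critical vendors inside their one-year cadence, two vendors out of SLA, and two alerts with a notification deadline two days after the run date: an ISO 27001 certificate expiring within the horizon and an end-of-support date on a critical ERP that also lacks a documented exit plan. Criticality is derived from the record rather than stored on it, so a change to the data processed or to the dependency level re-classifies the vendor and tightens its cadence automatically, which is the reclassification decision the committee takes in Phase 04.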

Ready to professionalise your vendor management?

Request a TPRM proposal with scope tailored to your regulatory framework (DORA, NIS2, ISO 27001, ENS) and real vendor count.