Compliance Intelligence · Supplier Shield

Third-Party Compliance: DORA, NIS2, ISO 27001, GDPR and Swiss FADP

Plain-language explanations of every framework that governs how you manage vendors, suppliers, and ICT third parties, with the exact articles, what auditors expect, and how Supplier Shield automates the evidence.

§ Quick reference

Which frameworks apply to your organization?

Jurisdiction and sector determine your mandatory baseline. Use this as your starting point before reading the full framework entries below.

Your organization | Mandatory | Commonly required | Key third-party obligation
EU financial entity (bank, insurer, investment firm, payment institution) | DORA | NIS2, ISO 27001 | Written ICT contracts, exit strategy, concentration risk (DORA Art. 28-44)
EU essential entity (energy, transport, health, water, digital infrastructure) | NIS2 | ISO 27001 | Supply chain security measures for direct suppliers (NIS2 Art. 21)
EU important entity (manufacturing, postal, food, research, digital providers) | NIS2 | ISO 27001 | Supply chain security measures; lighter enforcement regime than essential entities
Swiss organization (any entity processing data of Swiss residents) | Swiss FADP | GDPR, ISO 27001 | Written processor agreements and sub-processor authorization (FADP Art. 9)
US cloud or SaaS provider (serving enterprise or regulated clients) | SOC 2 | GDPR, ISO 27001 | Vendor management program and subservice organization monitoring (SOC 2 CC9.2)
Any organization, any sector (seeking independent certification of security controls) | ISO 27001 | SOC 2 | Supplier security policy, agreements, ICT supply chain, monitoring (ISO 27001 Annex A 5.19-5.22)

Mandatory = legally required. Commonly required = expected by clients, auditors, or regulators in practice. Not legal advice.

§ Framework reference

Six frameworks. Every third-party obligation, explained.

Each entry covers who it applies to, which article governs third-party risk, what auditors and regulators specifically expect, and where to read the full guide.

DORA (European Union)

Digital Operational Resilience Act

Regulation (EU) 2022/2554
Applies to

Banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers.

In force: January 17, 2025
Key requirements
  • ICT risk management framework (Art. 5-16)
  • ICT-related incident classification and reporting (Art. 17-23)
  • Digital operational resilience testing (Art. 24-27)
  • ICT third-party risk management (Art. 28-44)
  • Concentration risk monitoring across critical providers
Third-party clause: Articles 28-44

DORA mandates written contracts with all ICT providers, enhanced requirements for Critical Third-Party Providers (CTPPs) designated by the ESAs, exit strategies for each critical provider, and full sub-contracting chain transparency.

NIS2 (European Union)

Network and Information Security Directive 2

Directive (EU) 2022/2555
Applies to

Essential entities (energy, transport, banking, health, water, digital infrastructure, space) and important entities (postal, manufacturing, food, digital providers, research).

In force: October 17, 2024 (national transposition)
Key requirements
  • Supply chain security measures (Art. 21)
  • Incident reporting: 24h early warning, 72h notification, 1-month final report
  • Multi-factor authentication and encryption
  • Business continuity and crisis management
  • Management body accountability with personal liability
Third-party clause: Article 21(2)(d)

Art. 21(2)(d) explicitly requires supply chain security covering relationships with direct suppliers. Organizations must assess ICT supplier security practices and propagate requirements down the chain. Fines up to €10 million or 2% of global turnover.

Swiss FADP (Switzerland)

Federal Act on Data Protection

nDSG / Bundesgesetz über den Datenschutz
Applies to

Any organization, Swiss or foreign, that processes personal data of Swiss residents.

In force: September 1, 2023
Key requirements
  • Record of processing activities
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Written data processing agreements with all processors
  • Cross-border transfer safeguards (adequacy or standard clauses)
  • 72-hour breach notification to FDPIC for high-risk incidents
Third-party clause: Article 9 (processors)

Art. 9 requires third-party processors to be authorized by written contract and to provide sufficient guarantees on technical and organizational measures. Sub-processing requires explicit authorization and equivalent guarantees.

ISO 27001 (international standard)

ISO/IEC 27001:2022

Information Security Management System
Applies to

Any organization seeking a certified Information Security Management System (ISMS), regardless of size or sector.

In force: 2022 revision; migration deadline October 31, 2025
Key requirements
  • ISMS scope and context (Clause 4)
  • Risk assessment and treatment plan (Clause 6)
  • Statement of Applicability (SoA)
  • Supplier relationships: Annex A 5.19-5.22
  • Continuous monitoring and improvement (Clause 10)
Third-party clause: Annex A 5.19-5.22

Controls 5.19 (supplier policy), 5.20 (supplier agreements), 5.21 (ICT supply chain security), and 5.22 (monitoring and review of supplier services) together form the supplier management control set within a certified ISMS.

SOC 2 (United States)

SOC 2 Type II

System and Organization Controls 2 — AICPA
Applies to

Service organizations storing, processing, or transmitting customer data: SaaS, cloud providers, managed service providers, data centers.

In force: Annual audit cycle; no regulatory mandate
Key requirements
  • Security Trust Service Criterion (CC) is mandatory
  • Optional: Availability, Confidentiality, Processing Integrity, Privacy
  • Vendor management program (CC9.2)
  • Subservice organization monitoring: SOC reports or carve-out
  • Complementary user entity controls (CUECs)
Third-party clause: CC9.2 (Vendor Management)

CC9.2 requires service organizations to assess risks from vendors and business partners, obtain their SOC 2 reports or equivalent evidence, and conduct ongoing monitoring. Reliance on subservice organizations must be disclosed and covered by a carve-out or inclusive approach.

GDPR (European Union)

General Data Protection Regulation

Regulation (EU) 2016/679
Applies to

Any organization processing personal data of EU/EEA residents, including non-EU companies targeting EU data subjects.

In force: May 25, 2018
Key requirements
  • Lawful basis for every processing activity
  • Data subject rights: access, erasure, portability, objection
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Data Processing Agreements (DPA) with every processor (Art. 28)
  • Standard Contractual Clauses (SCCs) for international transfers
Third-party clause: Article 28

Art. 28 mandates that controllers only use processors providing sufficient guarantees on technical and organizational measures. A written DPA is required covering processing subject-matter, duration, nature, purpose, and categories of data. Sub-processors require prior written authorization.

§ Comparison

Which frameworks require what?

A compliance obligation matrix across the six frameworks to help you identify gaps in your third-party risk program.

Frameworks compared: DORA, NIS2, FADP, ISO 27001, SOC 2, GDPR.

Obligation | Frameworks with an explicit obligation
Mandatory for regulated entities | DORA, NIS2, FADP, GDPR (ISO 27001 and SOC 2 carry no legal mandate)
Explicit third-party / supply chain article | All six
Written contract required with vendors | 4 of 6
Vendor risk tiering / criticality required | 4 of 6
Incident notification to regulator | 4 of 6
Exit strategy / concentration risk | DORA only
Periodic vendor assessment required | 4 of 6
Sub-contractor / sub-processor oversight | 5 of 6

An explicit obligation means the requirement appears in the framework text itself. Not legal advice; consult your compliance counsel.

§ How we help

From regulation to evidence, automated.

Supplier Shield maps every third-party obligation across your active frameworks to a concrete workflow: vendor inventory, risk tier, assessment, evidence, finding, audit report.

STEP 01

Vendor inventory and tiering

Import your full supplier list via CSV, API, or manual entry. The platform auto-proposes risk tiers based on data access, financial exposure, and regulatory scope, including DORA criticality classification.

Frameworks: DORA, NIS2, ISO 27001, SOC 2
STEP 02

Adaptive questionnaires

Vendors answer once. Responses feed every applicable framework automatically; the same evidence satisfies ISO 27001 Annex A 5.19, DORA Art. 28, GDPR Art. 28, and SOC 2 CC9.2 without re-asking.

Frameworks: DORA, GDPR, ISO 27001, SOC 2, FADP
STEP 03

Evidence library and expiry tracking

Upload SOC 2 reports, ISO certificates, pen-test results, and DPAs once. The platform tracks expiry dates and generates renewal requests automatically before they lapse.

Frameworks: DORA, NIS2, ISO 27001, SOC 2, GDPR, FADP
STEP 04

Contract requirement checklists

For each vendor, the platform generates a contract checklist mapped to applicable frameworks: DORA Art. 30 mandatory clauses, GDPR Art. 28 DPA requirements, Swiss FADP Art. 9 processor terms.

Frameworks: DORA, GDPR, FADP, ISO 27001
STEP 05

Concentration risk monitoring

Identify and monitor dependency concentration across critical ICT providers. Essential for DORA, which requires financial entities to assess systemic risk from single-provider dependencies.

Frameworks: DORA
STEP 06

Audit-ready reports

Generate framework-specific reports for regulators (ECB, BaFin, FINMA, ACPR, FDPIC) and auditors. Board-level risk summaries are drafted automatically from live vendor data.

Frameworks: DORA, NIS2, ISO 27001, SOC 2, GDPR, FADP
§ FAQ

Common compliance questions, answered.

Plain-language answers to the questions risk managers, procurement teams, and auditors ask most often.

01. What is third-party compliance?

Third-party compliance is the process of ensuring that vendors, suppliers, and partners who access your systems, data, or processes meet the same regulatory and security standards you are required to uphold. Regulations like DORA, NIS2, ISO 27001, and GDPR all impose specific obligations on how you manage, monitor, and contractually bind these external relationships.

02. What is DORA and who does it apply to?

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) has been in force since January 17, 2025. It applies to financial entities operating in the EU: banks, insurers, investment firms, payment institutions, and crypto-asset service providers. Articles 28-44 govern ICT third-party risk management, requiring mandatory contractual provisions, concentration risk assessment, and exit strategies for each critical provider.

03. What does NIS2 require for supply chain security?

NIS2 Directive Article 21(2)(d) requires essential and important entities to implement supply chain security measures covering relationships with direct suppliers or service providers. Organizations must assess the overall security posture of their suppliers' products and practices and propagate security requirements through their supply chain. Non-compliance can result in administrative fines up to 10 million euros or 2% of global annual turnover for essential entities.

04. What is the difference between GDPR Article 28 and DORA third-party requirements?

GDPR Article 28 applies whenever a third party processes personal data on your behalf, requiring a Data Processing Agreement covering security measures, sub-processing rules, and audit rights. DORA Articles 28-44 apply specifically to ICT service providers for EU financial entities, adding mandatory contract clauses, exit strategies, concentration risk analysis, and regulatory oversight of Critical Third-Party Providers (CTPPs). Both obligations can apply simultaneously to the same vendor; for example, a cloud provider processing customer data for a bank.

05. How does ISO 27001 address supplier risk?

ISO/IEC 27001:2022 dedicates four Annex A controls to supplier relationships: 5.19 (information security policy for suppliers), 5.20 (addressing information security within supplier agreements), 5.21 (managing information security in the ICT supply chain), and 5.22 (monitoring, review, and change management of supplier services). These controls require organizations to identify, assess, and continuously monitor supplier-related risks as part of a certified ISMS.

06. Do I need to comply with both NIS2 and DORA?

Possibly yes. For financial entities, DORA operates as lex specialis, meaning it takes precedence over NIS2 for ICT risk management. However, NIS2 may still apply to your ICT providers that serve critical infrastructure sectors beyond finance. Your compliance program should map both regulations and identify where they overlap or diverge; for example, incident reporting timelines differ: DORA requires a 4-hour initial report, while NIS2 requires a 24-hour early warning.

07. How does Supplier Shield help with DORA compliance?

Supplier Shield (part of Acuna GRC) provides a TPRM module that maps directly to DORA Articles 28-44. It automates vendor tiering by ICT criticality, generates DORA-aligned contract requirement checklists, tracks mandatory evidence (SOC 2 reports, penetration test results, ISO certificates), monitors concentration risk across critical ICT providers, and produces audit-ready reports for regulators including the ECB, BaFin, FINMA, and ACPR.

08. What is Swiss FADP and how does it differ from GDPR?

The Swiss Federal Act on Data Protection (nDSG / FADP), in force since September 1, 2023, protects personal data of Swiss residents. Key differences from GDPR: it does not require a specific lawful basis (processing is permitted unless unlawful exceptions apply), its supervisory authority is the FDPIC, and it has slightly different breach notification thresholds. Organizations that are GDPR-compliant are typically close to FADP-compliant with minor adjustments, particularly around processor agreement language and the FDPIC notification threshold.

09. What is a Critical Third-Party Provider (CTPP) under DORA?

A Critical Third-Party Provider (CTPP) under DORA is an ICT service provider formally designated by the Joint Committee of the European Supervisory Authorities (ESAs) based on systemic importance to EU financial stability. CTPPs are subject to direct regulatory oversight, including on-site inspections by the lead overseer and binding recommendations. Financial entities using a CTPP have enhanced contractual and monitoring obligations and must develop robust exit strategies to reduce dependency.

10. What evidence does an auditor expect for third-party compliance?

Auditors and regulators typically expect: a vendor inventory (all third parties with access to systems or data), risk tier classification (criticality and data access level), signed contracts meeting framework-specific requirements (DPAs for GDPR/FADP; ICT contracts for DORA), evidence of vendor assessments (questionnaires, SOC 2 reports, ISO certificates), a findings log with remediation status and SLAs, concentration risk analysis (especially for DORA), and a record of ongoing monitoring including contract renewals and evidence expiry dates.

Ready to operationalize compliance?

Map your vendors to every framework, in one platform.

We walk through your specific regulatory perimeter: DORA, NIS2, ISO 27001, or all of them, and show you exactly where the gaps are and how to close them.
