Home / The Long Read / Research
Long Read

Vendor due diligence: the 2026 checklist for regulated teams

A practical vendor due diligence checklist for 2026, tiered by risk and mapped to what DORA, NIS2, and GDPR now expect, including the fourth-party checks most teams skip.

Vendor due diligence: the 2026 checklist for regulated teams
TL;DR

A practical vendor due diligence checklist for 2026, tiered by risk and mapped to what DORA, NIS2, and GDPR now expect, including the fourth-party checks most teams skip.

Vendor due diligence is the process of verifying a supplier's security, financial, legal, data-protection, and subcontractor risk before you sign, and at a depth that matches how critical that supplier is to you. In 2026 it is no longer just good practice. Under DORA and NIS2, evidence of ongoing third-party diligence is something EU supervisors now ask to see. Do it well and you prevent a supplier's failure from becoming yours.

Why this matters more in 2026 than it did last year

In June 2026, attackers did not breach Apple. They breached one of Apple's suppliers, Tata Electronics, and walked away with detailed manufacturing data on an unreleased product. Apple's own defenses were never the point. The weak link was one tier down, inside a vendor's environment.

That pattern defined the year. Supply-chain compromises moved through software packages, cloud tools, and analytics vendors, and the damage landed on the organisations downstream. Your attack surface now includes every vendor's attack surface, and the moment you can still act is before you sign. For the wider framing, start with our guide to third-party risk management. This article is the practical layer underneath it: exactly what to check, in what order, and to what depth.

What vendor due diligence is, and one honest caveat

Vendor due diligence is the evidence-gathering and evaluation you do to decide whether a supplier is safe to onboard, and on what terms. It covers who the company is, whether it is financially stable, how it protects data and systems, whether it meets your regulatory obligations, and who it depends on in turn.

The honest caveat: a checklist is a starting point, not a finish line. Collecting a SOC 2 report proves a vendor has one. It does not prove the report is current, in scope for the service you are buying, or free of exceptions that matter to you. Every item below has to be reviewed, not just received.

Step one: tier before you assess

The most common mistake is running every vendor through the same heavy process. A cleaning-supplies vendor and a cloud provider that will hold your customer data do not warrant the same scrutiny, and treating them the same wastes effort on the low-risk vendor while under-serving the critical one.

Tier each vendor first, using three questions. What data will this vendor touch, and how sensitive is it? If the vendor went dark tomorrow, would a critical business function stop? And does the relationship fall under a regime such as DORA, NIS2, or GDPR? The answers set the depth of everything that follows.

Tier before you assess Due diligence depth should match how critical the vendor is. Tier first, then assess. New vendor intake Score three questions 1. Data access 2. Operational dependence 3. Regulatory scope Tier 3 baseline checks Tier 2 standard due diligence Tier 1 (critical) deep due diligence + continuous monitoring Decision onboard, condition, or reject Re-assess on a cadence set by tier. Critical vendors move to continuous monitoring rather than an annual refresh. Diagram for Supplier Shield.

The vendor due diligence checklist

Grouped by category. For each group we note what it protects against and, where relevant, which 2026 obligation expects it. Scale the depth to the tier you set above.

1. Corporate legitimacy and integrity

Confirm the vendor is a real, licensed entity: incorporation documents, beneficial ownership, and key personnel. Screen the company and its principals against sanctions, watch, and politically-exposed-person lists, and check for material litigation or regulatory actions. This protects against fraud, sanctions exposure, and reputational contagion.

2. Financial health

Review solvency signals, credit standing, and any dependence that would make the vendor fragile. A vendor that fails financially is an availability risk, not just a commercial one. This protects against sudden service loss and rushed migrations.

3. Security posture

Request current attestations such as SOC 2 Type II or an ISO 27001 certificate with its Statement of Applicability, then read them for scope and exceptions rather than filing them. Pair self-reported answers with an outside-in signal where you can, because self-attestation and observed reality often differ. Both DORA and NIS2 expect demonstrable, evidence-backed security oversight of suppliers.

4. Data protection and cross-border transfer

Establish what personal data the vendor processes, where it is stored, which sub-processors are involved, and how it moves across borders. For EU and Swiss data, confirm the lawful transfer mechanism and whether a transfer impact assessment is needed. This is core GDPR and, for Swiss data, FADP territory; Acuna's GDPR guide covers the obligation detail.

5. Operational resilience and continuity

Ask for business-continuity and disaster-recovery evidence, tested recovery objectives, and incident-response commitments including how quickly the vendor will notify you. This protects against a vendor outage cascading into your own downtime, and it is central to DORA.

6. Subcontractors (fourth parties)

Identify who the vendor relies on to deliver your service, especially for anything supporting a critical function. This is the check most programs still treat as optional. In 2026 it is where the damage came from. DORA's register of information expects you to trace subcontractor chains for critical functions; see what the DORA register requires.

Fourth-party due diligence: the check most teams skip

Here is the gap in almost every competing checklist. They stop at the vendor. Attackers do not.

When your vendor is compromised through their supplier, a tool in their pipeline, or an open-source component they depend on, the exposure still flows to you. The 2026 wave of software supply-chain attacks worked exactly this way: compromise a widely used package or a security tool, and reach every organisation downstream of it. If your due diligence stopped at your direct vendor, you never saw it coming.

For your Tier 1 vendors, take three concrete steps. Ask each critical vendor to name the subcontractors and major technology providers behind your service. Require notification when those dependencies change for anything supporting a critical function. And map concentration: if several of your vendors quietly rely on the same underlying provider, that provider is a single point of failure you did not choose.

The fourth-party exposure chain Due diligence that stops at your direct vendor misses the tier where 2026's breaches began. Attacker finds the weak link Fourth party shared tool or subcontractor Your vendor Your organisation Customers and data Diagram for Supplier Shield.

Where manual due diligence breaks down

Everything above assumes you can gather this evidence, read it properly, and keep it current across a growing vendor list. In practice, two things break.

The first is scale. Questionnaires, document chasing, and manual review do not keep pace as the vendor count climbs, and diligence quietly slips from thorough to token. The second is time. A due diligence pass is a photograph taken on one day. A vendor that was solid at onboarding can drift, suffer an incident, or change subcontractors the week after you approved them, and a point-in-time review will never show it.

This is where the manual approach gives way to tooling. Continuous, outside-in vendor monitoring in Acuna GRC turns due diligence from a once-a-year document exercise into a live signal: automated risk scoring, breach-exposure checks, and alerts when a vendor's posture changes between reviews.

Do it, automate it, or get help

Three honest paths, depending on where your team is. To build the capability in-house, structured training helps: Abilene Academy, Switzerland's only PECB Titanium partner, runs certified courses on ISO 27001, NIS2, and DORA. For high-criticality vendors or a first DORA programme, a specialist advisor such as Abilene Advisors can run the diligence with you. And to automate the ongoing work at scale, the Supplier Shield module in Acuna GRC handles assessment, scoring, and monitoring in one place.

Related reading

Start with the pillar this sits inside, what is third-party risk management. For the regulatory obligations behind the checklist, see Acuna's guides to DORA, NIS2, and GDPR.

FAQ

What is the difference between vendor due diligence and a vendor risk assessment?

Due diligence is the evidence-gathering and verification you do to decide whether to work with a vendor, usually before you sign. A risk assessment is the evaluation and scoring of the risk that relationship carries. Due diligence feeds the assessment.

How often should you re-run vendor due diligence?

By tier. Critical vendors warrant continuous monitoring plus a formal review at least annually; lower-tier vendors can be reviewed less often. The trigger is not only the calendar: a vendor incident, a change of subcontractor, or a shift in what data they hold should all prompt a fresh look.

What documents should you request from a vendor?

At minimum: proof of incorporation, a current security attestation such as SOC 2 Type II or ISO 27001 with its Statement of Applicability, a data-processing summary listing sub-processors and data locations, and business-continuity evidence. Scale the list up for critical vendors.

Is a SOC 2 report enough on its own?

No. A SOC 2 report proves a vendor was assessed, but you still need to check it is current, in scope for the service you are buying, and free of exceptions that matter to you. Read it, do not just collect it.

What is fourth-party due diligence?

It is extending your checks to your vendor's own suppliers and critical dependencies. Because a compromise one tier below your direct vendor still reaches you, fourth-party visibility is now a core part of diligence for critical relationships, not an optional extra.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

Read article
iRhythm breach: how patient data left through third-party-hosted business apps

iRhythm breach: how patient data left through third-party-hosted business apps

Cardiac-monitoring firm iRhythm says attackers took patient health data, proprietary data and personal information from third-party-hosted business applications, not from its clinical systems. For third-party risk teams the lesson is that regulated data often lives with a vendor, and that is where it leaves.

Read article
Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.

Read article
Vendor Due Diligence: The 2026 Checklist (DORA & NIS2 Ready) | Supplier Shield