GDPR, NIS 2, and DORA converge on one problem: Third-party risk



Regulators no longer ask whether you manage vendor risk—they assume you do. And if you don’t, you pay for it.

Three independent EU regulations—the GDPR, NIS 2 directive, and Digital Operations Resilience Act (DORA)—stress that it’s your responsibility to manage third-party risk. These regulations offer security frameworks that support different industries and risk profiles, but they all lead with strict fines and pressure to enforce third-party risk management.

Under the GDPR, gaps in core security and operational controls drove 25% of the fines in 2025, up 40% year over year. DORA emphasizes third-party oversight, too, with 34% of financial firms calling its requirements the hardest to meet. NIS 2 has also explicitly expanded its requirements to introduce mandatory cybersecurity obligations across the supply chain.

When three separate regulations align on a shared expectation, it signals a structural business risk and makes vendor management an “always on” activity. This is reflected in Vanta’s 2025 State of Trust Report, with more than two-thirds of organizations spending significant time on security reviews and worrying about vendor breaches.

Third-party risk is more regulated now

About five years ago, third-party risk management (TPRM) was mostly treated as a best practice, but repeated large-scale vendor security incidents have since turned it into an enforced obligation.

In 2023, MOVEit experienced an exploited, undetected zero-day vulnerability, resulting in breaches affecting more than 2,700 organizations. Because the software was used in workflows involving sensitive data, the impact didn’t stop with the vendor: It created downstream liability for many organizations, triggering regulatory scrutiny and over $10 billion in remediation costs across sectors.

MOVEit is only one of several vendor-related breaches in recent years. Regulators have responded by formalizing TPRM requirements across the EU regulatory frameworks, where accountability for vendor risk is now enforced:

  • GDPR: Under Article 28, controllers are responsible for ensuring their processors implement appropriate security measures, and remain liable if they don’t.
  • NIS 2: Article 21 requires organizations to assess and manage cybersecurity risks across their vendor ecosystem.
  • DORA: ICT third-party risk management is a standalone pillar with thorough oversight requirements.

Vendor risk management is a visibility problem

For many teams, vendor risk is still mostly invisible. This is concerning because you cannot manage what you can’t see.

Vanta’s State of Trust Report (2025) found that organizations spend nine working weeks a year on vendor risk assessments and security reviews. Yet 56% still experienced a vendor breach in the past year. In the EU, a PwC Luxembourg survey found that 58% of firms believe their third-party providers still have major compliance gaps. In both cases, the effort invested is not matching the outcomes.

Plainly, most organizations don't have enough continuous visibility into third-party threats, which shows up in several ways:

  • No centralized inventory of third parties and their access.
  • Compliance is assessed at onboarding, then rarely revisited.
  • Reliance on static questionnaires and self-reported attestations.
  • No real-time overview of vendor security posture.

Outdated, manual-heavy vendor risk management practices leave organizations exposed. Third-party risk changes continuously, but many teams still rely on point-in-time, fragmented reviews, which limit their ability to make time-sensitive risk decisions. EU regulators have updated requirements around ongoing monitoring, incident reporting, and more to address these gaps in existing TPRM models.

TPRM obligations: How GDPR, NIS 2, and DORA overlap

While the three regulations differ in scope and terminology, their third-party risk obligations align:

  • GDPR. Data processing agreements, processor due diligence, and breach notification obligations (the 72-hour window applies to the controller even if the processor is breached)
  • NIS 2. Supply chain risk assessments, security criteria in vendor contracts, and incident reporting across downstream dependencies
  • DORA. ICT third-party risk registers, ongoing monitoring for critical service providers, vendor offboarding procedures, and concentration risk management (e.g., avoiding over-reliance on key vendors)

All three require continuous vendor assessments, security obligations built into contracts, and incident reporting across the entire vendor ecosystem.

Third-party risk management work shouldn’t be siloed across frameworks. Managing controls for each in isolation can effectively triple the effort for the same results. Streamlining the efforts also reduces the oversight risk that can trigger compounding violations. The leading compliance solutions for European organizations address this by mapping controls across frameworks, eliminating redundant work while maintaining full regulatory coverage.

How much a GDPR, NIS 2, or DORA violation can cost

Third-party breaches under EU regulations can result in significant penalties:

  • GDPR. Up to €20M or 4% of global turnover for the previous fiscal year. Since 2018, cumulative fines have exceeded €7.1B.
  • NIS 2. Up to €10M or 2% of global turnover for essential entities, with potential personal liability for senior management.
  • DORA. Up to 2% of global annual turnover for organizations, or up to €1M for individuals. Critical ICT providers may face fines of up to €5M, plus an additional daily penalty of 1% of average daily turnover.

The actual impact on your organization balloons when a single violation results in compounded liability with serious financial and operational consequences. That financial liability can scale rapidly if you face DORA penalties, as the regulation’s daily accrued penalties of up to 5 million euros create a “burn rate” that few balance sheets can sustain. Beyond the fines, organizations face a contractual indemnity gap. Vendors typically cap their liability at a fixed amount, which rarely reflects the true cost of a failure, leaving your organization to absorb most of the regulatory and financial impact.

Furthermore, the reputational damage is permanent. Customers don’t always know the difference between your breach and a vendor’s. Meanwhile, B2B buyers now view a lack of vendor visibility as a disqualifying security failure.

When regulators—and customers—hold you accountable for your vendors’ security, trust has to be verified continuously, not annually.

Three regulators, one common direction for third-party risks

GDPR, NIS 2, and DORA all reinforce the same expectation: 24/7 vendor risk accountability. Traditional TPRM approaches can’t offer this level of assurance. Static evidence and point-in-time reviews from a month ago have no value if you have to answer for real-time risks in your supply chain.

That brings us to the most obvious question: If regulators by default think your vendors are a problem, do you have the visibility to prove otherwise?

Organizations navigating Europe’s regulatory landscape must be able to adapt to this shift quickly and treat vendor risk as a continuous discipline instead of a procurement checkbox.

This story was produced by Vanta and reviewed and distributed by Stacker.

Originally published on vanta.com, part of the BLOX Digital Content Exchange.
