Splnit.eu
NIS2 · 3 min read · May 3, 2026

Vendor risk checklist: what to ask critical suppliers

Supplier risk management is more than a contact spreadsheet. If a vendor touches data, identities, or operations, you need to know what they provide, how risky they are, and when their security posture was last checked.

Author: Marco Zoratto, founder of Splnit.eu

In this article

  • Which suppliers to review first
  • What evidence to request
  • How it connects to NIS2 and GDPR

Which suppliers to review first

Start with suppliers that access personal data, production systems, identities, logs, or services that matter to customers. For small teams, ten well-reviewed critical suppliers are more useful than fifty stale records.

  • cloud, hosting, identity provider, and monitoring
  • CRM, support, accounting, and marketing tools
  • external development, IT administration, and security services
  • suppliers you mention in tenders, DPAs, or customer questionnaires

For each supplier, record the internal owner, access type, data or service affected, and the impact of outage or incident.

What evidence to request

Not every supplier needs the same evidence pack. For lower-risk suppliers, a security page and a DPA may be enough. For higher-risk suppliers, ask for certifications, incident response details, subprocessors, data location, and a security contact.

Store not only the document but also the review date, outcome, exceptions, and next review date. Without that, vendor reviews go stale quickly.
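The register described in the two sections above can be kept as plain structured records and checked mechanically. The following is an added example written for this article, not Splnit.eu's own code or data model: it tiers each supplier by what it touches, derives the evidence pack the tier calls for, classifies the review as current, due soon, stale or never reviewed, and sorts the register by urgency. The tiering rule (any critical access type means high risk), the 30-day warning window, and the sample suppliers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Access types the article singles out as critical. A supplier touching any of them is
# treated as high risk; this cut-off is an assumption of the example, not the article's.
CRITICAL_ACCESS = {"personal data", "production systems", "identities", "logs",
                   "customer-facing service"}

# Evidence pack per tier, following the article's two levels.
EVIDENCE_BY_TIER = {
    "low": {"security page", "DPA"},
    "high": {"certifications", "incident response details", "subprocessors",
             "data location", "security contact", "DPA"},
}


@dataclass
class Supplier:
    name: str
    owner: str                                   # internal owner
    access: set                                  # data or service the supplier touches
    impact: str                                  # impact of outage or incident
    evidence: set = field(default_factory=set)   # documents actually on file
    review_date: Optional[date] = None
    outcome: str = ""
    exceptions: list = field(default_factory=list)
    next_review: Optional[date] = None


def risk_tier(s: Supplier) -> str:
    """High if the supplier touches any critical access type, otherwise low."""
    return "high" if s.access & CRITICAL_ACCESS else "low"


def missing_evidence(s: Supplier) -> set:
    """Evidence the tier requires that is not yet on file."""
    return EVIDENCE_BY_TIER[risk_tier(s)] - s.evidence


def review_status(s: Supplier, today: date, warn_days: int = 30) -> str:
    """Classify the review against today's date; warn_days before next_review counts as due soon."""
    if s.review_date is None or s.next_review is None:
        return "never reviewed"
    if today > s.next_review:
        return "stale"
    if today + timedelta(days=warn_days) >= s.next_review:
        return "due soon"
    return "current"


def triage(register, today: date):
    """Rows of (name, tier, status, missing evidence) ordered high tier first, then worst status."""
    status_rank = {"never reviewed": 0, "stale": 1, "due soon": 2, "current": 3}
    rows = [(s.name, risk_tier(s), review_status(s, today), sorted(missing_evidence(s)))
            for s in register]
    return sorted(rows, key=lambda r: (0 if r[1] == "high" else 1, status_rank[r[2]], r[0]))


# Constructed sample register (hypothetical suppliers, not real vendors).
SAMPLE_REGISTER = [
    Supplier("cloud host", "ops lead", {"production systems", "logs"}, "full outage",
             evidence={"certifications", "DPA", "security contact"},
             review_date=date(2025, 11, 1), outcome="approved", next_review=date(2026, 5, 1)),
    Supplier("newsletter tool", "marketing", {"marketing content"}, "delayed campaign",
             evidence={"security page"},
             review_date=date(2026, 3, 1), outcome="approved", next_review=date(2027, 3, 1)),
    Supplier("identity provider", "IT admin", {"identities"}, "nobody can log in"),
]
TODAY = date(2026, 5, 3)  # the article's publication date, used as the reference day

if __name__ == "__main__":
    for name, tier, status, missing in triage(SAMPLE_REGISTER, TODAY):
        print(f"{name:18} {tier:5} {status:15} missing: {', '.join(missing) or '-'}")
```

Running it lists the never-reviewed identity provider first, the cloud host with an overdue review second, and the low-risk newsletter tool last with only the DPA outstanding; the point is that owner, tier, evidence gaps and review dates live in one record, so the stale entries surface without anyone re-reading the documents.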

How it connects to NIS2 and GDPR

NIS2 pushes supply-chain risk management; GDPR pushes processor and transfer accountability. A practical register should show both: the operational risk of the supplier and the legal relationship around personal data.


Turn supplier reviews into recurring controls

Splnit.eu helps track suppliers, risks, contracts, and security evidence as a recurring process instead of a one-off questionnaire.

Splnit.eu — Czech sole-trader operator, Olomouc
© 2026 Splnit · All rights reserved