GDPR, NIS 2, and DORA converge on one problem: third-party risk
Regulators no longer ask whether you manage vendor risk—they assume you do. And if you don’t, you pay for it.
Three independent EU regulations—the GDPR, the NIS 2 Directive, and the Digital Operational Resilience Act (DORA)—stress that it’s your responsibility to manage third-party risk. These regulations offer security frameworks that support different industries and risk profiles, but they all lead with strict fines and pressure to enforce third-party risk management.
Under the GDPR, gaps in core security and operational controls drove 25% of the fines in 2025, up 40% year over year. DORA emphasizes third-party oversight, too, with 34% of financial firms calling its requirements the hardest to meet. NIS 2 has also explicitly expanded its requirements to introduce mandatory cybersecurity obligations across the supply chain.
When three separate regulations align on a shared expectation, it signals a structural business risk and makes vendor management an “always on” activity. This is…