Why DORA and NIS2 Make Vendor Risk a Daily Job in Europe

DORA and NIS2 push European enterprises toward continuous third-party risk management and AI-driven TPRM tools like Vanta. Here is what changes and the cost.

Third-party risk management, the work of vetting and watching the outside vendors a company depends on, has turned from an annual chore into a standing duty for European enterprises. Two EU rules drive the change: DORA, the Digital Operational Resilience Act, in force since 17 January 2025, and NIS2, the bloc’s updated network-security directive. Both write audit rights and breach-reporting clauses into law, so a business is now answerable for its suppliers’ security failures.

The cost of that shift is landing on security teams right now. Most already spend more hours proving they are secure than making themselves secure, and AI has sped up both the attacks they face and the software sold to fight those attacks. The open question for 2026 is whether vendor risk can be watched in real time without burying stretched staff in more paperwork.

Why the EU Rulebook Made Vendor Risk a Standing Duty

For years, checking a supplier meant emailing a questionnaire once, filing the answers, and forgetting about it until the next certification cycle. EU law has shut that gap. Regulators no longer accept a point-in-time tick; they want evidence that a company knows, and keeps knowing, how its vendors handle data and respond to incidents.

Feature          | DORA                                                               | NIS2
Main scope       | Banks, insurers, investment firms and their ICT providers          | Roughly 18 critical and important sectors, from energy to health
Status           | Directly applicable since 17 January 2025                          | National transposition due 17 October 2024
Core vendor rule | Keep a register of all ICT providers and assess concentration risk | Push named security standards down the supply chain by contract
Who enforces     | EU financial supervisors                                           | National authorities

What DORA Demands of Financial Firms

DORA covers banks, insurers and investment firms alongside the cloud and software suppliers they lean on. Each financial entity has to keep a live register of every information and communications technology provider, flag concentration risk where too much rides on a single cloud or vendor, and write audit and exit rights into its contracts. The ISACA professional body, in its guidance on navigating NIS2 and DORA requirements, notes that suppliers used by an ICT provider must themselves be disclosed up the chain to the financial firm.
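To make the register requirement concrete, here is an added example (not Vanta’s or any vendor’s code) of the three checks the paragraph describes run over a constructed register: share of critical functions riding on one provider, missing audit or exit rights, and subcontractors a provider names that have not been disclosed into the register. Provider names, functions and the 50% concentration threshold are all assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IctProvider:
    """One row of a DORA-style ICT provider register (hypothetical schema)."""
    name: str
    critical_functions: set            # business functions this provider underpins
    audit_right: bool                  # contract grants the firm audit access
    exit_right: bool                   # contract grants a workable exit/termination path
    subcontractors: list = field(default_factory=list)  # fourth parties the provider relies on


# Constructed sample register; none of these are real firms.
REGISTER = [
    IctProvider("CloudCo", {"payments", "core-banking", "reporting"}, True, True, ["DataCentreX"]),
    IctProvider("PayGateway", {"payments"}, True, False, []),
    IctProvider("DataCentreX", set(), True, True, []),
    IctProvider("ChatVendor", {"customer-support"}, False, False, ["ModelHostY"]),
]


def concentration_risk(register, threshold=0.5):
    """Providers carrying more than `threshold` of all critical functions, with their share."""
    all_funcs = set().union(*(p.critical_functions for p in register))
    if not all_funcs:
        return {}
    return {p.name: len(p.critical_functions) / len(all_funcs)
            for p in register
            if len(p.critical_functions) / len(all_funcs) > threshold}


def missing_contract_rights(register):
    """Providers whose contracts lack audit or exit rights, and which rights are missing."""
    return {p.name: [r for r, ok in (("audit", p.audit_right), ("exit", p.exit_right)) if not ok]
            for p in register if not (p.audit_right and p.exit_right)}


def undisclosed_subcontractors(register):
    """Subcontractors named by a provider that have no entry of their own in the register."""
    known = {p.name for p in register}
    return sorted({s for p in register for s in p.subcontractors if s not in known})


if __name__ == "__main__":
    print("concentration:", concentration_risk(REGISTER))
    print("missing rights:", missing_contract_rights(REGISTER))
    print("undisclosed fourth parties:", undisclosed_subcontractors(REGISTER))
```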

How NIS2 Pushes Risk Down the Chain

NIS2 widens the 2016 original to many more sectors and forces security obligations into supplier agreements. A small vendor serving an energy or hospital operator can be contractually bound to meet the same controls as its client, including incident notification and audit access. For essential entities, non-compliance can draw fines reaching 10 million euros or 2% of global turnover, whichever is higher. That penalty is what moved vendor security from the procurement team’s to-do list to the boardroom’s.

The Assurance Tax Security Teams Now Pay

Proving security is eating the time that used to go into doing it. Teams gather evidence, fill out questionnaires, and answer the same vendor reviews their own customers send them, week after week. Vanta, the trust-management company whose annual survey is one of the more cited reads in the field, calls this the assurance tax: the hours burned demonstrating safety rather than building it.

The pressure is rising on every axis at once, according to figures from Vanta’s State of Trust Report, which surveyed about 3,500 business and IT leaders globally:

  • 72% of security decision-makers say overall risk has never been higher, up from 55% the year before.
  • 61% say they spend more time posturing, the work of proving security, than actually protecting their systems.
  • 56% reported a vendor-related breach in the past 6 to 12 months, a reminder that the weak link is often someone else’s network.

For a security lead, every hour spent assembling proof for one customer is an hour not spent closing a real gap. Multiply that across dozens of vendors and dozens of frameworks, and the assurance tax becomes a budget line nobody planned for.

AI Rewrote the Threat and the Response

The thing changing fastest is also the hardest to govern. Attacks that once took weeks can now run in hours, and generative tools are mass-producing phishing, malware and fraud that look convincing. A wave of European startups has grown up to counter exactly this, including those built around phish-back tactics against AI-generated phishing campaigns. The defenders are not winning the speed race outright.

Inside security teams, the skills gap is open and admitted. 59% of organisations say AI-related security threats are outpacing their team’s expertise. The same survey notes that 95% of AI adopters believe the technology makes their teams more effective, so the picture is genuinely two-sided: real productivity gains sit next to a knowledge deficit that vendors are racing to fill, a tension that mirrors the wider AI adoption gap across European business.

AI also reshapes due diligence itself. Vendors are embedding models into their products at speed, often without clear governance, which means a supplier review is now partly a privacy review: how the vendor processes, stores and transfers data, and what its AI features do with it. In Europe, where trust and data protection are tied tightly together, that scrutiny is no longer optional.

From Annual Checkbox to Always-On Monitoring

The industry response is to drop the once-a-year review for continuous visibility, and the tooling now reflects that. Instead of a snapshot taken at onboarding, platforms scan vendor assets on a rolling basis and feed what they find into the wider governance, risk and compliance (GRC) programme. The pitch lands with leaders who are already under scale-or-fail pressure to expand AI use while keeping risk in check.

What an always-on TPRM (third-party risk management) setup typically automates:

  • Continuous monitoring that scans vendor assets and surfaces new threats as they appear, replacing the static yearly assessment.
  • Shadow IT and shadow AI discovery, which flags unapproved tools that staff have signed up for without telling security.
  • AI pre-fill of questionnaire answers, so a vendor’s existing documentation drafts most responses instead of a human typing them out.
  • Integration into compliance registers, keeping evidence current and mapped to frameworks such as ISO 27001, SOC 2 and NIS2.

The promise is a single source of truth: one place where automated tests, manual checks, policies and vendor assessments all live, ready to hand to an auditor or a prospective customer. That last point matters commercially, because a faster security answer can shorten a sales cycle.

The Numbers Vendors Attach to Automation

Automation claims in this market are bold, and worth reading with the source in mind. The figures come from the suppliers themselves, so treat them as marketing benchmarks rather than audited results.

What Vanta Claims It Saves

Vanta says its AI agent collects vendor evidence, checks security documentation against questionnaires, flags risks and writes prioritised summaries, cutting review cycles by up to 50% and reducing evidence-gathering time by 62%. The company is betting heavily on this product line; its $150 million Series D round in July 2025 valued the firm at $4.15 billion and earmarked capital for third-party risk and government compliance. Vanta now reports more than 12,000 customers across 58 countries.

What the Customers Report

Two named customers give the case studies a face. Planning-software firm Pigment uses the platform to keep a running view of every vendor’s security status and answer buyer security requests faster.

“Vanta alleviated a lot of tedious work … so I could focus on building our security programme and raising our posture.”

That is Quentin Berdugo, Chief Information Security Officer at Pigment. At Duolingo, Mandy Matthew, the company’s lead security risk programme manager, says the same consolidation helps her team “express our posture to external parties and communicate our programme internally.” Neither testimonial is independent verification of the percentage savings, but both point to the underlying shift teams are buying: less manual assembly, more standing oversight.

Does Continuous Monitoring Close the Risk Gap?

Not on its own. A platform that scans assets and pre-fills forms removes friction, yet it cannot decide a company’s risk appetite or fix a vendor’s weak control. The hardest part of third-party risk stays human: judging which suppliers matter most, what concentration is tolerable, and when to walk away from a partner that will not improve.

There is a confidence trap, too. Vanta’s survey found that a large majority of organisations assume their vendors would disclose a breach; that assumption is exactly the kind of unverified trust the new rules are meant to stamp out. AI governance widens the same gap, since models get embedded into vendor products faster than buyers can assess what those models touch. Continuous tooling makes the watching cheaper and constant; it does not make the watching optional, and regulators reading a DORA register will want to see judgement behind the dashboards. The reckoning EU lawmakers set in motion years ago has arrived, and the bill is paid in attention as much as in software licences.

Frequently Asked Questions

What is third-party risk management (TPRM)?

Third-party risk management is the process of identifying, assessing and continuously monitoring the security and privacy risks that outside vendors, SaaS tools and technology partners introduce to an organisation. It covers how those suppliers handle data, respond to incidents and meet contractual security standards, not just whether they have suffered a breach.

How do DORA and NIS2 change vendor risk requirements?

DORA, applicable since 17 January 2025, requires financial firms to keep a register of all ICT providers and assess concentration risk. NIS2 pushes named security standards into supplier contracts across roughly 18 sectors. Both move companies from one-off reviews to documented, ongoing oversight, with penalties for essential entities under NIS2 reaching 10 million euros or 2% of global turnover.

What is the assurance tax in security?

The assurance tax is the time security teams spend proving they are secure rather than improving security. In Vanta’s State of Trust Report, 61% of leaders said they spend more time posturing than protecting, as they gather evidence, complete questionnaires and answer repeated vendor reviews.

Does AI make vendor risk easier or harder to manage?

Both. AI speeds up attacks and floods inboxes with convincing phishing, and 59% of organisations say AI threats outpace their team’s expertise. At the same time, AI tools automate evidence gathering and questionnaire responses, which cuts manual workload. The catch is that vendors embed AI into products faster than buyers can govern it.

What does continuous TPRM replace?

It replaces the point-in-time vendor review, usually an annual questionnaire, with rolling scans of vendor assets, shadow IT and AI discovery, and live integration into compliance registers. The goal is current evidence mapped to frameworks like ISO 27001, SOC 2 and NIS2 at any moment, rather than a snapshot that ages the day after it is filed.

Is Vanta the only TPRM platform on the market?

No. TPRM is a competitive category that includes several GRC and security vendors. Vanta is one of the larger players, valued at $4.15 billion after its July 2025 Series D and serving more than 12,000 customers, but enterprises evaluating continuous vendor monitoring should compare multiple platforms against their own frameworks and risk appetite.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.
