EuroComply

For Procurement and Vendor Risk Teams

Your DORA Art. 28 third-party register, generated in 30 minutes.

Procurement teams at 100+ EU companies use EuroComply

EuroComply gives procurement and vendor risk teams a DORA Article 28-formatted third-party register — with sub-processor chains, sovereignty scores, DPA status, and renewal alerts — importable via CSV and exportable as PDF in under 30 minutes.

What EU compliance tools do procurement teams need?

  • DORA Article 28 / NIS2 Article 21(d) third-party register with CSV import and PDF export
  • Vendor sovereignty scores covering EU data residency, Cloud Act exposure, sub-processor chain, and DPA existence
  • Side-by-side vendor comparison on residency, certifications, sub-processors, risk rating, and renewal date
  • Per-vendor due-diligence PDF packets for audit trails, legal review, and internal procurement approvals
Source: DORA (EUR-Lex)

Get the weekly EU compliance briefing — 2 minutes, every Thursday.

Generate DORA register →

No card required. EU-hosted. Import up to 200 vendors from CSV on the free plan.

Frequently asked questions

What does DORA Article 28 require for third-party ICT registers?

DORA Article 28 requires financial entities to maintain a register of all contractual arrangements with ICT third-party service providers. The register must include: all ICT services and functions provided by each third party; the type of ICT services; the criticality of the services; the countries where the services are provided from; and relevant contractual information. Competent authorities (EBA, ESMA, EIOPA) can require financial entities to submit the register or a summary at any time. The register must be kept current and reflect supply chain changes.

What must a GDPR Data Processing Agreement (DPA) include?

GDPR Article 28(3) specifies that a DPA must commit the processor to: processing only on documented instructions; ensuring confidentiality obligations on all authorised staff; implementing appropriate technical and organisational security measures (Article 32); sub-contracting only with controller authorisation and on equivalent terms; assisting the controller with data subject rights requests, security incident notifications, DPIAs, and supervisory authority consultations; deleting or returning all personal data after the service ends; and providing all information necessary to demonstrate compliance and allow audits.

How do NIS2 supply chain security requirements affect vendor contracts?

NIS2 Article 21(d) requires essential and important entities to include supply chain security in their cybersecurity risk management. Procurement contracts with ICT service providers should include: minimum security requirements the provider must maintain; incident notification obligations (provider notifies covered entity promptly); audit rights or third-party audit reports such as ISO 27001 or SOC 2 Type II; sub-processor notification and approval rights; security standards for software development under Article 21(e); and the ability to terminate if the provider fails to meet security requirements.

What is CLOUD Act exposure and how does it affect vendor due diligence?

The US CLOUD Act (2018) gives US law enforcement authority to compel US-based cloud providers to disclose customer data regardless of where that data is stored. Vendors with CLOUD Act exposure are those incorporated in the US or controlled by a US parent company. For EU procurement teams, this affects GDPR Chapter V data transfer compliance, NIS2 supply chain sovereignty obligations, and client contractual requirements for EU data residency. The EuroComply sovereignty classification is: EU-Sovereign (EU-incorporated, no US control), Mixed (EU-US structure with some risk), US-Dominant (EU-incorporated but US-controlled or with major US sub-processors), and US-Only.

What procurement obligations apply under the EU AI Act?

When procuring AI systems classified as high-risk under EU AI Act Annex III, deployer organisations must: verify the system has a CE mark and is registered in the EU AI database; review the instructions for use, conformity assessment, and technical documentation; conduct a fundamental rights impact assessment if operating as a public authority (Article 27); designate a human oversight function; and ensure relevant staff have AI literacy. Procurement contracts for high-risk AI systems should include obligations on the provider to maintain CE marking, notify of significant modifications, and provide updated technical documentation.

How must procurement teams handle GDPR sub-processor chains?

GDPR Article 28(4) requires that when a processor engages a sub-processor, the same data protection obligations imposed on the processor by the controller must be imposed on the sub-processor by contract. Processors must notify controllers before adding or replacing sub-processors, and controllers have the right to object within the agreed notice period. Procurement teams should: maintain a sub-processor register for each significant vendor; ensure the DPA covers sub-processor notification obligations; review the vendor's sub-processor list at contract signing and at each renewal; and confirm that sub-processors in third countries are covered by adequacy decisions or Standard Contractual Clauses.

What is the difference between a DORA critical ICT provider and a standard provider?

DORA Article 31 designates certain ICT third-party providers as 'Critical ICT Third-Party Providers' (CTPPs) through an EU-level oversight regime led by EBA, ESMA, or EIOPA. Designation is based on systemic importance, substitutability, and interdependence. CTPPs are subject to direct oversight by a Lead Overseer. For procurement teams, knowing whether a vendor is a designated CTPP affects required contractual obligations and concentration risk assessment under DORA Article 29. Financial entities must report their use of CTPPs and cannot sub-delegate critical functions to non-designated CTPPs.

How should procurement handle vendor certifications under NIS2 and the CRA?

NIS2 Article 24 allows Member State authorities and the Commission to require use of specific ICT products, services, or processes certified under the EU Cybersecurity Act (CSA) certification schemes. The CRA (Cyber Resilience Act) introduces mandatory CE marking for products with digital elements covering security requirements for the entire product lifecycle. Procurement teams should: request ISO 27001 certificates, SOC 2 Type II reports, or CSA scheme certificates where available; include security certification maintenance obligations in contracts; and monitor for CRA compliance deadlines (product CE marking obligations phase in from 2027).

For informational purposes only. This is not legal advice — consult qualified legal counsel.