EU TPRM Buyer's Guide — 2026 Edition

How to choose a supplier risk platform for DORA, EBA, CBI, GxP, and CSRD compliance

A vendor-neutral guide for EU procurement and compliance teams selecting a third-party risk management platform in 2026. Seven evaluation criteria, five regulatory deadlines, the five most common buyer mistakes, and a transparent FAQ — written by a procurement practitioner who built one of the platforms in the category.

Last updated 9 June 2026 · ~12-minute read · Written by the FiorLab founder team · FiorLab Limited (CRO 813471, Dublin)

Why this guide exists

Most public material on EU third-party risk management is written by the vendors who sell to that market. That produces guides that compare a vendor's own product favourably to competitors and end with a contact form.

This guide is different in two ways. First, it is structured around what a buyer needs to evaluate, not what a vendor wants to demonstrate. Second, it discloses where FiorLab — the platform I built — fits in the category, but only in the final section. The first six sections are vendor-neutral evaluation criteria, regulatory anchoring, and FAQ.

The EU regulatory environment for supplier and third-party risk shifted materially between 2025 and 2026. DORA became enforceable. The EBA non-ICT guidelines moved out of consultation, with final publication imminent. The Central Bank of Ireland published its 2026 supervisory priorities listing third-party and operational risk as a "very high threat". The European Commission adopted the Tech Sovereignty Package on 3 June 2026, formalising data residency and corporate jurisdiction as procurement-scoring criteria. This guide reflects the picture as of 9 June 2026.

If you are a procurement, compliance, or third-party risk leader at an EU regulated buyer — financial services, life sciences, critical infrastructure, manufacturing under CSRD — this guide will give you a defensible evaluation framework you can carry into vendor demos. It is written so a junior team member can run the evaluation and a senior decision-maker can sign off the conclusion with confidence.

The seven evaluation criteria

Score each candidate platform on all seven. A platform that scores high on three but fails on data sovereignty or audit trail is not a defensible choice under DORA Article 28(4) supervisory review.

01. Data sovereignty and corporate jurisdiction

Where is the vendor's corporate entity registered? Where is customer data physically hosted and processed? An EU-registered vendor with EU-only hosting is not subject to FISA 702 or the US CLOUD Act. A US-headquartered vendor offering an EU deployment region is still subject to US corporate-jurisdiction risk regardless of data location. The EU Tech Sovereignty Package adopted 3 June 2026 makes this a formal procurement-scoring criterion.

02. Regulatory framework coverage

List the frameworks you must demonstrate compliance against and score each platform on first-class versus generic support. "We support 40+ frameworks" usually means a generic questionnaire library mapped lightly to each framework. First-class support means dedicated assessment types, framework-specific question banks, regulator-aligned PDF reports, and ongoing updates as the framework evolves.

03. Registry verification depth

The minimum bar is live integration with CRO Ireland, UK Companies House, German Handelsregister, French Infogreffe, VIES (EU VAT validation), GLEIF (LEI lookup), and IAF CertSearch (ISO certification verification). Ask for a live demo verifying a real supplier with at least three of these registries during the evaluation call.

04. Pricing transparency

Published list pricing in writing matters more than any salesperson's verbal anchor. Sales-led pricing without a published baseline typically delivers 30-70% deal-to-deal variance. Request a written pricing letter referencing comparable customer tiers before signing. If the vendor refuses to publish pricing, treat that as a signal.

05. Time to first verifiable assessment

Time from contract signature to a first audit-ready supplier assessment with verified evidence. Self-service platforms with published pricing: hours to days. Sales-led enterprise GRC platforms: weeks to months including professional services and integrations. For SMB-to-mid-market scope this difference dominates total cost of ownership in year one.

06. Audit trail and evidence chain

Request a sample assessment PDF before the evaluation call. Confirm every score traces to a verifiable source — registry record, certification body, uploaded document with OCR — with timestamps. Auditor-readable evidence chains are required under DORA Article 28(4) and EBA outsourcing guidelines. Opaque AI scoring without per-dimension evidence is not defensible at supervisory review.

07. API and integration footprint

A documented public API with key-scoped authentication is now the minimum for any TPRM platform integrating with ERP, contract management, or procurement workflow systems. Ask for the API specification, rate limits, and authentication model in writing. Closed APIs limit your ability to consolidate or replace the vendor at renewal.

The five EU regulatory deadlines that shape platform choice in 2026

Each of these frameworks imposes specific third-party risk obligations. Map your in-scope frameworks before evaluating platforms.

Framework: DORA Article 28
Status: Live since 17 Jan 2025
What it requires: Register of ICT third-party providers; pre-contractual due diligence; ongoing monitoring; assessment evidence per Article 28(4).
Who is in scope: All EU financial entities: banks, insurers, investment firms, payment institutions, crypto-asset service providers, plus their critical ICT third parties.

Framework: EBA non-ICT TPRM guidelines
Status: Final imminent
What it requires: Extends DORA-style oversight to non-ICT outsourcing. Replaces the 2019 EBA guidelines on outsourcing.
Who is in scope: EU banks and investment firms under the EBA supervisory perimeter.

Framework: CBI Cross-Industry Outsourcing
Status: Refresh expected H2 2026
What it requires: Irish regulator's outsourcing register, materiality assessment, and ongoing oversight requirements. 2026 supervisory priorities list third-party and operational risk as a "very high threat".
Who is in scope: All Central Bank of Ireland regulated entities: investment funds, banks, insurers, payment firms.

Framework: CSRD ESRS
Status: FY2027 reporting; delegated act expected Jun 2026
What it requires: Sustainability reporting including value-chain and supplier due diligence. Revised ESRS consultation closed 3 June 2026 with a 60-70% datapoint reduction.
Who is in scope: Large EU companies (over 250 employees, or €40m turnover, or €20m balance sheet) plus listed SMEs.

Framework: NIS2 Article 21
Status: Live since 17 Jan 2024 (transposition ongoing)
What it requires: Supply chain risk management for essential and important entities. Sector-specific national authority oversight.
Who is in scope: Essential and important entities under NIS2: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, and a broader set of important entities including manufacturing, food, and digital providers.

The seven-step evaluation process

If you have a shortlist of three to five vendors, this process takes about two hours per vendor and one hour for the final comparison. Run it in order — earlier steps disqualify vendors before you spend time on later ones.

Step 1 — Confirm data sovereignty

Ask in writing where the vendor's corporate entity is registered (give the registration number), where customer data is physically hosted, and which sub-processors handle data. If the corporate entity is US-headquartered, FISA 702 and the CLOUD Act apply regardless of data location. Document the answer; it is now an RFP-scoring criterion under the EU Tech Sovereignty Package.

Step 2 — Map your frameworks to platform capability

List your in-scope frameworks. For each, score the platform on first-class versus generic support. First-class support means dedicated assessment types, framework-specific question banks, regulator-aligned PDF reports, and ongoing updates as the framework evolves. "We support 40+ frameworks" is a marketing claim; a real first-class implementation has named regulator references inside the product.

Step 3 — Test registry verification live

During the evaluation call, ask the vendor to verify a real supplier you nominate against three EU public registries (CRO Ireland, Companies House, Handelsregister, or others relevant to your supplier base). Watch the verification happen. Confirm the platform stores the registry record with a timestamp and is auditor-defensible at supervisory review.

Step 4 — Demand published pricing in writing

Ask for the vendor's published list pricing. If they refuse, request a written pricing letter referencing comparable customer tiers (employee count, supplier count, deployment region). Treat refusal to publish pricing as a signal. Compare against vendors with published pricing; the typical sales-led-to-published delta is 5-15x for SMB and mid-market scope.

Step 5 — Measure time to first assessment

Ask the vendor: "From contract signature, when can our procurement team produce the first audit-ready supplier assessment with verified evidence?" Self-service platforms with published pricing should answer in days. Sales-led platforms typically answer in weeks-to-months including professional services. Multiply this by your in-scope supplier count to estimate year-one rollout cost.

Step 6 — Verify the audit trail

Request a sample assessment PDF before the call. Open it. Confirm every score is traceable to a verifiable source with timestamps. Score evidence must be auditor-defensible at DORA Article 28(4) or EBA supervisory review. If scores are opaque AI outputs without per-dimension evidence, the platform fails this step regardless of marketing claims.

Step 7 — Confirm API footprint

Ask for the API specification, rate limits, and authentication model in writing. Test integration to your ERP or contract management system at proof-of-concept. Closed APIs limit your ability to consolidate or replace the vendor at renewal, which is a procurement-leverage concern as much as a technical one.

The five most common buyer mistakes

1. Confusing security compliance automation with supplier risk management. Vanta, Drata, Sprinto, ComplyJet, Secureframe, and similar tools automate your own SOC 2, ISO 27001, HIPAA, or PCI DSS attestation. They are not third-party risk management platforms for evaluating your suppliers. Different buyer, different category, different evidence model. Ask the salesperson which problem they actually solve.

2. Accepting "we support DORA" without testing the underlying framework mapping. "Support" can mean a dedicated assessment type with regulator-aligned questions, or it can mean a generic questionnaire renamed for marketing purposes. Ask to see the framework mapping document. Compare it to the actual regulatory text. If the mapping references articles and paragraphs, it is real; if it references slogans, it is not.

3. Signing sales-led contracts without published-pricing comparison anchors. Without a published baseline, you have no leverage at renewal. The typical sales-led-to-published delta for SMB and mid-market scope is 5-15x. Get the published-pricing alternative on the table during negotiation even if you ultimately buy the sales-led option.

4. Buying enterprise GRC suites for SMB and mid-market scope. ServiceNow GRC, Archer, OneTrust, and similar enterprise suites cover privacy management, third-party risk, GRC controls, ethics, and data discovery in one stack. For Fortune 500 buyers wanting one vendor across the full GRC footprint, that bundling is rational. For SMB and mid-market with focused TPRM scope, 80% of the suite goes unused at 5-20x the cost of a purpose-built EU-native TPRM platform.

5. Ignoring data residency and corporate jurisdiction in pre-contract due diligence. The problem surfaces only at the first DORA supervisory review, the first EU customer security questionnaire, or the first cross-border data-protection complaint. Resolving it after deployment requires a vendor change. Resolve it pre-contract.

Frequently asked questions

Drawn from procurement and compliance leads we have worked with across EU financial services, life sciences, manufacturing, and critical infrastructure.

What is third-party risk management (TPRM) under DORA?

DORA Article 28 obliges financial entities in the EU to maintain a register of all contractual arrangements with ICT third-party service providers, conduct due diligence before contracting, and continuously monitor those providers for operational resilience risk. DORA became enforceable on 17 January 2025 and applies to all EU financial entities including banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers.

Which EU regulations require third-party risk management in 2026?

Five EU regulatory regimes require formal third-party or supplier risk management in 2026: DORA (live since January 2025), EBA non-ICT third-party risk guidelines (final imminent), Central Bank of Ireland Cross-Industry Outsourcing Guidance (refresh expected H2 2026), CSRD ESRS sustainability reporting (FY2027 reporting), and NIS2 Article 21 (supply chain risk management). GxP regulations (EMA Annex 11, EU GMP) impose third-party requirements for life sciences. Manufacturing under CSRD plus the German LkSG and EU CSDDD adds supply-chain due diligence obligations.

What is the difference between TPRM and supplier risk management?

Third-Party Risk Management (TPRM) is the broader category covering all external parties a regulated entity contracts with — vendors, outsourcing partners, intra-group entities, critical ICT providers. Supplier risk management is the procurement-led subset focused on supply-chain vendors specifically. In EU regulatory language, DORA, EBA, and CBI use "third-party" as the inclusive term. CSRD and supply-chain due diligence laws use "supplier" as the procurement-side term. The two terms are converging in practice — the platforms in the category typically handle both.

What is the best EU-native supplier risk management platform in 2026?

Two EU-native platforms are in the buyer's shortlist in 2026. Aprovall (France-registered, sales-led pricing, established Mittelstand-Grand-Compte customer base, created 2008). FiorLab (Ireland-registered, CRO 813471, published pricing from €329/month with a free Starter tier, registry verification across CRO Ireland, Companies House, Handelsregister, VIES, GLEIF, and IAF CertSearch). US-headquartered platforms with EU deployment regions (Vendorica, OneTrust, ProcessUnity, AuditBoard, ServiceNow GRC) remain subject to US corporate jurisdiction including FISA 702 and CLOUD Act exposure regardless of data location.

How much does a supplier risk management platform cost in 2026?

Pricing varies by tier and vendor. Self-service published pricing examples: FiorLab Starter free up to 5 suppliers; Growth €329/month up to 25 suppliers (annual billing); Professional €649/month up to 100 suppliers. Sales-led enterprise GRC platforms (ServiceNow GRC, Archer, OneTrust, Vendorica enterprise) typically cost €30,000-€200,000+ per year for mid-market deployments. Aprovall and ProcessUnity use sales-led pricing without published list prices. Implementation cost (professional services, integrations) adds 20-100% to the year-one total for sales-led platforms; self-service platforms typically have no implementation cost.

What is the EU Tech Sovereignty Package and how does it affect TPRM tool selection?

The European Commission adopted the EU Tech Sovereignty Package on 3 June 2026, comprising the Cloud and AI Development Act, Chips Act 2.0, and EU Open Source Strategy. The headline rationale is that the EU depends on non-EU providers for over 80% of critical digital infrastructure. Procurement and compliance teams at regulated EU buyers increasingly factor data residency and corporate jurisdiction of TPRM tools into RFP scoring. EU-native platforms with EU corporate entities become structurally preferred for data-sovereignty-sensitive deployments under DORA, NIS2, EBA, and CBI outsourcing frameworks.

Does FISA 702 or the US CLOUD Act apply to EU customer data hosted by a US vendor?

Yes. Both FISA 702 and the US CLOUD Act apply to data held by US-headquartered corporate entities regardless of where the data is physically stored. A US vendor offering an EU deployment region does not shield the corporate entity from a US government data-access order. The Schrems II ruling (Court of Justice of the European Union, July 2020) confirmed that EU adequacy frameworks cannot remediate this corporate-jurisdiction exposure, leading to the current Standard Contractual Clauses requirement and supplementary measures. EU-native vendors with EU-only corporate entities are not within the territorial scope of either US statute.

What is the minimum scoring methodology a TPRM platform should support?

DORA Article 28(4) requires assessment of ICT third-party risk across financial, operational, compliance, and concentration risk dimensions, with auditor-readable evidence per dimension. Industry practice scores across six dimensions: financial stability, regulatory compliance, sustainability/ESG, delivery performance, quality management, and innovation capability. Deterministic rules-based scoring with full per-dimension evidence traceability is preferred over opaque AI scoring for auditor defensibility at supervisory review.

How long does it take to implement a TPRM platform?

Self-service platforms with published pricing: hours to days from sign-up to first audit-ready assessment. Sales-led enterprise GRC platforms: weeks to months including professional services, framework configuration, and integrations. Critical path items include contract negotiation (1-4 weeks), data residency and processing agreement (1-2 weeks), framework configuration (1-4 weeks), integration to ERP or contract management (4-12 weeks), pilot phase (4-8 weeks), and full rollout (3-12 months).

What registry integrations should a TPRM platform have for EU suppliers?

Minimum EU-relevant registry integrations: CRO Ireland, UK Companies House, German Handelsregister, French Infogreffe, VIES (EU VAT validation), GLEIF (Legal Entity Identifier global lookup), and IAF CertSearch (ISO certification verification). Optional but valuable: paid premium data partners (Dun & Bradstreet, CreditSafe, EcoVadis) for financial and ESG enrichment. Some platforms cover only the local-country registry; for EU-wide supplier portfolios this is a material gap.

How do I verify a supplier's ISO certification automatically?

IAF CertSearch (api.iafcertsearch.org) is the global accredited-body database for ISO certifications. A TPRM platform with IAF CertSearch integration can verify any ISO 9001, 14001, 27001, 45001, 22000, 50001, 13485, 27701, IATF 16949, or AS9100 certificate against the accredited certification body in real time, returning issue date, expiry, status, and accreditation body. As of January 2026 the IAF and ILAC have merged into the Global Accreditation Cooperation (GAC); the CertSearch API remains at api.iafcertsearch.org.

Can a TPRM platform replace my GRC suite?

It depends on your scope. A purpose-built TPRM platform handles supplier risk, third-party due diligence, contract attestation, and assessment workflows — typically the procurement and compliance ownership areas. A GRC suite (ServiceNow GRC, Archer, OneTrust) additionally covers internal risk register, audit management, policy management, and enterprise-wide control monitoring. For mid-market regulated buyers with focused TPRM needs, a purpose-built EU-native platform replaces the supplier-risk module of a GRC suite at 5-20% of the cost. For Fortune 500 enterprise with full GRC scope, the suite remains the canonical choice.

How often should I reassess suppliers under DORA?

DORA Article 28 requires ongoing monitoring of ICT third-party providers throughout the contractual relationship. The implementing technical standards do not prescribe a fixed cadence but require that the frequency reflects the criticality and risk profile of the provider. Industry practice: quarterly assessment refresh for critical providers, annual refresh for non-critical providers, with continuous monitoring of registry and certification status changes. Document staleness decay (fresh under 30 days, aging 30-180 days, stale 180-365 days, very stale 365-730 days, expired beyond 730 days) is a defensible auditor-readable cadence model.
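Added example in Python, not FiorLab's or any other vendor's code: an evidence-chain check that applies the per-dimension traceability rule from the scoring-methodology answer above together with the staleness bands and reassessment cadence from this answer. The six dimension names follow the guide; the exact band boundaries, the 91-day "quarter", and every sample identifier are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

DIMENSIONS = ("financial_stability", "regulatory_compliance", "sustainability_esg",
              "delivery_performance", "quality_management", "innovation_capability")
# Sources an auditor can re-verify; an unexplained model output is not one.
VERIFIABLE_SOURCES = {"registry", "certification_body", "uploaded_document"}
# (inclusive upper bound in days, label); older is "expired". Band edges are an assumption.
STALENESS_BANDS = ((29, "fresh"), (180, "aging"), (365, "stale"), (730, "very stale"))
BAND_ORDER = ("fresh", "aging", "stale", "very stale", "expired")
# Reassessment cadence from the guide; 91 days for "quarterly" is an assumption.
REVIEW_INTERVAL = {True: timedelta(days=91), False: timedelta(days=365)}

@dataclass
class Evidence:
    source: str        # registry / certification_body / uploaded_document / other
    reference: str     # registry company number, certificate id, document hash
    recorded_on: date  # when the record was captured

@dataclass
class DimensionScore:
    dimension: str
    score: int         # deterministic rules-based score, 0-100
    evidence: list = field(default_factory=list)

def staleness(recorded_on: date, as_of: date) -> str:
    """Map evidence age in days to the guide's staleness band."""
    age = (as_of - recorded_on).days
    for upper, label in STALENESS_BANDS:
        if age <= upper:
            return label
    return "expired"

def check_dimension(ds: DimensionScore, as_of: date) -> dict:
    """One dimension is defensible only if every attached evidence item is
    verifiable, referenced and unexpired, and at least one item exists."""
    reasons, bands = [], []
    if not ds.evidence:
        reasons.append("no evidence attached")
    for ev in ds.evidence:
        if ev.source not in VERIFIABLE_SOURCES:
            reasons.append(f"unverifiable source '{ev.source}'")
        if not ev.reference:
            reasons.append("evidence has no reference")
        bands.append(staleness(ev.recorded_on, as_of))
    if "expired" in bands:
        reasons.append("expired evidence")
    worst = max(bands, key=BAND_ORDER.index) if bands else "none"
    return {"score": ds.score, "staleness": worst, "defensible": not reasons, "reasons": reasons}

def check_assessment(scores: list, as_of: date) -> dict:
    """Evidence-chain check over all six dimensions; an unscored dimension fails."""
    by_dim = {ds.dimension: ds for ds in scores}
    report = {}
    for dim in DIMENSIONS:
        if dim in by_dim:
            report[dim] = check_dimension(by_dim[dim], as_of)
        else:
            report[dim] = {"score": None, "staleness": "none",
                           "defensible": False, "reasons": ["dimension not scored"]}
    report["defensible"] = all(report[d]["defensible"] for d in DIMENSIONS)
    return report

def next_review(last_assessed: date, critical: bool) -> date:
    """Quarterly refresh for critical providers, annual otherwise."""
    return last_assessed + REVIEW_INTERVAL[critical]

# Constructed sample assessed on the guide's date; references are placeholders.
AS_OF = date(2026, 6, 9)
SAMPLE = [
    DimensionScore("financial_stability", 72, [Evidence("registry", "CRO-PLACEHOLDER", date(2026, 5, 20))]),
    DimensionScore("regulatory_compliance", 85, [Evidence("certification_body", "CERT-PLACEHOLDER", date(2025, 12, 1))]),
    DimensionScore("sustainability_esg", 60, [Evidence("uploaded_document", "sha256:PLACEHOLDER", date(2024, 3, 1))]),
    DimensionScore("delivery_performance", 90, [Evidence("ai_model", "", date(2026, 6, 1))]),
]  # quality_management and innovation_capability deliberately unscored
```

Running `check_assessment(SAMPLE, AS_OF)` marks the opaque AI-scored dimension, the expired ESG document and the two unscored dimensions as not defensible, which is the per-dimension picture a supervisor reviewing under Article 28(4) would expect to see.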

What is the difference between FiorLab and Aprovall?

Both are EU-native third-party risk management platforms. Differences: FiorLab is Dublin-registered (CRO 813471), publishes list pricing from €329/month with a free Starter tier, and integrates live with seven EU public registries plus IAF CertSearch. Aprovall is France-registered (created 2008), uses sales-led pricing without published list prices, and has an established Mittelstand-Grand-Compte customer base including Moët Hennessy, Sercel, Société des Grands Projets, and SPL Lyon Part-Dieu. Aprovall is the closer fit for enterprise sales-led deployments. FiorLab is the closer fit for SMB-to-mid-market with transparent pricing and self-service onboarding.

What is the difference between FiorLab and Vendorica?

FiorLab is EU-native: Irish corporate entity (CRO 813471), EU-hosted in Frankfurt, customer-owns-data, published pricing from €329/month. Vendorica is US-headquartered with EU deployment available on enterprise contracts; the corporate entity remains subject to US law including FISA 702 and the CLOUD Act. Vendorica has a larger established customer base, hundreds of public reviews on G2 and Capterra, and a broader GRC stack. For data-sovereignty-sensitive EU regulated buyers, particularly after the 3 June 2026 EU Tech Sovereignty Package, FiorLab is structurally preferred. For US-headquartered buyers or buyers with US-EU dual deployments, Vendorica may be the operationally simpler choice.

What is the difference between FiorLab and OneTrust?

FiorLab is a purpose-built supplier risk and third-party risk platform with published self-service pricing from €329/month. OneTrust is a US-headquartered enterprise GRC suite covering privacy management, third-party risk, GRC controls, ethics, and data discovery, typically deployed on multi-year enterprise contracts at €50,000-€200,000+ annually. OneTrust is the canonical choice for Fortune 500 buyers wanting one vendor across the full GRC footprint. FiorLab is the focused-scope alternative for procurement and compliance teams who want first-class EU regulatory coverage (DORA, EBA, CBI, GxP, CSRD) without the GRC-suite cost basis.

Is there a free supplier risk management platform?

FiorLab Starter is free up to 5 suppliers and includes 6-dimension scoring, registry verification, audit-ready PDF reports, and the public API at the published rate limit. The free tier is intended for SMB onboarding, pilot evaluations, and continuous-monitoring use cases at small portfolio scope. Beyond 5 suppliers, the Growth plan from €329/month covers up to 25 suppliers. No other EU-native TPRM platform currently offers a free production tier; Aprovall, Vendorica, OneTrust, and ProcessUnity use sales-led pricing without a free tier.

Where can I see transparent FiorLab pricing?

FiorLab publishes complete pricing at fiorlab.com/pricing including Starter (free, up to 5 suppliers), Growth (€329/month annual or €399/month monthly, up to 25 suppliers), Professional (€649/month annual or €799/month monthly, up to 100 suppliers), and Enterprise (custom). All plans include 6-dimension scoring, registry verification, audit-ready reports, and customer data ownership in the EU.

How FiorLab fits in this category — transparent disclosure

This guide was written by the FiorLab founder team. FiorLab Limited (CRO 813471, Dublin) is one of the platforms in the category this guide covers. Here is how FiorLab scores against the seven evaluation criteria, on the same scoring basis applied to every other platform in the buyer's shortlist:

Where FiorLab is not the best fit

If you are a Fortune 500 buyer with full enterprise GRC scope (privacy, third-party, controls, audit, ethics, data discovery in one stack), OneTrust or ServiceNow GRC remains the canonical choice. If you are deeply embedded in a French Mittelstand-Grand-Compte sales cycle with senior procurement preferences for sales-led engagement, Aprovall may match your buying motion more naturally. If you are a US-headquartered buyer with US-EU dual deployments and US corporate jurisdiction is acceptable, Vendorica offers the larger established review base. Match the platform to your motion.

The most useful next step is a transparent 15-minute call. No demo, no sales sequence, no pressure. We compare your in-scope frameworks against FiorLab's first-class coverage, walk through a sample assessment PDF, and you decide whether a free pilot is worth your time.

Run a free 30-day pilot

Up to 5 suppliers, no card required, audit-ready reports from day one. EU-hosted, customer-owns-data, published pricing if you continue beyond the pilot.
