Third-party risk management
VendorGuard tracks every third-party vendor, runs risk assessments against DORA, NIS2, and ISO 27001:2022, and keeps a register of information, incidents, contracts, and follow-up tasks in one place.
Track every vendor with legal entity, country, category, criticality, business owner, and status from onboarding through offboarding.
Send questionnaires built on DORA, NIS2, and ISO 27001:2022 supplier controls, capture answers per vendor, and get a per-domain and overall score.
A working view over your vendor and contract data shaped like the Article 28 register, with a one-click CSV export.
Log vendor-linked incidents with severity, status, and follow-up actions, so a supplier failure never lives only in someone's inbox.
Store contract dates, annual value, and DPA status per vendor, with document upload so the signed agreement sits next to the record.
Assign due-dated follow-ups tied to a vendor, assessment, or incident, so remediation items do not fall through.
VendorGuard ships with the DORA ICT Third-Party Provider Assessment, the NIS2 Supplier Security Assessment, and the ISO 27001:2022 Supplier Set. Each question cites the article or control it is grounded in where that reference is certain, so an assessor can trace every answer back to the source regulation. Answers score 0 to 100 per question; VendorGuard rolls that up into a weighted score per domain and an overall score for the assessment.
Article 28(3) of DORA requires financial entities to maintain a register of information on contractual arrangements with ICT third-party providers. VendorGuard's register view pulls provider identity, criticality, and contract terms into that shape and exports it as CSV. It covers the fields most commonly requested — it is not a substitute for the full RTS templates required for submission to a competent authority.
VendorGuard is part of the Spot Suite. Sign in with your Spot Suite identity once it is provisioned for your organisation.