January 11 2025
Doing Your Third-Party Risk Due Diligence Under DORA
While third-party vendors can be a huge asset to your business or organization, they also bring serious risks. If a vendor drops the ball on security or compliance, you’re the one who takes the hit. That’s why the Digital Operational Resilience Act (DORA) puts third-party risk due diligence front and center.
With tools like Graphite Connect, managing vendor risks becomes simpler and less stressful. In this guide, we’ll break down what you need to know about third-party risk due diligence under DORA and how to build a framework that protects your operations while keeping you compliant.
What is third-party risk due diligence?
Third-party risk due diligence means creating a system to assess vendors when the relationship begins and keeping a close eye on them as the partnership grows. It’s how you uncover risks—whether tied to cybersecurity, operational reliability, or regulatory compliance—and decide how to handle them before they become bigger problems.
This isn’t something you can do once and forget about. It’s an ongoing effort. By developing a strong framework, you can spot risks early, address weak points, and keep your vendors working in line with your goals (and regulatory requirements) throughout the relationship.
What standards should you evaluate third-party risk by?
When assessing vendors, you need to evaluate them against meaningful benchmarks. By focusing on the right areas, you’ll get a clearer understanding of their reliability and the risks they might introduce to your operations.
Cybersecurity posture
Cyberattacks are evolving every day, and your vendors’ security measures are a direct extension of your own. A single weakness in their defenses can expose your sensitive data, compromise operations, or even lead to regulatory issues.
Take a close look at their cybersecurity practices. Are they using encryption to protect data at rest and in transit? Do they enforce multi-factor authentication for accessing critical systems? What about access controls: are they limiting sensitive data access to only the right people?
A vendor with strong cybersecurity protocols not only protects your business but also shows that they take their role in your partnership seriously. On the other hand, weak measures are a risk you simply can’t afford. Make cybersecurity a top priority in your assessment process.
Uptime and availability
Downtime might be your vendor’s problem at first glance, but it quickly becomes yours when it disrupts your operations. Imagine losing access to critical services during a peak period: how would it affect your customers, your reputation, and your bottom line?
To avoid these scenarios, assess their uptime guarantees. Are they prepared to meet your needs, even during unexpected disruptions? Ask about their disaster recovery plans and redundancy systems. Reliable vendors will have clear strategies to maintain availability and reduce the impact of technical failures or external threats.
Downtime is inevitable, but how a vendor plans for it can make all the difference. Look for partners who prioritize continuity and have tested systems to back it up.
Incident management and response
Every business will face incidents—it’s how you respond to them that matters most. The same goes for your vendors. If they can’t handle disruptions properly, the fallout can quickly spiral into bigger problems for your business.
When evaluating vendors, dig into their incident management frameworks. Do they have a clear system for detecting and documenting incidents? How quickly can they respond, and how well do they communicate with you during a crisis?
Strong vendors will also have post-incident strategies in place. They won’t just fix the issue; they’ll analyze what went wrong and take steps to prevent it from happening again.
Regulatory compliance with DORA requirements
When assessing vendors, check how well they align with DORA’s requirements. Are they capable of timely incident reporting? Do they maintain a secure IT environment that meets regulatory standards? Have they implemented risk management practices that demonstrate their commitment to compliance?
Working with vendors who understand and meet these obligations is non-negotiable. Their compliance makes your position stronger, reduces your risk exposure, and helps keep your operations on the right side of regulatory expectations.
What you need to do for your third-party risk due diligence
Building a strong due diligence strategy involves gathering the right tools and information. Here’s what you’ll need to get started.
Vendor questionnaires
The first step in evaluating your vendors is asking the right questions. Sending detailed questionnaires helps you understand their risk profile and identify any potential issues early.
Focus on critical areas:
- What cybersecurity measures do they have in place?
- Are they using robust encryption, firewalls, and multi-factor authentication?
- What operational policies guide their day-to-day processes?
- Have they experienced incidents like data breaches, and how did they handle them?
Their responses will give you a baseline understanding of their risk management practices. Use these insights to decide which vendors need closer scrutiny. A detailed questionnaire not only highlights risks but also sets the tone for an open, transparent relationship.
Security audits
Questionnaires are a good start, but they can’t give you the full picture. That’s where security audits can help. These audits are your way of verifying that your vendors practice what they preach.
During an audit, look at whether they’re following their stated cybersecurity protocols, operational policies, and compliance standards. For example, do they regularly test their systems for vulnerabilities? Are they patching software promptly?
Audits often uncover risks that vendors might not even be aware of themselves. By taking a closer look, you can spot gaps in their defenses and address them before they affect your business.
Security document review
Documentation is key to understanding a vendor’s reliability. Look for certifications like ISO 27001 or SOC 2, which demonstrate adherence to industry standards. Review their data protection policies to ensure they meet regulatory requirements as well as your expectations. Records of past compliance audits can also shed light on how seriously they take their responsibilities.
Security ranking checks
Sometimes an objective perspective is the best way to assess a vendor’s risk. Security ranking tools like those available on the Graphite Connect platform analyze public data to give you insights into a vendor’s cybersecurity posture.
These tools evaluate factors like past breaches, exposed credentials, and their overall approach to security, so you can see where vendors may be falling short. Security rankings are especially helpful when dealing with vendors that manage sensitive data or have access to critical systems. They let you spot red flags quickly and focus your attention on high-risk relationships.
Third-party risk management software
Tracking questionnaires, reviewing documents, and conducting audits for multiple vendors takes time and resources. This is where third-party risk management software like Graphite Connect becomes a game-changer.
These tools automate key tasks, making it easier to keep track of assessments, monitor compliance, and gather real-time insights into vendor performance. Instead of juggling spreadsheets or chasing down updates, you can manage everything from a centralized platform.
Graphite is the tool you need to maintain third-party risk due diligence
Keeping up with third-party risk due diligence doesn’t have to be a burden. Graphite makes the entire process easier, from onboarding vendors to monitoring their compliance over time.
With Graphite, you can:
- Send and manage vendor questionnaires in one place.
- Track compliance with DORA requirements using real-time dashboards.
- Centralize documentation like contracts and certifications.
- Monitor vendor performance and security rankings without added effort.
By using Graphite, you’ll save time, reduce risks, and stay confident that your vendors are meeting the standards that matter most. Ready to simplify third-party risk due diligence? Schedule your demo today!