Practical checklist: good practices for vendor/supplier risk management inspired by GDPR, NIS2, Data Governance Act and DORA. The underlying question: what good practices do these EU laws highlight and transform into legal obligations in certain cases, and how can we combine them?
This checklist is *not* a comprehensive list of best practices, but it should be helpful to anyone involved in outsourcing, vendor selection, procurement and supplier contracts, and not only regarding IT service providers, data brokers and processors (this goes much further than purely data protection and Cybersecurity).
Some notes:
1. Why the Data Governance Act? Between the Data Act (applicable mainly in relation to connected / IoT devices) and the Data Governance Act, there are many similar ideas regarding access to information, but I think the Data Governance Act is interesting from a broader perspective, as it lets us ask more general questions regarding access to information anyway.
2. What about the AI Act and its specific obligations (e.g. regarding certain assessments)? Artificial intelligence solution selection is in practice not that different from the selection of any other IT solution. The additional obligations flowing from the AI Act are harder to generalise to non-AI solutions without risking pushback about “too much red tape”, but it would be interesting to see ways to improve this checklist going forward.
3. Want to learn more about this checklist, what lies behind it and how to integrate its lessons in your business? Reach out, we are always glad to help our clients!
4. Have any other suggestions of *law-inspired* third-party risk management practices worth highlighting? Send them over!
5. Want to download the PDF? A couple of possibilities:
(i) On desktop, click on the “expand” button and then the “download” button
(ii) Load it here: https://lnkd.in/ezXa_Yr9
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!