From vendor-due-diligence-patrick-munro
Provides risk-based vendor assessment framework for IT service providers under DORA, NIS2, GDPR. Includes three-phase process, six-dimension risk scoring, and compliance checklists.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vendor-due-diligence-patrick-munro:vendor-due-diligence-patrick-munroThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Risk-based vendor assessment framework that identifies material risks early, ensures DORA/NIS2/GDPR compliance, and provides clear recommendations for selection, contract calibration, and ongoing management. Built for regulated sectors (financial services under DORA, KRITIS sectors under NIS2) and for any organisation with meaningful ICT third-party exposure.
Risk-based vendor assessment framework that identifies material risks early, ensures DORA/NIS2/GDPR compliance, and provides clear recommendations for selection, contract calibration, and ongoing management. Built for regulated sectors (financial services under DORA, KRITIS sectors under NIS2) and for any organisation with meaningful ICT third-party exposure.
This skill provides frameworks for vendor assessment purposes only. It does not constitute legal, financial, or professional advice. Users should:
The frameworks are templates. Actual assessments require expertise in law, finance, cybersecurity, and risk management. Neither the skill creator nor Claude/Anthropic assumes liability for decisions made based on this skill's output.
Regulatory references current as of 2026-04-23. EU (DORA, NIS2, GDPR) and German (NIS2UmsuCG, BDSG) citations reflect the consolidated text available at that date. Member State NIS2 transposition remains uneven; Germany's NIS2UmsuCG entered into force on 6 December 2025 with the BSI reporting portal opening on 6 January 2026. Verify the current consolidated text and national transposition status on EUR-Lex and the Bundesgesetzblatt before use.
Phase 1: Initial Screening (1-2 days): rapid assessment to determine whether a vendor warrants detailed evaluation.
Phase 2: Detailed Assessment (1-2 weeks): comprehensive evaluation across all risk dimensions. See Section 2.
Phase 3: Final Evaluation (3-5 days): synthesis, risk scoring, mitigation strategies, recommendation.
Documents to request: 3 years audited financial statements; commercial credit report; professional liability insurance (€5M minimum); cyber insurance (€5M minimum for IT vendors); banking references.
Analysis: revenue trends and profitability; debt levels and liquidity ratios; customer concentration risk; financial stability score (1-5).
Red flags: consistent losses or negative cash flow; high customer concentration (>30% revenue from one client); recent credit downgrades; inadequate insurance coverage.
Documents to request: articles of incorporation and bylaws; material contracts (top 5 customers and suppliers); pending and historical litigation; regulatory filings; IP portfolio; data protection policies and GDPR documentation; subprocessor list (if data processor).
GDPR compliance review (Art. 28 GDPR): privacy policy and notices; DPA template; breach incident response procedures; international data transfer mechanisms (SCCs, adequacy); Art. 30 records of processing; DPIA process for high-risk processing.
Industry-specific: financial services clients - DORA compliance (Art. 28-30); KRITIS sectors - NIS2 compliance (Art. 21); AI systems - AI Act classification and compliance.
Red flags: pending significant litigation (>10% annual revenue); regulatory enforcement actions; material IP infringement claims; GDPR non-compliance (no DPA, inadequate security).
Documents to request: security certifications (ISO 27001, SOC 2 Type II, PCI DSS where applicable); recent penetration testing results; security incident history (3 years); business continuity and disaster recovery plans; backup procedures and testing records; technical architecture diagrams; data residency documentation; subprocessor security assessments.
Security assessment: encryption standards (at rest and in transit); access controls and identity management; vulnerability management program; security awareness training; incident response procedures and SLAs; third-party security audits.
NIS2 Art. 21(2) security measures (for KRITIS vendors), mapped to the ten statutory sub-paragraphs:
DORA ICT risk management (for financial services vendors): Art. 6-16 ICT risk management framework; Art. 17-23 incident management; Art. 24-27 digital operational resilience testing; Art. 28-30 third-party risk monitoring.
Red flags: no ISO 27001 or equivalent; no SOC 2 Type II; recent major security incidents with inadequate response; inadequate backup and DR; data residency non-compliance.
Documents to request: SLA performance history (12 months minimum); customer satisfaction metrics; support structure and escalation procedures; change management and release procedures; service availability statistics; MTTR data.
Analysis: service delivery track record; support responsiveness; technical competency; scalability; exit/transition procedures.
Red flags: consistent SLA failures; poor customer references; inadequate support infrastructure; no documented exit procedures.
Score each vendor 1 (Low) to 5 (Critical) across dimensions. Weighted matrix:
| Category | Weight | Score | Weighted Score |
|---|---|---|---|
| Financial Risk | 20% | ||
| Operational Risk | 25% | ||
| Compliance Risk | 30% | ||
| Security Risk | 15% | ||
| Reputational Risk | 5% | ||
| Strategic Risk | 5% | ||
| TOTAL | 100% |
Critical services (payment processing, customer data systems, core business operations) receive 2x weight on security and compliance factors.
Risk score interpretation:
For financial services clients, DORA Art. 28-30 impose enhanced requirements for ICT third-party service providers.
DORA Art. 28 - General Principles: comprehensive ICT third-party risk management framework; full contractual documentation of all services; identification of all ICT third-party dependencies; comprehensive exit strategies.
DORA Art. 30 - Mandatory Contract Elements: service description (clear, complete, up-to-date); service locations (including subcontracting); service levels (SLAs with measurement and reporting); GDPR-compliant DPA; minimum security standards; availability and business continuity (DR/BCP); detailed exit strategy; regular and for-cause audit rights; subcontracting prior notification with objection rights; access for authorities (BaFin, ECB, ESMA inspection rights); termination rights (material breach, regulatory concerns); appropriate liability allocation; notice requirements for material changes, incidents, regulatory changes.
Concentration risk (Art. 28(4)): is the vendor used by multiple financial entities? Does this create systemic risk? Are alternatives available? What is our dependency level?
Substitutability (Art. 28(4) read with Art. 29): can we switch vendors within 3-6 months (illustrative planning horizon; DORA itself requires "adequate transition periods" under Art. 30 rather than a fixed window)? Technical lock-ins? Data portability? Contractual barriers to exit?
ICT sub-outsourcing (Art. 30(2)(a), read with the Commission Delegated Regulation on subcontracting RTS, JC 2024 53): all subcontractors identified; subcontractor locations documented; subcontractor security verified; subcontractor change notification process.
For vendors in NIS2 scope (KRITIS sectors under essential/important entity obligations), Art. 21 requires cybersecurity risk management measures.
Required assessments against Art. 21(2) measures are enumerated in Section 2 above. Supply chain security (Art. 21(2)(d)): vendor's own cybersecurity measures verified; vendor's supply chain security practices assessed; contractual cybersecurity obligations included; regular vendor security reviews; vendor incident notification requirements.
Financial: shorter contract terms (1-2 years); payment terms protecting buyer (Net 30 vs. advance); parent company guarantees; performance bonds or escrow; more frequent financial reviews.
Compliance: enhanced contractual GDPR, DORA, NIS2 provisions; quarterly audit rights; regular compliance attestations; mandatory notification of regulatory changes; stricter SLAs with termination rights for non-compliance.
Security: required certifications as ongoing obligation; annual penetration testing at vendor cost; incident notification within 24 hours vs. 72; enhanced monitoring and logging; MFA requirements; regular security assessments.
Operational: robust SLAs with meaningful service credits; detailed exit and transition procedures; source code escrow for critical applications; dual sourcing for critical services; more frequent performance reviews.
Strategic: limit contract term; build exit provisions; avoid proprietary lock-in; maintain dual-source options.
Quarterly reviews: SLA compliance; service quality; security incidents; financial stability (where quarterly data available); compliance status.
Annual assessments: update full risk scoring matrix; contract performance and commercial terms review; market alternatives and pricing; strategic alignment; renewal or termination decision.
Trigger-based reviews (immediate): major security incident or data breach; regulatory enforcement action; material litigation; financial distress (credit downgrade, significant losses); acquisition or ownership change; service quality deterioration; repeated SLA failures; material contract breach.
Vendor Risk Report (10-20 pages): executive summary; vendor background; financial assessment; legal and compliance review; security and technical evaluation; operational assessment; risk scoring matrix with justifications; mitigation recommendations; recommended contract terms; implementation and monitoring plan; appendices.
Vendor Assessment Summary (2-3 pages): vendor overview and services; risk score summary table; key findings; recommendation (proceed/conditional/reject); required contract terms; next steps.
Vendor Comparison Matrix: side-by-side risk scores; compliance coverage comparison; cost-benefit analysis; strengths/weaknesses; recommended vendor with justification.
Vendor Risk Register (spreadsheet): vendor name and ID; service type and criticality; risk scores by category; overall rating; last assessment date; next review date; key risks and mitigations; contract key terms; primary contact; escalation contacts.
Vendor Onboarding Checklist: due diligence completed and approved; contract negotiated and executed; insurance certificates received; DPA signed; security documentation reviewed; access provisioning completed; integration plan approved; service transition timeline; monitoring procedures implemented; relationship management assigned; vendor added to risk register; first quarterly review scheduled.
This skill does not: replace professional due diligence services; provide legal advice; guarantee vendor performance or eliminate risk; substitute for organisation-specific risk frameworks; fulfill regulatory obligations without expert validation; create attorney-client or fiduciary relationships.
Users must: adapt frameworks to their specific industry, jurisdiction, and risk tolerance; engage qualified professionals for regulated assessments; verify current regulatory requirements; obtain internal approvals; maintain documentation for audit and compliance; update criteria as regulations evolve.
2plugins reuse this skill
First indexed Jul 8, 2026
npx claudepluginhub akshullyinnocent-oklahoma/awesome-legal-skills --plugin vendor-due-diligence-patrick-munroProvides risk-based vendor assessment framework for IT service providers under DORA, NIS2, GDPR. Includes three-phase process, six-dimension risk scoring, and compliance checklists.
Builds and runs a NIST 800-161-aligned vendor risk program: tier vendors, send SIG/CAIQ questionnaires, review SOC 2/ISO 27001 evidence, set contractual clauses, monitor continuously, and offboard securely.
Conducts GDPR Article 28(1) pre-contract vendor privacy due diligence: risk questionnaires, technical controls assessment, certification review, data flow analysis, sufficiency decisions.