What is a Third-Party Risk Assessment?

A third-party risk assessment is the systematic analysis of risks that an external supplier or service provider poses to your organisation.

The third-party risk assessment is the core process in TPRM: it systematically analyses what risks a supplier poses to your organisation across cybersecurity, compliance, operational resilience and data protection.

What is analysed in a risk assessment?

A complete third-party risk assessment covers four dimensions:

(1) Cybersecurity risk: what vulnerabilities does the supplier have? Are there known breaches?
(2) Compliance risk: does the supplier comply with relevant standards such as ISO 27001 or SOC 2?
(3) Operational risk: how resilient is the supplier to outages?
(4) Dependency risk: how critical is the supplier to your own processes?

Four dimensions in one dashboard

360TPRM aggregates all four risk dimensions into a single risk score: automatically, continuously and in real time.

Risk assessment under NIS2 and DORA

NIS2 Art. 21(d) explicitly requires supply chain security: organisations must systematically assess and document supplier risks. DORA Art. 28 ff. obliges financial entities to fully assess all ICT third-party providers before contracting and on an ongoing basis. Without structured risk assessments, regulatory compliance cannot be demonstrated.

Regulatory must

Organisations unable to demonstrate documented third-party risk assessments risk fines under NIS2 of up to €10M or 2% of global annual turnover.

FAQ

How often should a risk assessment be conducted?

For critical suppliers: continuously. For non-critical suppliers: at least annually, although NIS2 and DORA require risk-based continuous monitoring.

What is the difference from due diligence?

Due diligence is a one-time review before a contract is signed. A risk assessment is a continuous process throughout the entire supplier relationship.

Automate risk assessments

See in a 45-minute demo how 360TPRM specifically meets your requirements.
