The supplier inventory is the foundation of Third-Party Risk Management. Without a complete register of all third parties, no structured risk management is possible, and regulatory requirements under NIS2 and DORA cannot be met.
What belongs in the supplier inventory?
For each supplier, a complete supplier inventory contains: name and contact details, type of service and contract details, classification (critical/non-critical), access to systems and data, certifications and compliance status, subcontractors (fourth parties), and current risk score. DORA Art. 28(3) explicitly requires a complete information register of all ICT third-party providers.
360TPRM creates and maintains the supplier inventory automatically, with daily risk scores for each supplier.
Supplier inventory as a regulatory obligation
DORA Art. 28(3) requires financial entities to maintain a complete information register of all ICT third-party providers. NIS2 requires an overview of all critical suppliers as part of supply chain security management. ISO 27001:2022 Annex A.5.19 requires a maintained list of all suppliers with access to information assets.
Organisations without a complete supplier inventory cannot demonstrate NIS2 or DORA compliance. Supervisory authorities check the inventory as a first step.