Not all suppliers are equally critical. Supplier classification categorises all third parties by their importance to critical business processes and their risk potential — enabling risk-based prioritisation of monitoring resources.
Classification criteria in TPRM
Typical classification criteria include:
1. Criticality: how dependent are critical processes on this supplier?
2. Data access: does the supplier have access to sensitive or personal data?
3. System access: does the supplier have access to internal IT systems?
4. Substitutability: how easily can the supplier be replaced?
5. Regulatory relevance: is the supplier to be classified as critical under DORA or NIS2?
360TPRM classifies suppliers automatically according to configurable criteria — with direct impact on monitoring intensity and reporting.
Critical vs. non-critical suppliers
DORA distinguishes between critical and important ICT third-party providers — with different requirements for contract design, monitoring and exit strategies. NIS2 requires classification as part of supply chain security. ISO 27001 recommends risk-based classification with at least three tiers (critical, important, standard).
The EU can place critical ICT third-party providers directly under EU oversight (Art. 31 DORA). Financial entities must report their critical providers to the supervisory authority.
Classify suppliers automatically
See in a 45-minute demo how 360TPRM specifically meets your requirements.