
How to do a supplier risk assessment (Step-by-step guide for SMBs)

NIS2, Compliance, SMB

Knowing your suppliers is the first step

How many suppliers does your company work with? And for how many of them do you know exactly what data they process or which systems they can access?

For most SMBs, the honest answer is: "We are not entirely sure." That is exactly where the risk sits. Not because those suppliers are necessarily untrustworthy, but because you cannot demonstrate it when someone asks, whether that is an auditor, a client with a security questionnaire, or your own IT team after an incident.

In this article, we walk through a supplier risk assessment step by step. No theoretical model, but a workable process you can start this week.

Why you assess supplier risks (not just because of NIS2)

The obvious reason: GDPR and NIS2 expect it. As a data controller, you are responsible for parties that process personal data on your behalf. And supply chain security is an explicit NIS2 requirement.

But there are practical reasons too. More and more clients are asking about your suppliers in compliance questionnaires. And if a breach occurs at one of your suppliers? That is your problem as well.

Regulations aside: if you do not know who does what with which data, you cannot assess where you are vulnerable. A risk assessment is a practical tool first, a compliance requirement second.

Step 1: Make a list of all your suppliers

This sounds simple, but most companies already struggle here. Suppliers get added on the fly, tools are chosen by individual teams, and nobody keeps a central overview of what is running.

Start with an inventory:

  • SaaS tools: CRM, email marketing, HR software, accounting, project management
  • Hosting parties: cloud providers, data centres, CDN services
  • Service providers: accountant, payroll administration, cleaning company, security firm
  • Physical suppliers: hardware, network-connected printers, telephony providers

Ask each team which tools and services they use daily. You will probably be surprised by the number.

Tip: in ComplianceHive you can register all your suppliers centrally and link them directly to the data they process.

Step 2: Determine which suppliers have access to sensitive data or systems

Not every supplier carries the same risk. Your office supply vendor delivering paper is a different story from your HR platform managing payroll data.

Make a distinction:

| Type | Example | Risk level |
|------|---------|------------|
| No data access | Office supplies, catering | Low |
| Limited data access | Project management tool (names, emails) | Medium |
| Broad data access | HR system, CRM, accounting software | High |
| System access | Cloud hosting, IT administrator, SSO provider | High |

The question is always: does this supplier have access to personal data? And if so, how sensitive is that data?

Step 3: Score each risk (use this simple framework)

Now that you know which suppliers process data, you can score the risk. Use three axes:

1. Data sensitivity - What type of data does the supplier process?

  • Low (1): business contact details only
  • Medium (2): customer data, financial information
  • High (3): health data, national ID numbers, criminal records

2. Access level - How deep is the supplier embedded in your systems?

  • Low (1): no direct access, receives only exports
  • Medium (2): limited access via API or portal
  • High (3): full system access or admin rights

3. Supplier maturity - How well organised is the supplier itself?

  • Low risk (1): ISO 27001 certified, transparent, solid DPA
  • Medium risk (2): has a privacy policy, DPA available on request
  • High risk (3): no visible policy, refuses DPA, unclear data location

Total risk score: add the three scores together.

| Score | Risk level | Action |
|-------|-----------|--------|
| 3-4 | Low | Annual review is sufficient |
| 5-6 | Medium | Bi-annual check, DPA required |
| 7-9 | High | Quarterly review, additional contractual agreements, set concrete requirements |

This is not a scientific model. But it gives you a workable method to differentiate and focus your attention on the suppliers that matter most.

Step 4: Prioritise and take action

You now have an overview with risk scores. The next step is taking action on the suppliers with the highest scores.

That could mean requesting a Data Processing Agreement (DPA) if one is missing. Or having additional security requirements written into the contract. Sometimes the right action is finding an alternative, for example if a supplier will not cooperate with your questions about data processing. And for some suppliers, you can reduce the risk by limiting access rights.

Start with your top 5 highest-scoring suppliers. You do not need to solve everything at once. The point is that you can show you have a systematic approach.

Step 5: Document it and keep it current

This is where many companies stop. They do the analysis, create a spreadsheet, and then that document disappears into a drawer.

A risk assessment is not a one-off exercise. Suppliers change, your tool stack grows, and new regulations come in. The spreadsheet you made in January is already outdated by June if you do not maintain it.

What you should document:

  • Date of the assessment
  • Risk score per supplier
  • Measures taken
  • Date for the next review
  • Any notes or points of attention

During an audit, you want to be able to show this dossier within a few minutes. Not: "That is somewhere on the shared drive." But: "Here is the overview, last updated last month."
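As an added example (not code from the article or from ComplianceHive), here is the Step 3 scoring and Step 4 ranking run over a constructed supplier register, producing the record fields Step 5 says to document. The supplier names, their scores, the assessment date and the review intervals (365, 182 and 91 days for the three bands) are assumptions.

```python
from datetime import date, timedelta

# Review interval in days and action per band; the intervals are an assumption (bi-annual read as six months).
RISK_BANDS = {
    "low": (365, "Annual review is sufficient"),
    "medium": (182, "Bi-annual check, DPA required"),
    "high": (91, "Quarterly review, additional contractual agreements"),
}

# Constructed sample register (hypothetical): (supplier, data sensitivity, access level, supplier maturity), 1-3 each.
SUPPLIERS = [
    ("HR platform", 3, 2, 2),
    ("Cloud hosting", 2, 3, 1),
    ("Office supplies", 1, 1, 2),
    ("Email marketing tool", 2, 2, 3),
]
ASSESSED_ON = date(2024, 1, 15)  # made-up assessment date

def total_score(sensitivity, access, maturity):
    """Step 3: add the three axis scores; reject anything outside the 1-3 scale."""
    for axis in (sensitivity, access, maturity):
        if axis not in (1, 2, 3):
            raise ValueError("each axis must be scored 1, 2 or 3")
    return sensitivity + access + maturity

def risk_level(score):
    """Map a total (3-9) to the article's bands: 3-4 low, 5-6 medium, 7-9 high."""
    if score <= 4:
        return "low"
    return "medium" if score <= 6 else "high"

def assess(suppliers, assessed_on, top_n=5):
    """Step 4: score all suppliers, return the top_n riskiest with Step 5's record fields."""
    records = []
    for name, sensitivity, access, maturity in suppliers:
        score = total_score(sensitivity, access, maturity)
        level = risk_level(score)
        interval, action = RISK_BANDS[level]
        records.append({
            "supplier": name, "score": score, "risk_level": level, "action": action,
            "assessed_on": assessed_on, "next_review": assessed_on + timedelta(days=interval),
        })
    # Highest score first; ties broken by name so the order is reproducible.
    records.sort(key=lambda r: (-r["score"], r["supplier"]))
    return records[:top_n]

if __name__ == "__main__":
    for r in assess(SUPPLIERS, ASSESSED_ON):
        print(f"{r['supplier']:<22} score {r['score']} ({r['risk_level']}), next review {r['next_review']}")
```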

ComplianceHive offers a supplier register where you track DPA status, risk category, and review dates per supplier, so you always have a current overview.

What NIS2 specifically expects from you

NIS2 Article 21 names supply chain security as one of the mandatory security measures. In concrete terms, that means:

  • Mapping your supply chain
  • Assessing risks per supplier
  • Making contractual agreements about security
  • Repeating and maintaining this periodically

It is not about having a perfect system. It is about being able to demonstrate that you are working on it systematically. Can you show an inspector which suppliers you have assessed, when, and what you have agreed? Then you are in good shape.

Also read: the GDPR side of vendor management for the full picture.

Start your first supplier inventory today

A supplier risk assessment does not have to be complicated. Make the list, score the risks, and tackle the biggest gaps first. The perfect analysis does not exist. A documented approach does, and that is always better than nothing.


Start your free trial of ComplianceHive and manage all your suppliers in one place. So you know exactly where you stand at every audit. Try it free for 30 days.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.

Try 1 month for free