Building a DORA-Compliant Vendor Risk Scoring Methodology: A Step-by-Step Guide

Why Scoring Matters
DORA Art. 28 requires financial entities to "identify, assess, and manage all risks in relation to contractual arrangements on the use of ICT services provided by ICT third-party service providers." The regulation mandates risk management. It does not prescribe the methodology.
This creates a practical challenge: every financial institution needs a vendor risk scoring methodology, but there is no regulatory template. The EBA guidelines on outsourcing provide general principles, and the ESAs' Implementing Technical Standards on the register of information define the data fields the institution must record per ICT provider, but neither provides a scoring formula.
The methodology in this guide is designed to be:
- DORA-aligned: Every scoring dimension maps to a specific DORA requirement
- Quantitative: Produces a numerical score, not a subjective assessment
- Reproducible: Two analysts scoring the same vendor with the same data produce the same result
- Actionable: Score thresholds trigger specific governance actions
The Scoring Framework: Two-Dimensional Assessment
Vendor risk assessment under DORA requires two dimensions:
Inherent risk — the risk created by the nature of the relationship, independent of the vendor's controls. A vendor providing core banking infrastructure has higher inherent risk than a vendor providing office supplies software, regardless of how good either vendor's security is.
Residual risk — the remaining risk after accounting for the vendor's controls, contractual protections, and the institution's mitigating measures. A high inherent risk vendor with excellent controls may have lower residual risk than a medium inherent risk vendor with weak controls.
Inherent Risk Scoring (60% Weight)
Dimension 1: Criticality of Supported Function (0-25 points)
The most important inherent risk factor is what the vendor supports. Art. 28 distinguishes between ICT services "supporting critical or important functions" and other ICT services, and the scoring reflects this distinction. Note that DORA defines "critical or important function" as a single term in Art. 3(22); the split between 25 and 20 points below is the institution's own internal tiering within that definition, and both tiers carry the additional Art. 28 and Art. 30 obligations that attach to critical or important functions.
| Score | Criteria | Example |
|---|---|---|
| 25 | Supports critical function (Art. 3(22)) | Core banking provider, payment processing infrastructure |
| 20 | Supports important function | CRM system, risk management platform |
| 15 | Supports operational process | Email system, collaboration tools |
| 10 | Supports administrative function | HR system, expense management |
| 5 | Supports non-essential function | Marketing analytics, training platform |
Data source: Business Impact Analysis (BIA), function criticality classification.
Dimension 2: Data Sensitivity (0-20 points)
What data does the vendor access, process, or store? Data sensitivity directly maps to DORA Art. 9 protection requirements and GDPR data protection obligations.
| Score | Classification | Examples |
|---|---|---|
| 20 | RESTRICTED | Payment card data, credentials, cryptographic keys |
| 15 | CONFIDENTIAL | Customer PII, financial data, transaction records |
| 10 | INTERNAL | Operational data, internal communications, policies |
| 5 | PUBLIC | Published reports, marketing materials |
Dimension 3: Concentration Dependency (0-20 points)
How dependent is the institution on this vendor today? Concentration risk under DORA is a central concern, particularly for cloud providers and infrastructure services. This dimension measures redundancy as it currently exists (is a tested alternative already in place?); Dimension 4 below measures how long and how costly a replacement would be if the institution had to exit.
| Score | Criteria | Description |
|---|---|---|
| 20 | Sole provider for critical function | No alternative; failure = critical function stops |
| 15 | Primary provider, limited alternatives | Failover possible but complex and time-consuming |
| 10 | One of multiple providers | Active-active or active-passive with tested failover |
| 5 | Easily substitutable | Multiple equivalent vendors available, low switching cost |
Dimension 4: Substitutability (0-15 points)
How quickly and at what cost can the vendor be replaced? This drives exit strategy requirements under Art. 28(8).
| Score | Criteria |
|---|---|
| 15 | > 12 months to migrate; high data lock-in; proprietary formats |
| 10 | 6-12 months to migrate; moderate integration complexity |
| 5 | 1-6 months to migrate; standard formats; multiple alternatives |
| 0 | < 1 month to migrate; commodity service; portable data |
Dimension 5: Geopolitical Exposure (0-20 points)
Where is the vendor headquartered, where does it process data, and what jurisdictions govern the relationship?
| Score | Criteria |
|---|---|
| 20 | Data processed outside EU; vendor in high-risk jurisdiction; CLOUD Act exposure |
| 15 | Data processed in EU; vendor headquartered outside EU |
| 10 | Data and vendor in EU but in different member state |
| 5 | Data and vendor in same member state |
Residual Risk Scoring (40% Weight)
Dimension 6: Vendor Security Controls (0-25 points)
Based on evidence, not self-assessment. Accepted evidence includes: ISO 27001 certification, SOC 2 Type II report, penetration test results, security audit findings. Check that the certificate scope and the SOC 2 report period actually cover the service, regions and data centres the institution uses; a certificate covering the vendor's corporate IT says nothing about the hosted platform, and a report whose period ended 18 months ago is not current evidence.
| Score | Criteria |
|---|---|
| 0-5 | ISO 27001 certified, SOC 2 Type II clean, recent pentest with no critical findings |
| 6-10 | One major certification, minor pentest findings remediated |
| 11-15 | Self-attested security practices, no independent verification |
| 16-20 | Known security gaps, unremediated findings |
| 21-25 | No security assessment available or vendor unresponsive |
Note: In every residual dimension (6 through 10), lower score = lower risk (better controls, performance, protections or exit readiness).
Dimension 7: SLA Performance History (0-20 points)
Based on measured SLA performance over the past 12 months.
| Score | Criteria |
|---|---|
| 0-5 | SLA met > 99.5% of measurement periods |
| 6-10 | SLA met 98-99.5% of measurement periods |
| 11-15 | SLA met 95-98% of measurement periods |
| 16-20 | SLA met < 95% of measurement periods |
Dimension 8: Incident History (0-20 points)
Based on the vendor's incident history affecting the institution, or disclosed publicly, over the past 24 months.
| Score | Criteria |
|---|---|
| 0-5 | No incidents affecting institution; no material public incidents |
| 6-10 | Minor incidents, all within SLA, fully remediated |
| 11-15 | Major incident in past 24 months, remediated |
| 16-20 | Multiple major incidents or data breach |
Dimension 9: Contractual Protections (0-15 points)
Based on the Art. 30 contractual provisions in place.
| Score | Criteria |
|---|---|
| 0-5 | All Art. 30 provisions in place; audit rights; termination assistance; SLA penalties |
| 6-10 | Most Art. 30 provisions; some gaps in audit rights or termination assistance |
| 11-15 | Limited contractual protections; standard vendor terms only |
Dimension 10: Exit Strategy Viability (0-20 points)
Based on the documented and tested exit strategy.
| Score | Criteria |
|---|---|
| 0-5 | Exit strategy documented, tested, data portable, alternative identified |
| 6-10 | Exit strategy documented but untested; alternative identified |
| 11-15 | Exit strategy documented but no alternative identified |
| 16-20 | No exit strategy documented |
Calculating the Composite Score
Each group of dimensions sums to a 0-100 total. The composite score is the weighted sum of the two totals: Composite = (Inherent total x 0.6) + (Residual total x 0.4), giving a result on the same 0-100 scale.
Example calculation:
A cloud provider hosting the institution's core banking application:
- Criticality: 25 (critical function)
- Data sensitivity: 15 (confidential customer data)
- Concentration: 20 (sole provider)
- Substitutability: 15 (12+ months to migrate)
- Geopolitical: 15 (EU data, US-headquartered vendor)
- Inherent total: 90
- Security controls: 3 (ISO 27001, SOC 2 Type II, clean pentest)
- SLA performance: 5 (99.8% SLA achievement)
- Incident history: 10 (one minor incident, remediated)
- Contractual: 5 (full Art. 30 provisions)
- Exit strategy: 10 (documented but untested)
- Residual total: 33
Composite score: (90 x 0.6) + (33 x 0.4) = 54 + 13.2 = 67.2 (High)
Risk Classification and Governance Actions
| Classification | Score Range | Governance Requirements |
|---|---|---|
| Critical | 75-100 | Board-level reporting, quarterly review, full Art. 30 contractual provisions, annual on-site audit, tested exit strategy, continuous monitoring |
| High | 50-74 | IT risk committee reporting, semi-annual review, Art. 30 provisions, periodic audit, documented exit strategy |
| Medium | 25-49 | Annual review, standard contractual provisions, documented risk assessment |
| Low | 0-24 | Biennial review, standard terms acceptable, lightweight assessment |
Composite scores are fractional, so treat the ranges as thresholds on the unrounded score: 75.0 and above is Critical, 50.0 to below 75.0 is High, 25.0 to below 50.0 is Medium, and anything below 25.0 is Low. The 67.2 in the example above therefore classifies as High.
Incorporating Advanced Risk Factors
Fourth-Party Risk Adjustment
Add 0-10 points to the inherent risk total for fourth-party exposure, capping the adjusted total at 100 so the composite stays on the 0-100 scale:
- +10: Vendor has known fourth-party concentration (shared infrastructure dependencies with other critical vendors)
- +5: Vendor's fourth-party exposure is unknown (no SBOM or subcontracting disclosure)
- +0: Vendor has disclosed and diversified fourth-party dependencies
Financial Viability Adjustment
Add 0-10 points to the residual risk total for vendor financial health, again capping the adjusted total at 100:
- +10: Startup with < 2 years revenue history, no profitability path
- +5: Established vendor with recent financial stress indicators
- +0: Financially stable vendor with long track record
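As an added example (not code from the page, and not any regulator's or institution's tool), the scorer below implements the composite formula, the classification bands and the two adjustments above in Python. The field names, the rule that an adjusted group total is capped at 100, and treating the bands as half-open thresholds (75.0 is Critical, 74.9 is High) are assumptions made here. The constructed input is the cloud-provider example from the text, scored first as given and then with both advanced adjustments applied, which pushes it across the Critical threshold.

```python
"""Composite vendor risk scorer for the ten-dimension methodology above.

Added example, not code from the original page. Field names, the cap at 100
after adjustments and the half-open classification bands are assumptions.
"""
from dataclasses import dataclass, replace

INHERENT_WEIGHT = 0.6
RESIDUAL_WEIGHT = 0.4

# Maximum points per dimension, from the scoring tables (each group sums to 100).
INHERENT_MAX = {
    "criticality": 25,
    "data_sensitivity": 20,
    "concentration": 20,
    "substitutability": 15,
    "geopolitical": 20,
}
RESIDUAL_MAX = {
    "security_controls": 25,
    "sla_performance": 20,
    "incident_history": 20,
    "contractual": 15,
    "exit_strategy": 20,
}
ALLOWED_ADJUSTMENTS = (0, 5, 10)

# Lower bound of each band; checked from highest to lowest on the unrounded score.
BANDS = (("Critical", 75), ("High", 50), ("Medium", 25), ("Low", 0))
REVIEW_CADENCE = {"Critical": "quarterly", "High": "semi-annual",
                  "Medium": "annual", "Low": "biennial"}


@dataclass(frozen=True)
class VendorScores:
    """Raw dimension scores for one vendor, as entered by the analyst."""
    vendor: str
    criticality: int
    data_sensitivity: int
    concentration: int
    substitutability: int
    geopolitical: int
    security_controls: int
    sla_performance: int
    incident_history: int
    contractual: int
    exit_strategy: int
    fourth_party_adjustment: int = 0   # added to the inherent total (0, +5, +10)
    financial_adjustment: int = 0      # added to the residual total (0, +5, +10)

    def __post_init__(self) -> None:
        # Reject out-of-range input so two analysts cannot reach different
        # totals from the same evidence by exceeding a dimension's ceiling.
        for name, ceiling in {**INHERENT_MAX, **RESIDUAL_MAX}.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= ceiling:
                raise ValueError(f"{self.vendor}: {name}={value!r} outside 0-{ceiling}")
        for name in ("fourth_party_adjustment", "financial_adjustment"):
            if getattr(self, name) not in ALLOWED_ADJUSTMENTS:
                raise ValueError(f"{self.vendor}: {name} must be one of {ALLOWED_ADJUSTMENTS}")


def inherent_score(v: VendorScores) -> int:
    raw = sum(getattr(v, name) for name in INHERENT_MAX) + v.fourth_party_adjustment
    return min(raw, 100)  # assumption: the adjustment may not push a group past its 0-100 scale


def residual_score(v: VendorScores) -> int:
    raw = sum(getattr(v, name) for name in RESIDUAL_MAX) + v.financial_adjustment
    return min(raw, 100)


def composite_score(v: VendorScores) -> float:
    return round(INHERENT_WEIGHT * inherent_score(v) + RESIDUAL_WEIGHT * residual_score(v), 1)


def classify(score: float) -> str:
    """Half-open bands: 75.0 is Critical, 74.9 is High, and so on."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"negative score {score}")


def assess(v: VendorScores) -> dict:
    """Full result for one vendor, in a shape that can be written to the register."""
    score = composite_score(v)
    band = classify(score)
    return {"vendor": v.vendor, "inherent": inherent_score(v), "residual": residual_score(v),
            "composite": score, "classification": band, "review_cadence": REVIEW_CADENCE[band]}


# Constructed input: the worked example from the text (cloud provider hosting
# core banking), first as scored in the text, then with both adjustments applied.
CORE_BANKING_CLOUD = VendorScores(
    vendor="core-banking-cloud", criticality=25, data_sensitivity=15, concentration=20,
    substitutability=15, geopolitical=15, security_controls=3, sla_performance=5,
    incident_history=10, contractual=5, exit_strategy=10,
)
WITH_ADJUSTMENTS = replace(CORE_BANKING_CLOUD, vendor="core-banking-cloud (adjusted)",
                           fourth_party_adjustment=10, financial_adjustment=5)

if __name__ == "__main__":
    for vendor in (CORE_BANKING_CLOUD, WITH_ADJUSTMENTS):
        print(assess(vendor))
```

The unadjusted vendor scores 90 inherent and 33 residual, composite 67.2 (High), as in the text. Adding +10 for unknown fourth-party concentration and +5 for financial stress gives 100 inherent (capped) and 38 residual, composite 75.2, which crosses into Critical and moves the vendor to quarterly review; that threshold sensitivity is why the adjustments need documented evidence rather than analyst judgement.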
Implementation and Maintenance
Initial assessment: Score all existing ICT vendors within 6 months of methodology adoption. Prioritize critical and high-risk vendors.
Ongoing reassessment cadence:
- Critical vendors: Quarterly
- High vendors: Semi-annually
- Medium vendors: Annually
- Low vendors: Biennially
Score change triggers: Major vendor incident, acquisition/merger, significant SLA breach, new vulnerability disclosure, change in institution's criticality assessment.
Key Takeaways
- Vendor risk scoring requires two dimensions: inherent risk (nature of the relationship) and residual risk (vendor controls and contractual protections).
- 10 scoring dimensions cover the full range of Art. 28 requirements: criticality, data sensitivity, concentration, substitutability, geopolitical exposure, security controls, SLA performance, incident history, contractual protections, and exit strategy viability.
- Composite score = (Inherent x 0.6) + (Residual x 0.4) with classification thresholds: Critical (75-100), High (50-74), Medium (25-49), Low (0-24).
- Risk classification drives governance actions: board reporting, review frequency, contractual requirements, audit rights, and exit strategy testing.
- Advanced adjustments for fourth-party risk and vendor financial viability provide additional precision for complex vendor relationships.
- Methodology must be reproducible: same data, same score, regardless of analyst.
Summary
DORA Art. 28 requires ICT third-party risk management but does not prescribe a scoring methodology. This guide provides a two-dimensional quantitative framework: inherent risk (60% of the weight: criticality of the supported function, data sensitivity, concentration dependency, substitutability, geopolitical exposure) and residual risk (40%: vendor security controls, SLA performance, incident history, contractual protections, exit strategy viability). Ten scoring dimensions produce a composite score from 0 to 100, classified into four levels: Critical (75-100), High (50-74), Medium (25-49), Low (0-24). Each classification triggers specific governance actions: board reporting, review frequency, contractual requirements, audit rights and exit strategy testing. Advanced adjustments for fourth-party risk and vendor financial viability complete the model. The methodology must be reproducible: same data, same score, whoever the analyst is.