
How to Run DORA Vendor Assessments Without a Spreadsheet

Most compliance teams manage vendor assessments the same way: a Word document emailed to the provider, responses pasted into a spreadsheet, someone manually reviewing it a few weeks later. It works until you have ten providers to assess, a due date from your competent authority, and no clear record of who responded with what.

DORA Art. 28(1)(d) requires financial entities to continuously monitor third-party ICT risk. That means structured assessments — sent, tracked, scored, and documented — not ad hoc emails. The Vendor Questionnaire module in DORA GRC is built specifically for this.

This post walks through exactly how it works.

What the module does

The Vendor Questionnaire module lives under Pillar 4 in DORA GRC. From here you can:

    • Send a questionnaire to any provider in your Provider Register by email
    • Choose from three pre-built templates mapped to DORA, ISO 27001, or cloud-specific requirements
    • Track response status per questionnaire (Awaiting / Received / Scored / Overdue)
    • Record and score responses question by question
    • Have the overall risk rating automatically fed back into the Provider Register

The three built-in templates

When you create a questionnaire you pick one of three templates. Each maps directly to a specific regulatory or security framework:

DORA Vendor Assessment — 28 questions

This template covers the obligations that flow from Art. 28–30. Questions include whether the provider has a documented ICT risk management framework, whether they notify you of incidents within 4 hours (note that the 4-hour initial-notification window under Art. 19 is the financial entity's own deadline to its competent authority, so what you are really checking is whether the provider's contractual notification commitment under Art. 30 leaves you enough time to meet it), whether they grant audit rights, how they handle subcontracting disclosures, and whether they have a tested exit plan. There is also a question on TLPT cooperation (Art. 26) for providers that support Critical or Important Functions.

ISO 27001 Information Security Assessment — 24 questions

For providers where you want to go deeper on information security controls independent of DORA. Covers certification status, access management, penetration testing cadence, encryption at rest and in transit, incident response, BCP testing, and data retention and deletion. Useful for providers that are not DORA-designated but still handle sensitive data.

Cloud Provider Assessment — 20 questions

Targeted at IaaS and SaaS vendors. Focuses on data residency (EU/EEA), multi-tenancy isolation, encryption standards, SLA commitments, disaster recovery RTO/RPO, backup testing, DDoS mitigation, and portability and exit obligations. References GDPR requirements alongside DORA.

Sending a questionnaire

Click + Send Questionnaire. A form opens where you select the provider from your Provider Register, pick the template, set a sent date and response deadline, and enter the vendor's contact email. If the provider already has a contact email stored in the Provider Register, it pre-fills automatically.

Once you save, the vendor receives an email with a unique link. The link is token-gated: only someone holding that exact link can open the form, and no account or login is required on the vendor side. Treat the link as a credential. The token is the only thing identifying the vendor, so anyone it is forwarded to can submit answers on the vendor's behalf; send it to a named contact rather than a shared mailbox, and confirm the submission with that contact before you score it.

What the vendor sees

The vendor opens the link and gets a clean form with each question listed in order. For most questions they choose Yes, Partial, No, or N/A, and can add a free-text evidence note per question. No DORA GRC account is needed; the form is reachable only through the token in their email.

When they submit, responses are stored against the questionnaire record and the status updates to Received. You can resend the email link at any time using the Resend button if the vendor reports not receiving it.

Scoring

Once responses come in you open the questionnaire to review and score it. Scoring works as follows:

    • Yes = 5 points (full compliance)
    • Partial = 3 points
    • No = 0 points (non-compliant)
    • N/A = excluded from the score entirely

The overall score is calculated as (total points earned / maximum possible points) × 100. Risk ratings are assigned automatically based on that score:

    • Low risk — 75% and above
    • Medium risk — 50–74%
    • High risk — 25–49%
    • Critical risk — below 25%

The score and risk rating are written back to the provider's record in the Provider Register; no manual update is needed. Keep in mind that the score is an unweighted average: a provider that answers Yes to 27 of the 28 DORA questions and No to the one on a tested exit plan still scores about 96% and rates Low, so read the individual No and Partial answers rather than relying on the rating alone.
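The scoring rule above as runnable code, added here as an example rather than taken from the product. The point values, the exclusion of N/A, the percentage formula and the four rating bands are the ones the post states; the band thresholds are treated as inclusive lower bounds (an assumption, since the post lists whole-number bands and does not say how a fractional score such as 74.5% is handled). The sample answers are constructed. Two things go beyond the post: a questionnaire where every answer is N/A has no maximum score and is returned as unrated instead of dividing by zero, and failed_questions lists every No regardless of the percentage so the masking problem described above is visible to the reviewer.

```python
from dataclasses import dataclass
from typing import Optional

# Points per answer as stated in the post. N/A is excluded from both the
# numerator and the denominator, so it neither helps nor hurts the score.
POINTS = {"Yes": 5, "Partial": 3, "No": 0}
MAX_POINTS = 5

# Rating bands, checked top-down. Thresholds are inclusive lower bounds:
# this is an assumption; the post lists whole-number bands only.
RATING_BANDS = [(75.0, "Low"), (50.0, "Medium"), (25.0, "High"), (0.0, "Critical")]


@dataclass(frozen=True)
class Answer:
    question_id: str
    value: str          # "Yes" | "Partial" | "No" | "N/A"
    evidence: str = ""  # free-text evidence note supplied by the vendor


def score_questionnaire(answers: list[Answer]) -> Optional[float]:
    """Percentage score per the post's formula, or None when nothing is scoreable.

    (total points earned / maximum possible points) * 100, with N/A answers
    dropped from both totals. An all-N/A questionnaire has a maximum of zero
    and cannot be rated, so None is returned instead of dividing by zero.
    """
    scored = [a for a in answers if a.value != "N/A"]
    if not scored:
        return None
    for a in scored:
        if a.value not in POINTS:
            raise ValueError(f"{a.question_id}: unexpected answer {a.value!r}")
    earned = sum(POINTS[a.value] for a in scored)
    maximum = MAX_POINTS * len(scored)
    return round(100.0 * earned / maximum, 1)


def risk_rating(score: Optional[float]) -> str:
    """Map a percentage score onto the post's four risk bands."""
    if score is None:
        return "Not scored"
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Critical"  # not reachable: the 0.0 band catches every non-negative score


def failed_questions(answers: list[Answer]) -> list[str]:
    """Question IDs answered No. Worth reading whatever the percentage says,
    because one No among many Yes answers barely moves an unweighted average."""
    return [a.question_id for a in answers if a.value == "No"]


# Constructed sample: a six-question subset of a vendor's responses.
SAMPLE = [
    Answer("Q1", "Yes", "ICT risk management framework v3.2 attached"),
    Answer("Q2", "Partial", "Incident notification SLA is 24h, not 4h"),
    Answer("Q3", "Yes", "Audit clause in MSA s.12"),
    Answer("Q4", "N/A", "No subcontractors used for this service"),
    Answer("Q5", "No", "Exit plan exists but has never been tested"),
    Answer("Q6", "Yes", ""),
]

if __name__ == "__main__":
    s = score_questionnaire(SAMPLE)  # 18 of 25 points -> 72.0%, Medium
    print(f"score={s} rating={risk_rating(s)} no_answers={failed_questions(SAMPLE)}")
```

The sample scores 18 of 25 points (Q4 is dropped) for 72.0% and a Medium rating, while failed_questions still surfaces Q5, the untested exit plan. Run the same functions over 27 Yes answers and a single No to see the masking case from the paragraph above: 135 of 140 points, 96.4%, Low.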

Tracking the register

The Questionnaire Register table shows every questionnaire you have sent. Columns include the auto-generated ID (VQ-001 format), provider name, template used, sent date, due date, current status, score percentage, and risk rating. Questionnaires past their due date with no response show an Overdue badge in red. The stats panel at the top keeps a running count of total sent, awaiting response, scored, and overdue.

Each record can be opened to review individual responses, add notes, and attach supporting files. Attachments are stored in the document archive alongside incident reports and other compliance evidence.

How this fits into Art. 28 compliance

Art. 28(1)(d) requires ongoing monitoring — not just a one-time check. The register gives you a dated, auditable record of every assessment sent and scored. When a competent authority asks how you monitor ICT third-party risk for CIF-supporting providers, you have a specific answer: questionnaires sent on these dates, scored at these levels, with responses attached.

The module does not replace a full due diligence process or on-site audits, but it covers the structured periodic assessment requirement that most entities currently handle in spreadsheets.

Getting started

The module is available from the Pillar 4 section of the sidebar under Vendor Questionnaires. Providers need to be in your Provider Register first. If you have not started your Provider Register yet, that is the logical first step — providers entered there will appear in the questionnaire dropdown automatically.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.
