Contract Management › Vendors

Vendor Contracts: What They Must Contain and How to Manage Them

Q: What must a vendor contract contain under GDPR?

The contract must at minimum cover the parties, scope of services, price and payment, duration and termination, confidentiality, and liability. If the vendor processes personal data, a Data Processing Agreement must be attached in accordance with GDPR Article 28. The contract should also govern the conditions under which sub-contractors may be used.

Q: What does NIS2 require in vendor contracts?

NIS2 (Article 21(2)(d)) requires organisations in in-scope sectors to manage supply chain security contractually. Vendor contracts must include specific security requirements, audit rights, incident response obligations with defined timeframes, and an agreed exit strategy with provisions for data handling at contract end.

Q: When should I renegotiate a vendor contract?

Contracts should be renegotiated at expiry, following significant changes in legal requirements (such as new regulation like NIS2), after a security incident involving the vendor, following changes in the vendor ownership or structure, or when the scope of services changes materially. As a general rule, contracts with critical vendors should be reviewed at least annually.

Q: What happens to data when a vendor contract ends?

The exit strategy should be agreed in the contract before the relationship begins. It should specify that the vendor returns or deletes all data within a defined timeframe, that access credentials are revoked at contract end, and that deletion is documented. This is a requirement under GDPR Article 28, and NIS2 and ISO 27001 contain equivalent expectations for documented exit handling.

Q: Who is responsible for creating vendor contracts?

Responsibility typically sits with the person who enters into agreements on behalf of the organisation — often a procurement manager, legal counsel, COO, or CFO. The compliance and DPO functions should be involved when the contract involves personal data or security requirements. Organisations without in-house legal support are advised to seek legal assistance for significant vendor contracts.

Q: Can a vendor contract replace a Data Processing Agreement?

No. A vendor contract cannot replace a Data Processing Agreement. GDPR Article 28 sets specific requirements for a DPA that are not covered by a standard vendor contract. Both documents are required when the vendor processes personal data on behalf of the controller.

Q: What does ISO 27001 require for vendor contracts?

ISO 27001:2022 addresses supplier security through Annex A.5.19 (information security in supplier relationships) and A.5.20 (information security within supplier agreements). These controls require that security requirements are documented in the agreements themselves — covering confidentiality, incident notification, access control, audit rights, and exit terms. For ISO 27001-certified organisations, vendor contracts form part of the audit evidence reviewed during certification.

Q: What is vendor risk, and how is it managed?

Vendor risk is the risk your organisation takes on by depending on an external party. It covers operational risk (the vendor fails), security risk (the vendor is compromised), and compliance risk (the vendor does not meet legal requirements). A structured approach includes due diligence before signing, clear security requirements in the contract, and ongoing oversight of the vendor performance.

Q: How do I manage many vendor contracts efficiently?

Effective management requires a central contract repository with automatic renewal reminders, DPAs linked to vendor profiles, and an audit log documenting completed reviews. Without a structured system, it is almost impossible to manage 20+ active contracts, ensure security requirements remain current, and document compliance for regulators.

Most businesses have vendor contracts. Far fewer know what they actually contain. Get the complete checklist and understand the requirements under GDPR, NIS2, and ISO 27001.

Vendor contract checklist showing GDPR data processing agreement NIS2 supply chain security and ISO 27001 supplier management requirements

Most businesses have vendor contracts. But in practice, many discover they have no real idea what those contracts contain, when they expire, or whether they meet today’s legal requirements.

That gap has grown alongside the regulatory landscape. GDPR, NIS2, and ISO 27001 all place specific requirements on what a vendor contract must contain and document. Getting it wrong can be costly — and vendor problems tend to surface at the worst possible moment.

This guide gives you the complete picture: what the contract must cover, what the law requires, and how to make sure you actually have it under control.

What Is a Vendor Contract?

A vendor contract is a legally binding agreement between a business and an external supplier. It sets out the services, responsibilities, obligations, and terms of the relationship.

It is important to understand what a vendor contract is not: it is not the same as a Data Processing Agreement (DPA). The vendor contract governs the entire business relationship. The DPA is a separate legal requirement under GDPR, specifically regulating the processing of personal data. Both are necessary when the vendor processes personal data on your behalf — and one does not replace the other.

A good vendor contract creates clarity for both parties, documents your security and legal requirements, and gives you the means to act quickly if the relationship breaks down.

What Must a Vendor Contract Contain?

This is the question most people are looking for an answer to. And the answer is not a single clause — it is a checklist that covers the entire relationship from start to finish.

Element	What it covers
Parties and subject matter	Who is the agreement between, and precisely what is being delivered?
Scope of services and SLA	Quality requirements, delivery timelines, uptime, and service levels
Price, payment, and adjustments	Fees, payment terms, price escalation, and billing model
Duration and termination	Contract term, notice periods, and conditions for automatic renewal
Liability and limitation	Who bears responsibility, and what is the cap on liability?
Confidentiality and non-disclosure	What information is confidential, and for how long?
Sub-contractors	Who are approved sub-contractors, and under what conditions?
Security requirements	Minimum technical requirements, certifications, and audit rights (NIS2 and ISO 27001-relevant)
Data processing	When is a DPA required? Link to GDPR Article 28 obligations
Breach and termination for cause	Consequences of contract breach and the right to immediate termination in serious cases
Exit strategy and data handling	What happens to data and systems when the contract ends?
Governing law and jurisdiction	Which law applies, and which court handles disputes?

That is a long list. Deliberately so. A vendor contract that only covers the first four items is not a proper vendor contract — it is an offer with a signature.

Vendor Contracts and GDPR

There is one misunderstanding we encounter repeatedly: that a Data Processing Agreement replaces the vendor contract. It does not.

The two documents serve different purposes. The vendor contract governs the entire business relationship — services, pricing, liability, and termination. The Data Processing Agreement specifically governs the processing of personal data under GDPR Article 28. Both documents are required when your vendor processes personal data on your behalf.

GDPR also requires you to carry out oversight of your data processors and to ensure that any sub-processors are approved and bound by equivalent obligations. This is an area many organisations overlook — and it can create problems in the event of a data breach.

A practical rule of thumb: if your vendor has access to personal data for which you are the controller, a DPA is required alongside the vendor contract. The two agreements are linked, but they are separate documents with distinct purposes.

Vendor Contracts and NIS2

This is where .legal’s approach differs from most. NIS2 is not only relevant for organisations directly in scope — it affects the entire supply chain.

NIS2, implemented in Danish law on 1 July 2025, sets explicit supply chain security requirements under Article 21(2)(d). Organisations within the in-scope sectors must actively manage security across their supply chains. And that happens primarily through contracts.

In practice, the vendor contract must include:

Specific security requirements — not vague references to "reasonable security", but concrete, enforceable technical minimum requirements
Audit rights — agreed in advance, so you actually have the right to carry out oversight
Incident response obligations — the vendor must notify you within agreed timeframes when a security incident occurs
Exit strategy and data handling — documented in the contract, not agreed verbally at the point of termination

A practical example: an organisation in the energy sector uses a cloud provider for business-critical systems. Under NIS2, it is not sufficient to know the provider takes security seriously. It must be in the contract — which standards are maintained, how incidents are reported, and what happens if the relationship ends.

Organisations not directly in scope can still be affected: if you supply services to a NIS2-covered customer, expect them to pass security requirements down to you contractually. That is the cascade effect built into NIS2’s supply chain logic.

Read more about NIS2 and what it requires of your organisation.

Vendor Contracts and ISO 27001

ISO 27001:2022 addresses supplier security directly through two controls:

Annex A.5.19 — Information security in supplier relationships: requires a policy for supplier security and ensures that security requirements are agreed with suppliers, including conditions for access to information assets
Annex A.5.20 — Information security within supplier agreements: requires security requirements to be documented in the supplier agreements themselves, covering confidentiality, incident notification, access control, audit rights, and exit terms

For organisations that are certified or working towards ISO 27001 certification, vendor contracts form part of the audit evidence reviewed during certification assessments. Having an internal security policy is not enough — it must be reflected in the contracts you hold with your vendors.

Financial organisations under DORA (the Digital Operational Resilience Act) face equivalent obligations under Article 30, which sets specific contractual requirements for ICT service providers — including exit strategies, inspection rights, and reporting obligations.

Read more about ISO 27001 compliance and what it requires in practice.

Vendor Risk Management — From Contract to Ongoing Oversight

The contract is the starting point, not the finish line. A solid vendor contract creates the framework — but managing vendor risk is an ongoing process.

A structured approach looks like this:

Assessment — Due diligence before signing: what is the vendor’s security maturity? Do they hold relevant certifications? What is the impact if they fail?
Contract — Agree security requirements, audit rights, incident response, and exit terms in writing and without ambiguity
Oversight — Ongoing follow-up through audits, status reviews, and incident log monitoring
Renegotiation or exit — Contracts are renegotiated when requirements change, or when the vendor fails to meet agreed standards

It sounds straightforward. But for organisations managing 20, 50, or 200 active vendor contracts, it is a genuine governance challenge to track expiry dates, verify that security requirements are still current, and document oversight for regulators.

That is exactly what .legal’s vendor management module addresses: a central view of all vendor relationships, with linked contracts, DPAs, audit logs, and automatic reminders for renewal and follow-up.

Read more about information security risk management and vendor audits.

Common Mistakes in Vendor Contracts

These mistakes are more common than you might expect. And most are only discovered when something goes wrong.

Automatic renewal without a reminder mechanism — The contract renews quietly, and no one notices that the terms are outdated
No termination right in the event of a security breach — The vendor suffers a serious data breach, but the contract provides no clear right to immediate termination
DPA missing or out of date — The vendor processes personal data, but no DPA was ever created — or it dates from 2018
Sub-contractors not specified or approved — The vendor uses sub-contractors you are not aware of and have not approved
No exit plan at contract end — The relationship ends, but no one agreed what happens to data, systems, and access credentials
Security requirements too vague to be enforceable — The contract mentions "reasonable security measures", but that is too ambiguous to act on

How to Manage Many Vendor Contracts

For organisations with a significant number of vendor relationships, ad hoc management is not sustainable. What is needed is a structured system.

A good setup includes:

Central contract repository — All vendor contracts in one place, not scattered across drives, inboxes, and local folders
Automatic renewal reminders — Notifications well in advance of expiry or automatic renewal
DPAs linked to vendor profiles — The Data Processing Agreement is directly connected to the vendor and contract, not stored separately
Audit log — Documentation of when vendor reviews were carried out and what was followed up on

.legal’s contract management software is built for precisely that: oversight, reminders, and integration with the compliance process. Want to see how it works in practice? Book a free demo and get a clear picture of what is missing in your vendor management.

Frequently Asked Questions about Vendor Contracts

What is the difference between a vendor contract and a Data Processing Agreement?

A vendor contract governs the entire business relationship — services, pricing, liability, and termination. A DPA specifically governs the processing of personal data under GDPR Article 28. Both are required when the vendor processes personal data. One does not replace the other.

What must a vendor contract contain under GDPR?

At minimum: the parties, scope of services, price and payment, duration and termination, confidentiality, and liability. If the vendor processes personal data, a DPA must be attached under GDPR Article 28. The contract should also regulate the use of sub-contractors.

What does NIS2 require in vendor contracts?

NIS2 Article 21(2)(d) requires organisations in in-scope sectors to manage supply chain security contractually. Contracts must include specific security requirements, audit rights, incident response obligations with defined timeframes, and an agreed exit strategy.

When should I renegotiate a vendor contract?

At expiry, following changes in legal requirements, after a vendor security incident, or when the scope of services changes materially. Critical vendor contracts should be reviewed at least annually.

What happens to data when a vendor contract ends?

The exit strategy should be agreed in the contract upfront: the vendor returns or deletes data within a defined timeframe, access is revoked, and deletion is documented. This is required under GDPR Article 28 and expected under NIS2 and ISO 27001.

Who is responsible for creating vendor contracts?

Typically the person who enters into agreements — procurement manager, legal counsel, COO, or CFO. Compliance and DPO functions should be involved when the contract involves personal data or security requirements.

Can a vendor contract replace a Data Processing Agreement?

No. GDPR Article 28 sets specific requirements for a DPA that a standard vendor contract does not cover. Both documents are required when the vendor processes personal data on your behalf.

What does ISO 27001 require for vendor contracts?

Annex A.5.19 and A.5.20 require security requirements to be documented in vendor agreements — covering confidentiality, incident notification, access control, audit rights, and exit terms. For certified organisations, vendor contracts form part of the audit evidence.

What is vendor risk, and how is it managed?

Vendor risk covers operational, security, and compliance risk from depending on external parties. A structured approach includes due diligence before signing, clear security requirements in the contract, and ongoing oversight.

How do I manage many vendor contracts efficiently?

It requires a central contract repository with automatic renewal reminders, linked DPAs, and an audit log. .legal's vendor management and contract management software handles exactly that. Book a demo to see it in practice.

Still unsure?

Ask Johannes directly, he runs most demos personally

Book him here

Screenshot of .legal vendor contracts module showing centralised contract overview with renewal reminders linked DPAs and audit log

.legal compliance platform Manage Your Vendor Contracts with .legal

Bring vendor contracts, DPAs, audit logs, and security requirements together in one place - with built-in renewal reminders and direct links to GDPR, NIS2, and ISO 27001 frameworks. Get full oversight of your supply chain risk in a single system.