Third-Party & Vendor Due Diligence

Develop practical supplier assessment and vendor risk skills with a third-party due diligence course focused on Spanish and EU compliance.

  • 78 students
  • July 2026
Trust badge Trust badge

Get this CPD-Accredited programme now. Be secure with an SSL-secured payment backed up by a 14-day money-back guarantee.

Overview

Third-party relationships can improve capability, reduce costs, and provide access to specialist services, but they can also expose an organisation to cybersecurity incidents, regulatory breaches, service disruption, fraud, financial instability, unethical conduct, and reputational damage. This third-party due diligence course helps professionals investigate vendors, classify supplier risks, evaluate controls, and make better-informed decisions before and throughout a commercial relationship.

The online training explains how to recognise operational, financial, cybersecurity, data protection, environmental, social, governance, and reputational risks connected to suppliers and service providers. Learners explore vendor selection, risk assessments, segmentation, contractual controls, regulatory accountability, cloud security, incident response, ongoing monitoring, and evidence-based reporting through a five-module curriculum focused on Spain and the European Union.

What Is Third-Party Due Diligence Training?

Third-party due diligence training explains how organisations assess external suppliers, vendors, contractors, consultants, cloud providers, distributors, and business partners before approving or continuing a relationship. It helps learners determine who the third party is, what services it provides, which risks it introduces, whether its controls are reliable, and how the relationship should be monitored.

The process is more than a one-time supplier questionnaire. Effective vendor due diligence combines initial screening, risk classification, evidence review, contractual safeguards, performance monitoring, incident management, reassessment, and controlled termination. Where personal data is processed, the GDPR requires controllers to select processors that provide sufficient guarantees and to establish appropriate contractual and security arrangements. (EUR-Lex)

Who Should Take a Vendor Due Diligence Course?

This course is suitable for:

  • Compliance officers responsible for investigating third parties and documenting regulatory decisions.

  • Procurement and sourcing professionals who select, assess, approve, and monitor suppliers.

  • Third-party risk analysts responsible for vendor segmentation, risk reviews, and remediation tracking.

  • Information security and cybersecurity teams evaluating cloud providers, software suppliers, and outsourced services.

  • Data protection professionals reviewing processors, subprocessors, data transfers, and security assurances.

  • Internal auditors and assurance professionals testing whether supplier controls operate effectively.

  • Legal and contract management teams supporting risk clauses, accountability, audit rights, and termination provisions.

  • Operational risk and business continuity teams managing dependency, concentration, resilience, and service-disruption risks.

  • Managers and business owners accountable for services delivered through external organisations.

  • International professionals who work with Spanish or EU-connected vendors and need practical regulatory awareness.

What Does Third-Party Due Diligence Training Cover?

The course covers the complete vendor risk lifecycle, beginning with the reasons third parties create business risk and progressing through Spanish and European regulatory expectations, risk identification, supplier segmentation, professional investigations, contracting, governance, monitoring, cybersecurity, cloud risk, and programme development.

Learners examine how to collect relevant evidence, distinguish critical suppliers from lower-risk providers, assess operational and financial stability, evaluate cybersecurity safeguards, identify ESG and reputational concerns, communicate findings, and convert assessment results into proportionate business decisions. The detailed course curriculum appears below.

Professionals with responsibility for human-rights and environmental supplier oversight may also consider the complementary CSDDD Due Diligence and Supply Chain Compliance course.

Curriculum Summary

Module

Key Topics

Module 1: Why Third Parties Become Your Biggest Business Risk

  • Hidden risks within vendor relationships

  • Organisational accountability for outsourced activities

  • Identification of critical suppliers

  • Risk-first culture and governance

Module 2: Navigating Spanish and European Regulations Without Costly Compliance Mistakes

  • Spanish third-party risk requirements

  • GDPR, AML, public procurement, and sector rules

  • Contractual and ethical accountability

  • Continuous regulatory monitoring

Module 3: Spotting High-Risk Third Parties Before They Put Your Organisation at Risk

  • Operational, financial, cyber, ESG, and reputational risks

  • Third-party risk assessment methods

  • Vendor segmentation and criticality

  • Risk-informed business decisions

Module 4: Building a Third-Party Due Diligence Programme That Actually Works

  • Supplier selection and onboarding

  • Professional due diligence investigations

  • Contracts, governance, and risk controls

  • Performance monitoring and escalation

Module 5: Protecting Your Organisation Against Third-Party Cybersecurity and Supply Chain Risks

  • Third-party cyber threats

  • Supplier security assessments

  • Cloud, incident, and digital supply-chain risk

  • Future-ready risk management programmes

Why Is Continuous Vendor Due Diligence Important for Compliance and Resilience?

A supplier that appeared acceptable during onboarding may later change ownership, outsource important services, experience financial difficulties, suffer a data breach, lose key personnel, enter a higher-risk market, or fail to maintain agreed controls. Point-in-time checks cannot reliably identify every change that develops during the relationship.

Poor third-party oversight can contribute to:

  • Data protection breaches and insecure processing arrangements.

  • Operational outages and failure of critical outsourced services.

  • Fraud, bribery, money laundering, or conflicts-of-interest exposure.

  • Weak audit trails and unsupported supplier approval decisions.

  • Contract disputes, unexpected costs, and ineffective service-level controls.

  • Cyberattacks involving cloud providers, software suppliers, or subcontractors.

  • Reputational damage caused by unethical or irresponsible supplier conduct.

Spanish Law 10/2010 establishes due diligence obligations for organisations within its AML scope, while Spain’s Public Sector Contracts Law 9/2017 promotes transparency, integrity, fair treatment, and effective use of public funds. These requirements do not apply identically to every organisation, but they demonstrate why supplier decisions must be documented and proportionate to risk. (BOE)

Cybersecurity expectations increasingly extend into supplier relationships. NIS2 includes supply-chain security within its cybersecurity risk-management measures, while DORA establishes ICT third-party risk obligations for financial entities within its scope. (EUR-Lex)

Completing this online vendor due diligence training supports stronger professional judgement, more consistent investigations, better documentation, and improved communication between procurement, compliance, legal, cybersecurity, risk, and operational teams. It can help individuals and employers develop a more structured approach to supplier assurance without presenting due diligence as a simple checklist exercise.

Learning Outcomes

By completing this course, learners will be able to:

  1. Explain how suppliers, vendors, contractors, and service providers create third-party risk.
  2. Recognise operational, financial, cybersecurity, ESG, compliance, and reputational warning signs.
  3. Distinguish between initial vendor screening, due diligence, risk assessment, and ongoing monitoring.
  4. Classify third parties according to service criticality, information access, dependency, and potential impact.
  5. Apply risk-based principles when selecting the depth and frequency of supplier reviews.
  6. Identify evidence that can support financial, operational, legal, ethical, and security assessments.
  7. Interpret key Spanish and European requirements affecting third-party relationships.
  8. Evaluate whether a supplier provides appropriate assurances before receiving business or personal data.
  9. Review the purpose of contracts, audit rights, service levels, incident duties, and termination controls.
  10. Outline a structured third-party due diligence investigation and escalation process.
  11. Develop proportionate monitoring activities for critical and higher-risk suppliers.
  12. Describe how cloud, subcontracting, incident response, and digital supply-chain risks should be governed.

Requirements

No formal third-party risk management qualification is required. The course introduces key principles before progressing into more detailed regulatory, contractual, cybersecurity, and programme-management topics.

Professional experience is not essential, although learners working in procurement, compliance, risk, cybersecurity, legal services, auditing, data protection, supply chains, or vendor management may find the scenarios particularly relevant.

Learners should have:

  • An interest in applying the learning in a workplace or professional setting
  • An interest in third-party due diligence and its practical responsibilities
  • A device with internet access
  • Desktop or laptop access recommended for the best learning experience

This Course Includes

  • Approximately 8 hours of online self-paced learning
  • Structured modules based on the supplied curriculum
  • Practical professional guidance
  • Spanish and EU regulatory and professional alignment
  • Real workplace examples and applied scenarios
  • Knowledge checks and assessment preparation
  • Mock exam
  • Final exam
  • Certificate of completion
  • Access from desktop, tablet, or mobile device

Certification

Certification

After completing the course, learners will receive a Certificate of Completion from Global Safety Academy.

The certificate demonstrates that the learner has completed structured training covering third-party due diligence, vendor risk assessment, supplier segmentation, regulatory awareness, contract governance, monitoring, cybersecurity, cloud risk, and professional responsibilities.

It does not constitute government approval, a regulated professional licence, formal certification against an ISO standard, or guaranteed acceptance by an employer or professional body.

Why Choose Us

Global Safety Academy provides structured online learning for professionals who need to understand complex workplace and business responsibilities without unnecessary technical language. The course connects regulatory expectations with realistic supplier decisions, helping learners understand not only what to review but why the evidence matters.

The self-paced format supports individual learners, distributed teams, and international organisations. Each module progresses from core third-party risk concepts into practical assessment, governance, monitoring, and cybersecurity responsibilities.

A Certificate of Completion provides evidence that the learner has completed the course and studied its principal due diligence and vendor risk topics.

Learners choose Global Safety Academy because the training is:

  • Clear, structured, and easy to follow
  • Suitable for busy professionals and teams
  • Focused on real workplace and professional challenges
  • Built around practical application rather than abstract theory
  • Written in accessible Global English
  • Designed for international learners and organisations
  • Supported by certificate-based completion

Career Opportunities

This course can support professionals working in or moving towards roles such as:

  • Third-Party Risk Analyst
  • Vendor Risk Manager
  • Supplier Assurance Analyst
  • Procurement Risk Specialist
  • Compliance Officer
  • Cybersecurity GRC Analyst
  • Operational Risk Analyst
  • Internal Auditor
  • Vendor Relationship Manager
  • Supply Chain Risk Coordinator

The training can strengthen professional development, workplace responsibility, sector knowledge, compliance awareness, and readiness for supplier-facing duties. Course completion does not guarantee employment, promotion, professional membership, or qualification for a regulated role.

Curriculum

1

Module 1: Why Third Parties Become Your Biggest Business Risk

1 Hour

  • The Hidden Risks Inside Modern Third-Party Relationships
  • Why Spanish Organisations Can No Longer Outsource Responsibility
  • Understanding Critical Suppliers Before They Become Critical Business Risks
  • Building a Risk-First Culture for Third-Party Due Diligence
2

Module 2: Navigating Spanish and European Regulations Without Costly Compliance Mistakes

1 Hour

  • Understanding Spain’s Regulatory Framework for Third-Party Risk Management
  • Managing Vendor Compliance Under GDPR, AML, Public Procurement, and Sector-Specific Rules
  • Contracts, Legal Accountability, and Ethical Third-Party Management in Spain
  • Creating Continuous Regulatory Compliance Instead of One-Time Vendor Reviews
3

Module 3: Spotting High-Risk Third Parties Before They Put Your Organisation at Risk

1 Hour

  • Identifying Operational, Financial, Cybersecurity, ESG, and Reputational Risks
  • Using Third-Party Risk Assessments to Support Better Business Decisions
  • Vendor Segmentation: Prioritising Critical Third Parties Based on Risk
  • Turning Risk Assessment Results into Confident Business Decisions
4

Module 4: Building a Third-Party Due Diligence Programme That Actually Works

1 Hour

  • Selecting the Right Supplier from the Very Beginning
  • Conducting Professional Third-Party Due Diligence Investigations
  • Strengthening Supplier Relationships Through Contracts, Governance, and Risk Controls
  • Monitoring Third-Party Performance Before Small Issues Become Major Compliance Failures
5

Module 5: Protecting Your Organisation Against Third-Party Cybersecurity and Supply Chain Risks

1 Hour

  • Understanding Why Third Parties Have Become a Major Cybersecurity Target
  • Evaluating Supplier Security Before Sharing Business or Personal Data
  • Managing Cloud Security, Incident Response, and Digital Supply Chain Risks Under Spanish and EU Requirements
  • Building a Future-Ready Third-Party Risk Management Programme

Frequently Asked Questions

Vendor due diligence is the investigation and assessment process, while third-party risk management covers the wider relationship lifecycle. Due diligence supports decisions during selection, onboarding, reassessment, investigation, and renewal. Third-party risk management also includes governance, contracting, monitoring, incident response, remediation, business continuity, and termination.

The course is designed for professionals who select, approve, manage, investigate, audit, or monitor external organisations. Relevant learners include procurement professionals, compliance officers, risk analysts, internal auditors, cybersecurity teams, data protection professionals, legal teams, contract managers, and operational leaders.

The answer depends on the organisation, sector, activity, third party, and applicable jurisdiction. GDPR processor selection, AML obligations, public procurement rules, DORA, NIS2, and sector-specific requirements can create different forms of supplier assessment or oversight responsibility. Organisations should determine their exact obligations through appropriate legal and regulatory advice. (AEPD)

Yes. The course addresses supplier selection, personal-data sharing, processor accountability, security assurances, contracts, cloud services, incident response, and continuous monitoring. It supports awareness of GDPR and Spain’s Organic Law 3/2018 but does not replace a formal data protection impact assessment or legal review. (BOE)

Yes. Learners examine supplier security assessments, access to business and personal data, cloud-service risks, incident response, digital dependencies, subcontracting, and supply-chain cybersecurity. The content also introduces relevant NIS2, DORA, ISO/IEC 27036, and NIST supply-chain risk principles. (iso.org)

The course is set at Intermediate level. It explains foundational concepts before progressing into risk segmentation, investigations, Spanish and EU regulations, contractual controls, ongoing monitoring, cloud security, and programme development.

No formal experience is required. Basic familiarity with business operations, procurement, compliance, cybersecurity, risk, auditing, legal responsibilities, or supplier relationships may help, but the course explains the essential concepts in accessible Global English.

The estimated completion time is approximately eight hours. Actual study time may vary depending on the learner’s prior experience, reading pace, assessment preparation, and review of applied scenarios.

Learners who complete the course will receive a Certificate of Completion from Global Safety Academy. The certificate demonstrates completion of structured training in third-party due diligence, vendor risk assessment, supplier monitoring, regulatory awareness, and cybersecurity risk.

No. The course provides professional-development training and a Certificate of Completion. It does not provide a regulated licence, formal legal authority, government approval, guaranteed professional recognition, or permission to perform activities reserved for qualified specialists.

Third-Party & Vendor Due Diligence training course banner for compliance, vendor risk assessment, supplier screening, and governance.
$34.00
This Course Includes
  • 6 Hour
  • Access from mobile and PC
  • Study materials included
  • Certificate of completion
Accredited By:
Trust badge
Trust badge