Vendor onboarding for DORA and MiFID firms: introducing Arna’s updated Blueprint
If your firm is regulated under DORA and MiFID II, vendor onboarding is rarely the work of one person. It runs across legal, compliance, procurement, IT and the business owner of whatever the vendor plugs into. The process is repetitive enough that everyone knows it well, and bespoke enough that no two vendors get reviewed quite the same way.
That gap between repetition and inconsistency is what we set out to close with Arna’s updated Vendor Onboarding Blueprint.
What’s in the update
Two changes matter most.
1. Fine-tuned vendor categorisation. Not every vendor needs the same treatment. The blueprint now classifies vendors into four types: a general vendor (e.g. office supplies), a normal ICT provider, a critical ICT provider supporting a Critical or Important Function under DORA Art. 8(5), or an outsourced business function under the applicable national framework. There’s also an edge case for vendors that are both a critical ICT provider and an outsourced function. The classification decides which scoring sheets apply, which clauses are mandatory, and which are nice-to-have. You stop applying critical-ICT scrutiny to a stationery contract, and you stop missing it on the SaaS tool that is quietly underpinning your KYC pipeline.
2. Pragmatic Mode. This is the first blueprint we’ve shipped with Pragmatic Mode, and it’s the change we’re most excited about. When Arna reviews a vendor contract, it proposes only the amendments and negotiating points needed to get to DORA and MiFID compliance. Not commas. Not stylistic preferences. Not a wishlist of clauses your in-house counsel might prefer in an ideal world. The smallest possible set of changes that gets the contract over the regulatory line.
That matters because vendor negotiations are zero-sum on attention. Every redline raised costs goodwill and time. Pragmatic Mode keeps your political capital for the clauses that actually move the risk needle, such as Art. 30(3) audit rights, exit strategy, business continuity, data location and subcontracting consent.
End-to-end, with humans in the loop only when needed
Arna runs the process from the moment a vendor is proposed through to a signed audit report. It identifies the vendor, asks clarifying questions where it needs to, classifies the vendor type, scores the contract against the applicable sheets, calculates a weighted risk classification, and produces a standardised PDF report you can hand to a regulator.
It loops in a human only when needed: when a clause is genuinely ambiguous, when a risk crosses an escalation threshold, or when final approval is required. Otherwise, it runs through. The audit reports it produces are standardised across vendors, comparable across deals, and predictable in structure. A Head of Compliance reviewing a quarterly batch sees the same output shape every time.
Use ours, or make it yours
Arna gives our customers two paths. The first is to run our blueprint as-is. It encodes the regulatory baseline, and for many firms, that’s enough. The second is to adjust the blueprint to fit how the firm actually runs: who approves, who escalates, what the audit trail looks like, what the deliverable is shaped like, and where the human-in-the-loop checkpoints sit. The blueprint is the floor, not the ceiling. Many of our customers also build their own blueprints from scratch in Arna, encoding internal know-how that has previously lived only in the heads of their senior compliance team.
The point is that you don’t have to choose between “buy a rigid tool” and “build everything yourself.” You inherit the regulatory work we’ve done, and you keep the parts of your process that already work.
“Why not just use ChatGPT or Claude?”
Off-the-shelf LLMs are incredibly helpful. Used carefully, with a good prompt, they help an experienced lawyer think through a vendor contract. You can even build your own prompts and skills on top of them. Where Arna pulls ahead is at the organisational level, not the individual one.
- Standardisation across the firm, not the user. Anyone onboarding a vendor follows the same process. The Head of Legal isn’t auditing whether the procurement lead actually checked Art. 30(3). They know the blueprint did.
- No learning curve. A non-lawyer can run a vendor review end-to-end. The blueprint encodes the regulatory framework, so the user doesn’t have to.
- Knowledge you don’t have in-house. If you don’t have deep DORA or MiFID II expertise sitting at every desk, the blueprint still gives you a reasoned, defensible review.
- Scale and oversight. A manager can monitor the queue, see which cases are stuck, and intervene. You don’t get that visibility from one-off conversations in a chat window.
- Audit trail by default. Every review produces a standardised PDF that a regulator can ask for tomorrow. You’re not stitching together screenshots after the fact.
- Predictable behaviour. The same input produces the same shape of output. Risk classifications are calculated, not vibed.
A general-purpose chatbot is a tool that an individual uses well. A blueprint is something an organisation runs.
What this means for you
If you’re a COO trying to make vendor onboarding less of a fire drill, a Head of Legal tired of every contract review starting from a blank page, or a Head of Compliance who wants to know the same process is being followed regardless of who at the firm clicked “approve”, this is the blueprint to look at.
We’d love to walk you through it.