FiorLab is supplier risk scoring software for EU regulated buyers. Six dimensions, deterministic rules-based scoring, registry-checked data, OCR-verified documents, and a 5-tier verification multiplier that disincentivises self-declaration. Auditor-readable from day one. Free Starter; published pricing from €329 per month.
Most platforms in the supplier risk scoring software category are dressed-up questionnaires. They send the supplier a 200-row form, ingest the answers, run a weighted-sum formula across the responses, and produce a number. That number looks defensible at the procurement-review meeting. It is not defensible at a DORA Article 28(4) supervisory review, an EBA outsourcing inspection, or a CBI 2026 supervisory visit.
Three failure modes show up repeatedly when we audit incumbent supplier risk scoring software against the live regulatory texts.
Self-declaration treated as evidence. The supplier ticks "we hold ISO 27001" and the platform scores the dimension as if the certificate were verified. There is no link to the accredited certification body, no expiry date, no scope, no accreditation body. When the supervisor asks "show us how you know that's true", the answer is a screenshot of the supplier portal.
Opaque AI scoring. An "AI risk score" with no per-dimension explanation, no source data trace, and no auditor-readable evidence chain. This is the worst-of-both-worlds — looks sophisticated, fails the first regulator question ("walk us through how you arrived at this score for this supplier on this date").
Null-as-zero or null-as-100. A supplier with no disclosed financial data scores 0 ("nothing disclosed") or 100 ("nothing flagged") depending on which way the platform treats a null. Both are wrong. The correct treatment under DORA Article 28(4) is to score the dimension on what you have, mark the rest as not-evidenced, and surface the gap in the assessment output. Supplier risk scoring software that papers over null with optimistic defaults is not auditor-defensible.
FiorLab scores every supplier across six dimensions. Each dimension has a verified evidence chain — registry record, certification body, OCR-verified document, or external API call.
Altman Z-Score (the canonical bankruptcy-prediction model: working capital, retained earnings, EBIT, market value of equity, sales — all over total assets). Piotroski F-Score (nine binary signals across profitability, leverage, liquidity, operating efficiency). Cross-checked against registry filings (annual returns, abridged accounts). Null financials score 0 ("not disclosed"), not 100. Hidden cliff: a leveraged supplier with positive headline P&L but Piotroski F = 2 is one bad quarter away from a Z-distress band shift.
Registry status (active, dissolved, in liquidation, in examinership), VAT validation via VIES, LEI lookup via GLEIF, sanctions and PEP screening, regulator-imposed enforcement actions, jurisdictional posture. Direct evidence from the source registry with a timestamp and a defensible decay model.
Environmental disclosures (carbon footprint, scope 1/2/3), social disclosures (modern-slavery, supply-chain due diligence under the German LkSG and EU CSDDD), governance disclosures (board, audit, risk). Mapped to CSRD/ESRS datapoints. OCR-verified document evidence with staleness scoring.
SLA history, on-time delivery rate, breach log, service-credit application. Sources: buyer-provided historical data + provider-reported performance, with reconciliation gap surfaced as a separate signal. A supplier that grades itself "100% on-time" without buyer-side reconciliation is a flag, not a feature.
ISO 9001 (general), ISO 14001 (environmental), ISO 27001 (information security), ISO 45001 (OH&S), ISO 22000 (food), ISO 50001 (energy), ISO 13485 (medical devices), ISO 27701 (privacy), IATF 16949 (automotive), AS9100 (aerospace) — each verified against the accredited certification body via IAF CertSearch. Issue date, expiry, scope, accreditation body. Staleness decay applied; cron pipeline re-verifies certs older than 30 days every Sunday.
R&D intensity, patent footprint, technology partnerships, market posture. Optional dimension — relevant where strategic-supplier selection requires it, omitted from purely-regulatory assessments where the dimension would dilute the signal.
The minimum EU registry set for any defensible supplier risk scoring software in 2026.
CRO Ireland: services.cro.ie (uses CRO_API_KEY), with a fallback path via core.cro.ie (public, but blocked from Vercel IPs). FiorLab Limited (CRO 813471) is self-verified via its own API integration. IAF CertSearch: api.iafcertsearch.org. Premium data partners (Dun & Bradstreet, CreditSafe, EcoVadis) are integration-ready when buyer subscriptions justify the spend. The free registry layer is sufficient for the regulator-defensible baseline.
Supplier risk scoring software at FiorLab applies a verification multiplier per dimension. The multiplier disincentivises self-declaration and rewards verified evidence. A supplier with a registry-verified ISO 27001 certificate scores materially higher than one with a self-declared tick-box, even if both claim the same certification.
| Verification level | Multiplier | What it means |
|---|---|---|
| registry_verified | 1.0x | Verified against the source registry (CRO, Companies House, Handelsregister, VIES, GLEIF) or the accredited certification body (IAF CertSearch). The gold standard for auditor defensibility. |
| verified | 0.95x | Verified via OCR-extracted document with cross-reference integrity check against company name and registry status. Strong evidence, slight discount versus direct registry call. |
| partially_verified | 0.88x | Some evidence verified, some gaps. The dimension is scored on the verified portion with the gap flagged in the assessment output. |
| unverified | 0.80x | Document uploaded but no cross-reference integrity check possible. Suitable for non-critical signals. |
| self_declared | 0.65x | Tick-box claim with no evidence. Significant discount applied. Not defensible at supervisory review on its own. |
Verified evidence ages. FiorLab applies a 5-tier staleness decay to every document: fresh (under 30 days, full weight), aging (30–180 days, 0.92x), stale (180–365 days, 0.85x), very stale (365–730 days, 0.70x), expired (beyond 730 days, demoted). This is the defensible auditor-readable cadence model under DORA Article 28 ongoing-monitoring obligations. Certifications are re-verified against the accreditation body weekly via the cron pipeline.
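To make the mechanics concrete, here is an added Python illustration (not FiorLab's code) of how the multiplier table above, the 5-tier staleness decay and the not-evidenced rule for nulls combine into one dimension score with an auditor-readable trace. It assumes the multiplier and staleness factor are applied multiplicatively to a 0–100 signal score, that "demoted" means an expired item is dropped from the score and listed as a gap, and the sample evidence items are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Multipliers and staleness tiers as published above; age bounds are exclusive, beyond the last = expired
VERIFICATION_MULTIPLIER = {"registry_verified": 1.00, "verified": 0.95,
                           "partially_verified": 0.88, "unverified": 0.80, "self_declared": 0.65}
STALENESS_TIERS = [(30, "fresh", 1.00), (180, "aging", 0.92),
                   (365, "stale", 0.85), (730, "very_stale", 0.70)]

@dataclass
class Evidence:
    signal: str
    raw_score: "float | None"  # 0-100 from the rule for this signal; None = not disclosed
    level: str                 # key of VERIFICATION_MULTIPLIER
    evidenced_on: date         # timestamp of the registry call or OCR extraction

def staleness_tier(age_days):
    for bound, tier, factor in STALENESS_TIERS:
        if age_days < bound:
            return tier, factor
    return "expired", None  # assumption: "demoted" = dropped from the score and listed as a gap

def score_dimension(items, as_of):
    """Return (score, trace, gaps): score over evidenced signals only, an auditor-readable
    per-signal trace, and the gaps that were surfaced rather than filled with a default."""
    total, counted, trace, gaps = 0.0, 0, [], []
    for ev in items:
        if ev.raw_score is None:
            gaps.append(f"{ev.signal}: not disclosed")
            continue
        age = (as_of - ev.evidenced_on).days
        tier, factor = staleness_tier(age)
        if factor is None:
            gaps.append(f"{ev.signal}: evidence expired ({age} days old)")
            continue
        weighted = ev.raw_score * VERIFICATION_MULTIPLIER[ev.level] * factor
        trace.append((ev.signal, ev.level, tier, round(weighted, 2)))
        total += weighted
        counted += 1
    score = round(total / counted, 2) if counted else 0.0  # nothing evidenced -> 0, never 100
    return score, trace, gaps

def sample_assessment(iso_level="registry_verified"):
    """Constructed sample, not real supplier data; assessment date is the page's 29 June 2026."""
    as_of = date(2026, 6, 29)
    items = [Evidence("ISO 27001", 100, iso_level, date(2026, 6, 10)),            # 19 days: fresh
             Evidence("sanctions screen", 100, "verified", date(2026, 1, 1)),      # 179 days: aging
             Evidence("ISO 9001", 100, "registry_verified", date(2024, 1, 1)),     # 910 days: expired
             Evidence("annual accounts", None, "unverified", date(2026, 6, 1))]    # nothing disclosed
    return score_dimension(items, as_of)
```

Calling `sample_assessment()` versus `sample_assessment("self_declared")` shows the same claimed ISO 27001 certificate contributing 100 or 65 to the dimension, while the expired certificate and the undisclosed accounts appear only in the gap list.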
Comparison rows are based on publicly available product documentation, official websites, and analyst coverage as of 29 June 2026. To request a correction, email hello@fiorlab.com.
| Criterion | FiorLab | Aprovall | Vendorica | OneTrust |
|---|---|---|---|---|
| Scoring model | Deterministic rules-based 6-dim | Multi-dimension | AI-assisted | AI-assisted |
| Verification multiplier | 5-tier explicit | Not published | Not published | Not published |
| Document staleness decay | 5-tier explicit | Manual review | Manual review | Manual review |
| Live registry verification | CRO, CH, HR, VIES, GLEIF, IAF | Comparable EU set | D&B / CreditSafe partner data | D&B / Bureau van Dijk partner data |
| Per-dimension evidence chain in PDF | Yes | Yes | Yes | Yes |
| HQ jurisdiction | Ireland (EU) | France (EU) | USA | USA |
| Published pricing | Free + from €329/mo | Contact sales | Contact sales | Contact sales |
| Free tier | Up to 5 suppliers | Trial only | Demo only | Demo only |
Supplier risk scoring software evaluates third-party suppliers across multiple risk dimensions — financial stability, regulatory compliance, sustainability, delivery performance, quality, and innovation — and produces a defensible composite score with the per-dimension evidence chain attached. The score is used by procurement, compliance, and risk teams to onboard, monitor, and exit suppliers under EU regulatory frameworks including DORA Article 28, EBA outsourcing guidelines, GxP, MiFID II, and CSRD.
Self-declared scoring relies on the supplier ticking a box that says "we hold ISO 27001" or "our financials are healthy" without verification against the source. It is the cheapest signal in the procurement compliance category and the easiest to game. Under DORA Article 30(3)(e), EBA outsourcing guidelines, and the CBI's 2026 supervisory posture, evidence must be auditor-defensible — which means cross-referenced against the issuing authority (the accredited certification body, the public registry, the OCR-verified document) with a timestamp. Supplier risk scoring software that treats self-declaration as evidence is not defensible at supervisory review.
Financial stability (Altman Z-Score, Piotroski F-Score, working capital, profitability, leverage ratios). Regulatory compliance (registry status, certifications, sanctions, jurisdictional posture). ESG/sustainability (environmental, social, governance disclosures). Delivery performance (SLA history, on-time rate, breach log). Quality management (ISO 9001 / 13485 / IATF 16949 verified evidence). Innovation capability (R&D intensity, patents, market posture). Each dimension has a deterministic rules-based score with per-dimension evidence traceability.
CRO Ireland (Irish company registry, services.cro.ie), UK Companies House, German Handelsregister, VIES (EU VAT validation), GLEIF (Legal Entity Identifier global lookup), and IAF CertSearch (ISO certification verification against the global accredited body database). French Infogreffe is planned. Premium data partners (Dun & Bradstreet, CreditSafe, EcoVadis) are integration-ready when buyer subscriptions warrant the cost.
Supplier risk scoring software at FiorLab applies a verification multiplier per dimension: registry_verified 1.0x (the gold standard — verified against the source registry or accredited certification body), verified 0.95x, partially_verified 0.88x, unverified 0.80x, self_declared 0.65x. The multiplier disincentivises self-declaration and rewards verified evidence. A supplier with a registry-verified ISO 27001 certificate scores materially higher than one with a self-declared tick-box, even if both claim the same certification.
Document staleness is scored on a 5-tier decay model: fresh (under 30 days, full weight), aging (30–180 days, 0.92x), stale (180–365 days, 0.85x), very stale (365–730 days, 0.70x), expired (beyond 730 days, demoted). This is the defensible auditor-readable cadence model under DORA Article 28 ongoing-monitoring obligations. Certifications are re-verified against the accreditation body weekly via the cron pipeline.
The phrase "supplier risk scoring" hides an honest question: do you trust the score? Most platforms in the category make the score the product. We made the evidence the product, and the score the byproduct. A FiorLab assessment PDF lets the reader trace every score back to a registry record, a certification body lookup, or an OCR-verified document with a timestamp. That is the test our customers' regulators apply, and it is the test we apply to ourselves. Run a real assessment on a real supplier in our free Starter plan, no card required. If the evidence chain stands up to your supervisor's scrutiny, the rest is conversation. Reach us at hello@fiorlab.com.
— Word from our founder
Final free pilot cohort closes 30 June 2026 · paid-only from 1 July. Up to 5 suppliers, full 6-dimension scoring, registry verification, and audit-ready PDF reports. EU-hosted, customer-owns-data.