
European Trust Center Readiness Checklist (Free, Scored)
A free, scored European Trust Center readiness checklist: 58 line items across six stakeholder lanes, mapped to NIS2, DORA, and GDPR evidence expectations.
Version 1.0 · Updated Jul 3, 2026 · Free, no email required
This European Trust Center readiness checklist is a scored self-assessment — 58 line items across six stakeholder lanes — that tells you whether your trust center actually serves the people (and AI agents) who read it: security reviewers, legal teams, compliance teams, procurement, customer-update subscribers, and automated due-diligence agents. Each item is scored Yes (2), Partial (1), or No (0), producing a readiness percentage and one of three bands: Foundational (below 40%), Developing (40–75%), or Buyer-ready (above 75%). The checklist is built on the six-lane stakeholder model from our guide to the European Trust Center, and every lane maps to a concrete European evidence expectation — GDPR Article 28 subprocessor transparency, NIS2 supply-chain security, DORA ICT third-party requirements, and genuine EU data sovereignty.
It ships as a scored Excel workbook (one sheet per lane plus an auto-summing scorecard), a print-ready PDF, and a machine-readable Markdown file from which an AI agent can run the entire assessment.
Key takeaways
- Trust center readiness is a per-stakeholder question, not a single score. A portal that delights security reviewers can still fail legal (gated subprocessor list), procurement (no published pricing), or AI agents (no machine-readable evidence) — the checklist scores each lane separately so you see exactly where deals stall.
- European readiness has its own bar. ISO 27001-first framing, a public subprocessor list per GDPR Article 28, NIS2 supply-chain evidence, and DORA contractual data points are things EU buyers check that US-template trust centers routinely miss.
- The scoring model is deliberately strict. "Partial" (1 point) covers evidence that exists but is stale, incomplete, or needlessly gated — because to a reviewer on a deadline, stale evidence is barely better than none.
- The sixth lane is the newest and weakest for most companies. AI agents running vendor due diligence need extractable, version-pinned, citable evidence. The llms.txt convention is still emerging — roughly 10% of domains had adopted it by 2026 and Google has said its search systems don't use it — so treat this lane as a forward bet you score honestly, not a box you tick.
- One owner per lane, quarterly cadence. Readiness decays: certificates expire, subprocessors change, pricing moves. The checklist works as an operating rhythm, not a one-off audit.
What's inside the checklist
The 58 line items follow the six stakeholder lanes of a European Trust Center. Every item carries a "what good looks like" definition and an evidence example, so two people scoring the same portal land on the same number. A preview:
| Lane (items) | Owner | Example line items |
|---|---|---|
| 1. Security teams (11) | Security lead / CISO | ISO 27001 certificate published with scope and validity dates; penetration-test executive summary from the last 12 months; encryption posture documented at rest and in transit |
| 2. Legal teams (10) | Legal / DPO | DPA downloadable without registration; public subprocessor list with purpose, data, and hosting location; provider jurisdiction and CLOUD Act exposure disclosed |
| 3. Compliance teams (11) | Compliance / GRC lead | Frameworks shown with scope and audit dates, not logo strips; NIS2 Article 21 posture mapped; DORA Article 30 contractual data points available for financial-sector customers |
| 4. Procurement (9) | Sales / RevOps | Published pricing; vendor assurance profile with legal-entity facts; cyber insurance certificate; uptime history |
| 5. Customer-update recipients (8) | Customer success | Subscribable trust updates; structured incident notices; subprocessor change notices with an objection window |
| 6. AI agents (9) | Engineering / web team | llms.txt declaring trust center scope; machine-readable evidence catalog; version-pinned documents; a declared access-tier and authentication contract |
The scoring model
Each line item gets one of three scores:
| Score | Points | Meaning |
|---|---|---|
| Yes | 2 | Published, current, complete, and accessible at the right access tier |
| Partial | 1 | Exists, but stale (>12 months), incomplete, or gated where it shouldn't be |
| No | 0 | Absent, or effectively unfindable |
Your total (maximum 116 points) converts to a readiness percentage and a band:
| Band | Score | What it means |
|---|---|---|
| Foundational | < 40% | The trust center is a brochure. Reviewers fall back to email-a-PDF, and every enterprise deal pays a security-review tax. |
| Developing | 40–75% | Core evidence exists but at least two lanes are underserved — typically legal transparency, update channels, or AI readability. |
| Buyer-ready | > 75% | All six lanes self-serve. Security reviews run in parallel with the deal instead of blocking it. |
The Excel workbook computes per-lane scores, the total percentage, and the band automatically; the Markdown version contains the same items and rules in a format an AI agent can execute end to end.
How to run the self-assessment
- Assign one owner per lane (see the table above). Cross-lane items — the subprocessor list serves legal and customer-update recipients — are scored by the lane they appear in; duplication is deliberate, because both audiences must be able to find them.
- Score against what a stranger can find, not what exists internally. If your pentest summary exists but a reviewer can't locate it within two minutes, that's a Partial at best. For gated items, score whether the route to the document (NDA flow, access request) is self-serve.
- Consolidate in the scorecard. One coordinator — usually the CISO or compliance lead — reviews per-lane scores, flags the two weakest lanes, and assigns fixes as tickets with owners and dates.
- Repeat quarterly, re-score on change. Re-score a single lane after any material event: a renewed certificate, a subprocessor change, an incident, new pricing, or changes to machine-readable endpoints. Subprocessor lists and certificate validity dates decay fastest — check those monthly.
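The scoring model and the run procedure above, as an added worked example (not the workbook's own formulas): each line item is scored Yes/Partial/No, a Yes whose evidence is older than 12 months is downgraded to Partial, per-lane and total percentages are computed against the 116-point maximum, the band is assigned, and the two weakest lanes are flagged for the coordinator. The lane sizes follow the table above; the item statuses, evidence dates and the "today" date are constructed sample values.

```python
from datetime import date

# Checklist rules: Yes = 2, Partial = 1, No = 0; evidence older than 12 months
# counts as Partial; bands are Foundational < 40%, Developing 40-75%, Buyer-ready > 75%.
POINTS = {"yes": 2, "partial": 1, "no": 0}
STALE_AFTER_DAYS = 365

def score_item(status, evidence_date=None, today=None):
    """Score one line item; a 'yes' backed by evidence older than 12 months is a Partial."""
    today = today or date.today()
    pts = POINTS[status.lower()]
    if pts == 2 and evidence_date is not None and (today - evidence_date).days > STALE_AFTER_DAYS:
        pts = 1
    return pts

def band(percent):
    """Band thresholds from the checklist: 75% exactly is still Developing."""
    if percent < 40:
        return "Foundational"
    if percent <= 75:
        return "Developing"
    return "Buyer-ready"

def score_lanes(lanes, today=None):
    """lanes: {lane_name: [(status, evidence_date_or_None), ...]}.
    Returns per-lane percentages, total, band, and the two weakest lanes (ticket first)."""
    per_lane, total, max_total = {}, 0, 0
    for name, items in lanes.items():
        pts = sum(score_item(s, d, today) for s, d in items)
        per_lane[name] = round(100 * pts / (2 * len(items)), 1)
        total += pts
        max_total += 2 * len(items)
    percent = round(100 * total / max_total, 1)
    weakest = sorted(per_lane, key=lambda n: (per_lane[n], n))[:2]
    return {"per_lane": per_lane, "total_points": total, "max_points": max_total,
            "percent": percent, "band": band(percent), "weakest_lanes": weakest}

TODAY = date(2026, 7, 3)  # assumed assessment date (the checklist's version date)
CURRENT, STALE = date(2026, 2, 1), date(2025, 1, 15)  # constructed evidence dates
SAMPLE = {  # constructed scores for a fictional portal; lane sizes match the checklist
    "1. Security teams": [("yes", CURRENT)] * 9 + [("yes", STALE), ("no", None)],
    "2. Legal teams": [("yes", CURRENT)] * 5 + [("partial", None)] * 3 + [("no", None)] * 2,
    "3. Compliance teams": [("yes", CURRENT)] * 6 + [("partial", None)] * 2 + [("no", None)] * 3,
    "4. Procurement": [("yes", CURRENT)] * 3 + [("partial", None)] * 2 + [("no", None)] * 4,
    "5. Customer-update recipients": [("yes", CURRENT)] * 2 + [("partial", None)] * 2 + [("no", None)] * 4,
    "6. AI agents": [("yes", CURRENT)] + [("partial", None)] * 2 + [("no", None)] * 6,
}

def sample_assessment():
    return score_lanes(SAMPLE, TODAY)  # 64/116 points, 55.2%, Developing
```

The stale pentest-style item in lane 1 drops that lane from 20 to 19 points, and lanes 6 and 5 come out as the two to ticket first.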
Why European readiness is different
A generic trust center checklist tests whether documents exist. A European one tests whether they satisfy the regulatory stack your buyers answer to — because when your customer is an essential entity under NIS2 or a financial entity under DORA, your evidence becomes an input to their compliance file.
- NIS2 (Directive (EU) 2022/2555) requires essential and important entities to manage supply-chain security continuously (Article 21(2)(d)) and to report significant incidents on a strict clock — early warning within 24 hours, notification within 72 hours, final report within one month (Article 23). Your regulated customers therefore need ongoing visibility into your posture and a structured channel for incident communication, which is exactly what lanes 3 and 5 score. The directive's transposition deadline was 17 October 2024, and by May 2026, 23 of 27 member states had transposed it — so this is enforcement reality, not a future concern.
- DORA (Regulation (EU) 2022/2554), applicable since 17 January 2025, makes financial entities responsible for ICT third-party risk (Articles 28–30), including a register of information about every ICT provider. If you sell to banks, insurers, or fintechs, they need specific contractual and operational data points from you — the checklist scores whether your trust center surfaces them instead of triggering a bespoke questionnaire.
- GDPR (Regulation (EU) 2016/679) sets the legal-lane bar: Article 28 requires processors to obtain authorisation before engaging subprocessors and to flow down equivalent obligations, Article 32 requires documented technical and organisational measures, and Articles 33–34 drive breach-communication expectations. A public, current subprocessor list with purposes and locations — plus a working change-notice channel — is the single most-checked legal item in EU vendor reviews.
- Sovereignty and residency. European buyers distinguish EU hosting from EU jurisdiction: a US-incorporated provider can host in Frankfurt and remain subject to the US CLOUD Act. The checklist scores whether you disclose where data lives, which entity operates the portal, and whose disclosure orders reach it — the questions EU buyers now ask first.
The efficiency argument runs the same direction: NIS2, DORA, and GDPR ask overlapping questions about suppliers, incidents, and security measures. A trust center that publishes evidence once, mapped to all three, replaces three parallel questionnaire streams — the reuse logic behind Trust Center requirements under NIS2 and DORA.
The sixth lane is where the next divergence is happening: European buyers are beginning to send AI agents to run vendor due diligence, and agents need machine-readable, version-pinned, citable evidence — the architecture of the AI-native Trust Center. Score this lane honestly: it is a forward bet with early-mover advantage, not a settled standard.
UK and Norway/EEA note
The checklist applies beyond the EU-27 with two adjustments. UK companies score against UK GDPR (retained post-Brexit) and should treat the forthcoming Cyber Security and Resilience Bill as their NIS2 analogue — while noting that their EU customers still evaluate them against NIS2 and GDPR proper. Norwegian and EEA companies already apply DORA through Norway's national DORA Act, in force since 1 July 2025; NIS2 is not yet in force in Norway (national implementation is still in preparation), so lane 3's NIS2 items score against the expectations of your EU customers rather than a domestic obligation. In both cases, the six-lane model — and the sovereignty questions in lane 2 — apply unchanged.
Get the checklist
Download the European Trust Center readiness checklist as a scored Excel workbook, a print-ready PDF, or a machine-readable Markdown file (v1.0, updated 3 July 2026) using the download options on this page. Run the assessment, find your two weakest lanes, and fix them first.
And if the fix list is long: Orbiq's Trust Center platform is built to make most of these line items the default — ISO 27001-first evidence structure, public subprocessor transparency, subscribable trust updates, NDA-gated access flows, and agent-readable endpoints, operated under EU jurisdiction.
Sources & References
- Directive (EU) 2022/2555 — NIS2 — supply-chain security (Art. 21(2)(d)); incident reporting: 24h early warning, 72h notification, one-month final report (Art. 23).
- Regulation (EU) 2022/2554 — DORA — ICT third-party risk management and contractual provisions (Art. 28–30); applicable since 17 January 2025.
- Regulation (EU) 2016/679 — GDPR — subprocessor authorisation (Art. 28), security of processing (Art. 32), breach notification (Art. 33–34).
- European Commission — NIS2 Directive policy page — transposition deadline of 17 October 2024.
- ECSO — NIS2 transposition tracker — 23 of 27 member states transposed as of May 2026.
- SE Ranking — llms.txt adoption study — ~10% of ~300,000 analysed domains had an llms.txt file; Google Search does not use the file.
Frequently Asked Questions
What is a European Trust Center readiness checklist?
A European Trust Center readiness checklist is a scored self-assessment that measures whether your buyer-facing security portal serves every stakeholder who reads it — security reviewers, legal teams, compliance teams, procurement, customer-update subscribers, and AI agents — against European expectations such as ISO 27001-first framing, GDPR Article 28 subprocessor transparency, NIS2 supply-chain evidence, and DORA ICT third-party requirements. Each line item is scored Yes (2), Partial (1), or No (0), producing a readiness percentage and band.
What should a trust center checklist include?
A complete trust center checklist covers six lanes: security evidence (ISO 27001 certificate with scope, penetration-test summary, encryption and access-control posture), legal documents (DPA, public subprocessor list, transfer mechanisms, provider jurisdiction), compliance mapping (NIS2, DORA, and GDPR evidence with validity dates), procurement signals (published pricing, insurance, continuity evidence), customer-update channels (incident and subprocessor change notices), and AI-agent readability (llms.txt, machine-readable evidence catalogs, version-pinned documents).
How do you score trust center readiness?
Score each line item Yes (2 points — evidence is published, current, and accessible at the right tier), Partial (1 point — evidence exists but is stale, incomplete, or needlessly gated), or No (0 points). Divide your total by the maximum (116 points across 58 items) to get a readiness percentage: below 40% is Foundational, 40–75% is Developing, and above 75% is Buyer-ready.
Who should own the trust center readiness assessment?
Assign one owner per lane: the security lead owns security evidence, legal or the DPO owns legal documents, the compliance or GRC lead owns framework mapping, sales or revenue operations owns procurement signals, customer success owns update channels, and engineering or the web team owns AI-agent readability. A single coordinator — usually the CISO or compliance lead — consolidates the scorecard.
How often should you run a trust center self-assessment?
Run the full six-lane assessment quarterly, and re-score a single lane whenever it changes materially — after a new certification or audit, a subprocessor change, a security incident, a pricing update, or a change to your machine-readable endpoints. Certification validity dates and subprocessor lists decay fastest, so check those monthly.
Do UK and Norwegian companies need the same trust center readiness?
Yes, with local adjustments. UK companies operate under UK GDPR and the forthcoming Cyber Security and Resilience Bill and still sell to EU buyers who expect ISO 27001- and GDPR-first evidence. Norwegian companies already apply DORA through the national DORA Act (in force since 1 July 2025), while NIS2 is not yet in force in Norway. The six-lane readiness model applies across the EU, EEA, and UK.