"License fee is not TCO." Every CFO knows it; every GRC vendor stays quiet about it. Here's the honest 3-year calculation for a 200-employee company under ISO 27001 + NIS-2. Comparison: SaaS GRC (Vanta/Drata) vs. SecTepe.Core as an EU-native in-house platform.
Component 1: License and Hosting
- Vanta/Drata: typically €18,000–€35,000 p. a. for 200 employees with ISO 27001 + SOC 2. Surcharge per additional framework.
- SecTepe.Core: license in low five-digit range p. a., hosting on own infrastructure (or EU host, ~€3,600 p. a.).
3 years SaaS: ~€75,000. 3 years in-house license + hosting: ~€45,000. Already a €30,000 difference.
Component 2: Implementation and Integration
Both solutions need initial configuration. SaaS promises "auto-pilot" – realistically 80–120 PD (person-days) of own work for ISO 27001 plus fitting the tool to the environment. In-house platform with templates and wizard-supported setup: 60–100 PD.
Daily cost of an in-house GRC FTE: ~€600–€800. Implementation cost is therefore similar for both options, within roughly €20,000 of each other.
Component 3: Data Sovereignty and GDPR
SaaS GRC stores audit data, risk register, supplier lists often on US infrastructure (AWS us-east). Schrems II makes that GDPR-tricky, NIS-2 Art. 21(2)(d) tightens it. Three options for the CISO:
1. DPA + EU hosting option from the vendor (often a 30–50 % surcharge).
2. Don't put sensitive data into SaaS – but then half the tool is useless.
3. In-house platform: data stays physically where it belongs.
Option (1) adds ~€5,000–€15,000 in premium per year. Over 3 years: €15,000–€45,000.
Component 4: Vendor Lock-in Risk and Exit Costs
Anyone maintaining compliance evidence, risk register, and policy documents in SaaS GRC for 3 years has a lock-in problem: export gives CSV, but not structured data in a form another vendor can import directly. Migration effort for a later switch: realistically 40–80 PD plus 6 months of parallel operation.
In-house platform with open data models + DB backups: exit risk significantly smaller. Data belongs to the company.
Component 5: Scaling With More Frameworks
SaaS vendors charge per framework. Mid-market 2026 often needs several in parallel: ISO 27001 + NIS-2 + GDPR + (sector-specific B3S, SOC 2 for US customers). With SaaS, the surcharge per framework is €5,000–€15,000 p. a. With the in-house platform's multi-framework module: additional frameworks without license uplift, only configuration effort.
Over 3 years that can add another €30,000–€100,000.
Component 6: AI Features
SaaS increasingly offers AI assistants (policy generation, RAG audit, STRIDE threat modeling). Vanta/Drata charge AI modules separately, often €8,000–€20,000 p. a. In-house with an own Ollama LLM: one-time hardware investment (~€5,000), then the running cost is essentially electricity.
The Honest 3-Year Table
| Item | SaaS GRC | In-House |
|---|---|---|
| License/hosting | €75,000 | €45,000 |
| Implementation | €60,000 | €50,000 |
| EU hosting premium / GDPR fit | €30,000 | €0 |
| 3 additional frameworks | €50,000 | €10,000 |
| AI modules | €40,000 | €5,000 |
| Exit-risk reserve | €30,000 | €0 |
| 3-year TCO | ~€285,000 | ~€110,000 |
Where SaaS GRC Wins
Honestly: for a 30-employee startup needing only SOC 2 for US customers, with no EU data protection sensitivity and no NIS-2 obligation – Vanta/Drata goes live faster and is cheaper. Sub-50 employees, single framework, no GDPR focus: SaaS clearly wins.
But for 100+ employees, multiple frameworks, EU headquartered, NIS-2 in scope, data sensitivity – the math tips substantially.
What the CFO Should Concretely Check
- How many frameworks do we need over 3 years?
- Where is which data stored? What does the DPA say?
- What does a vendor switch really cost – not according to vendor marketing?
- Which AI features do we need, what do they cost extra?
- How much internal FTE effort sticks to the tool, and where?
Conclusion
GRC TCO is more than the license invoice. Over 3 years, multiple frameworks, and an EU data protection requirement, the in-house platform is the economically and strategically clean choice for the mid-market. The CFO who dismisses this as vendor marketing should run the math themselves – the numbers above are from real consulting engagements.