Keeping Pace with Regulatory Change in Third Party Risk Management (TPRM)


A decade ago, most third party risk programs followed a simple routine: assess the third party's risk level, perform adequate due diligence, review the contract, and check in once a year. While this approach is still used, it no longer meets today’s broader expectations for resilience, cybersecurity, privacy, supply chain oversight, and artificial intelligence, putting your business at risk of non-compliance or disruption.


In 2026, TPRM is governed by a much broader mix of frameworks and regulations, including the Digital Operational Resilience Act (DORA), the Network and Information Systems Directive 2 (NIS2), the General Data Protection Regulation (GDPR), the Corporate Sustainability Due Diligence Directive (CSDDD), and the UK critical third parties regime. These requirements may highlight different risk concerns, but they often affect the same parts of a TPRM program: third party classification, due diligence, contract terms, monitoring, issue management, and exit planning.


More Frameworks Now Affect TPRM

The biggest change is not a single regulation, but the increase in frameworks that now apply to third party oversight. DORA requires financial firms to manage third party IT risk through governance, testing, concentration risk management, and record keeping. NIS2 broadens cybersecurity and supply chain requirements, making third party risk a key part of incident response and operational governance.


Privacy and supply chain rules add complexity. GDPR continues to guide how organizations manage third parties handling personal data. CSDDD and Germany’s Supply Chain Due Diligence Act (LkSG) also drive organizations to examine risks, including human rights and environmental risks, beyond direct suppliers.


Key takeaways

  • Managing third party risk now means meeting broader standards for resilience, cybersecurity, privacy, and supply chain oversight.

  • One process change may need to address multiple frameworks at once.


Operational Resilience Has Raised the Standard

Operational resilience rules continue to emphasize the importance and urgency of third party oversight. DORA requires firms to identify critical providers, manage concentration risk, include oversight and exit terms in contracts, and maintain detailed records. NIS2 also strengthens supply chain security and incident readiness, treating third party failures as organization-wide operational issues rather than isolated vendor problems.


The UK’s critical third party regime adopts a similar approach for financial services, allowing direct oversight of providers whose disruption could affect many firms or the wider market. The bottom line: if a third party supports a critical service, regulators expect more than just a one-time review.


Key takeaways

  • Critical third parties require heightened scrutiny as new regulations and resilience rules emphasize operational dependencies and disruption risk.

  • Third party classification, contracts, continuity, and documentation must adapt to resilience standards.


Overlapping Rules from Different Jurisdictions Create Practical Challenges

One challenge for TPRM teams is that third party oversight often goes beyond a single country’s rules. For example, a U.S. organization may begin with local requirements but find extra obligations if it serves customers in the EU or UK, supports regulated firms there, or uses third parties that do. This means the same third party might need different review steps depending on location, customer type, or service model. To manage this complexity, organizations should prioritize the requirements that carry the highest regulatory or business risk and look for opportunities to harmonize controls where possible. Establishing a baseline set of global controls, then layering on local or high-priority requirements, helps ensure compliance without duplicating effort. When faced with conflicting rules, consult legal, compliance, or risk experts to determine which requirements take precedence.


Multiple regulatory requirements often create challenges as organizations grow. A TPRM program built for one country might struggle when the company expands to new markets or supports clients in other jurisdictions. DORA can even apply to non-EU providers serving EU financial firms; NIS2 covers organizations offering services in the EU, and the UK’s rules affect non-UK providers serving UK financial companies.


Key takeaways

  • Expanding your business across borders often brings overlapping regulatory requirements.

  • TPRM needs adaptable due diligence and oversight for global third parties.


Less Frequent Reviews Are Hard to Justify

Annual assessments are useful, but they are less convincing when a third party’s risk changes during the year. DORA and NIS2 both emphasize ongoing oversight and incident readiness.


Not every organization needs to implement automated monitoring or redesign risk re-assessment schedules; however, critical third parties, major subcontractor changes, concentration points, and significant incidents should be addressed between formal reviews.


Key takeaways

  • Point-in-time reviews leave gaps when third party risk changes quickly, making it harder for your organization to respond to emerging threats.

  • Higher-risk third parties require ongoing monitoring year-round.


AI Highlights Weaknesses in Older TPRM Processes

Artificial intelligence (AI) is now providing clear indicators of where older TPRM tools fall short. Standard questionnaires developed a few years ago might cover security and privacy but probably miss basic questions about AI use, data inputs, model governance, and how material changes are communicated. This means organizations are trying to assess new risks with outdated templates.


Regulations make this even more challenging. AI-related requirements can come from specific AI rules, privacy laws, model risk standards, or industry supervision, depending on the country and use case. As a result, the same third party may need different levels of review based on its services and where it operates.


Key takeaways

  • AI risks increasingly surface in third party relationships that older processes may overlook.

  • Cross-border third parties need flexible, AI-specific due diligence and contracts.


A Few Things Organizations Can Do Now

Most organizations do not need to completely rebuild their TPRM programs. By strengthening the parts facing new regulatory pressures, you can meet evolving requirements and keep your business protected. Current frameworks all point toward better visibility into third parties and dependencies, stronger documentation, clearer governance, and more up-to-date oversight, delivering the assurance your organization needs.


Here are a few practical steps that can help:

  • Update your list of critical third parties and confirm which regulations apply based on service, location, customer type, and data exposure.

  • Prioritize requirements that carry the highest regulatory or business risk and look for opportunities to harmonize controls where possible.

  • Review your questionnaires and contract templates to ensure they cover resilience, subcontractor visibility, AI use, incident response, and exit support as needed.

  • Set up monitoring triggers for critical and high-risk third parties, such as major incidents, subcontractor changes, declining performance, sanctions updates, or concentration points affecting critical services.

  • Ensure that changes or updates to your processes are documented, including the rationale for those changes.


TPRM programs are always evolving, and recent changes mean many organizations must now align with overlapping expectations from DORA, NIS2, GDPR, CSDDD, and local rules for how third parties are chosen, contracted, monitored, and, if needed, exited. This is harder in multi-jurisdiction environments and with AI-enabled services, where the same third party can fall under several rule sets at once. Organizations that maintain a clear view of critical third parties and jurisdictions, keep their questionnaires and contracts current on resilience and AI, and add reliable monitoring triggers should be able to keep up without rebuilding their program every year.

Author Bio

Hilary Jewhurst

Sr. Membership & Education Coordinator at TPRA


Hilary Jewhurst is a seasoned expert in third party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence.

Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies.


Hilary recently joined the Third Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third party risk management capabilities through targeted training, tools, and strategic guidance.
