TPRM and the EU Regulatory Environment

January 17th, 2025 Adelani Adesida Reading Time: 3 minutes
The landscape of EU TPRM regulation is evolving. Staying aware and proactive is key to compliance success.

It goes without saying that the regulatory environment is ever changing and increasingly active. It can be very difficult to keep on top of new proposals and guidance. However, understanding how they can affect your risk programmes is critical to success. And as more and more legislation targets your management practices for third-party, fourth-party, and supply chain relationships, more vigilance is needed to align your compliance and third-party risk management (TPRM) initiatives.

Much of the upcoming regulation coming out of the EU is focused on Environmental, Social, and Governance (ESG) initiatives, such as removing forced labour from supply chains. As ESG and sustainability practices become more integrated into TPRM programmes, it is expected that more organisations will be held accountable.

Events like last year’s CrowdStrike outage, which revealed vulnerabilities in third- and fourth-party technology engagements, also highlight the challenges posed by concentration risk, by the scarcity of binding regulations, standards, or best practices designed to guard against such failures, and by the lack of effective digital resilience strategies. The DORA regulation, by contrast, is designed to reduce the likelihood that information security or software issues bring down entire systems in the EU financial sector. DORA may create a watershed moment for similar legislation.

Below are just a few new and upcoming legislative acts that are making waves across TPRM programmes in the EU and beyond. 

Digital Operational Resilience Act (DORA)  

DORA goes into effect on 17 January 2025 and creates a single financial services information and cybersecurity regulation for all of Europe. The goal of DORA is to define and strengthen cybersecurity protections, best practices, and frameworks to ensure the security and resiliency of networks and information systems at these organisations and their relevant third parties.

Third parties, and third-party risk management (TPRM), are central to the DORA regulation. Some of the guidance within DORA around third-party information and communications technology (ICT) service providers includes:

  • Pursuing a risk-based third-party engagement programme, with prioritisation and automated onboarding, offboarding, and due diligence workflows
  • Implementation of defined information security controls, testing, and reporting 
  • Identifying concentration risk and reducing hyper-interdependencies with or between third parties 
  • Regular reviews of critical third-party ICT provider risk strategies and confirmation of clear, written, accessible, auditable policies and processes aligned to DORA requirements  
  • Continuous monitoring to identify financial, ESG, cyber, and data breach risks 

Corporate Sustainability Reporting Directive (CSRD) 

In November 2022, the EU adopted the CSRD, which requires relevant organisations to report on a range of topics, including climate change, environmental protection, social responsibility, and governance.

Companies not only need to perform thorough due diligence analysis on their own organisations but must also review their third parties and their activities. CSRD reporting will begin in January 2025.

In terms of its impact on future regulations, the CSRD also introduces the concept of “double materiality.” This means companies are required to report both on the ESG risks and opportunities that affect their business and on the ESG impacts of their business on people and the environment. This represents a significant amount of work required to fulfil the reporting requirements.

Corporate Sustainability Due Diligence Directive (CSDDD) 

In January 2024, the European Commission released the final draft of the CSDDD to address ESG concerns within organisations and their supply chains. 

Under this regulation, applicable organisations need to identify, mitigate, prevent, and take responsibility for human rights, labour, and environmental activities in their own operations and in those of their supply chains and third parties.

EU Forced Labour Regulation 

In April 2024, the EU Parliament approved a ban on the sale, import, and export of products manufactured using forced labour. Under this regulation, any suspected use of forced labour is to be investigated and the affected products removed from the market. This also applies to products created further down and/or within supply chains.

This regulation is still in its early days and is expected to go into full force in 2027. 

There are additional regulations on the horizon that directly affect how businesses manage their third-party relationships. The EU Deforestation-free Regulation (EUDR) was expected to go into effect at the end of 2024 but has been delayed for a year. It, too, affects sustainability practices and reporting. It is likely that additional, similar regulations will follow in the not-too-distant future. It pays to keep up with requirements and to build your TPRM programme to weather anticipated and unanticipated regulatory changes.


Adelani Adesida

Adelani is Aravo Solution’s Senior Sales Director covering EMEA.

Having invested a decade within the Integrated Risk Management industry, Adelani brings a wealth of experience with a strong track-record of sales, account management and project delivery across numerous risk domains.

Adelani has been a key member of numerous award-winning implementation projects and, in part due to being an avid gamer, has a close interest in Information Security and CyberSecurity programmes.

His charitable work includes participation in the Aleto Foundation’s Future Leaders mentorship programme and serving as a Board Member of Dream Nation.