According to the 2025 TPRM Observatory conducted by CESIN and Board of Cyber, 82% of respondents now consider supplier-related cyber risk to be "important" or "very important", a clear signal that the digital supply chain remains a major point of vulnerability. Another revealing indicator: 60% of organizations now involve their legal department in third-party risk management, compared to only 11% in 2024. This sharp increase is largely explained by the steady tightening of regulations (NIS 2, DORA, GDPR, ISO 27001, sectoral directives, etc.). These developments show that compliance is becoming a central driver of cyber governance: it structures decision-making, guides budgets, and accelerates the professionalization of TPRM frameworks.
The growing number of interconnections between systems, services, and partners, combined with the multiplication of suppliers and subcontractors, calls for stronger governance of external relationships. The Third-Party Risk Management (TPRM) approach aims to ensure not only the regulatory compliance of providers (GDPR for processors, LPM for OIVs, DORA for financial players, etc.) but also proactive supervision of their security practices.
8 regulations to know when launching a TPRM strategy
To meet compliance requirements and effectively structure your TPRM approach, here is a concise overview of the main regulations to know, including their scope of application, specific obligations, and concrete impact on third-party risk management. To go further, each regulation is the subject of a dedicated article to deepen the understanding of its challenges and operational requirements.
GDPR (Art. 28)
Having entered into force in 2018, the General Data Protection Regulation (GDPR) governs the relationship between data controllers and processors.
Article 28 requires the signature of a Data Processing Agreement (DPA), specifying security measures, authorized audits, and rules for data transfers outside the EU.
All organizations handling personal data are concerned, regardless of their sector.
In terms of due diligence, GDPR mandates verifying provider compliance before any processing begins, notably through audits, certifications, or evidence of compliance.
On a contractual level, it structures obligations around confidentiality, security, and the right to audit.
Finally, GDPR has established a culture of reporting and traceability, where every processing activity and incident must be documented to prove compliance in the event of an inspection.
NIS 2
The NIS 2 directive, adopted in late 2022, is currently being deployed throughout the European Union. Several countries, including Belgium and Italy, have already transposed the directive, while the national transposition by ANSSI is still pending in France and expected for late 2025.
The scope, however, is clear: 18 public and private activity sectors are concerned (energy, health, transport, digital, finance, administration, etc.), with a massive expansion compared to NIS 1.
According to the 2025 TPRM Observatory (CESIN & Board of Cyber), 64% of surveyed companies already operate under the NIS 2 framework, making it the regulation most respondents are subject to—ahead of the AI Act and DORA. The study also shows that regulation has become the primary driver of compliance initiatives, a phenomenon particularly marked in critical sectors.
NIS 2 introduces a profound change in TPRM by imposing continuous supplier assessment, risk management plans, and Service Level Agreements (SLAs) framing requirements for security, availability, and operational supervision.
It also requires rapid incident notification, a right to audit, and regular resilience tests to strengthen supervision across the entire supply chain.
In practice, this directive pushes companies to map their critical dependencies, measure the cybersecurity maturity of their third parties, and document evidence of compliance to be "audit-ready" as soon as the French transposition is published.
DORA
The Digital Operational Resilience Act, applicable since January 2025, targets financial institutions and their technology providers.
It aims to strengthen the digital operational resilience of the sector against cyber threats by requiring the maintenance of a detailed register of ICT suppliers, the performance of resilience tests (Threat-Led Penetration Testing, TLPT), and continuous monitoring of critical providers.
In a TPRM approach, DORA is particularly prescriptive: it governs the initial selection of providers (risk-based due diligence), defines minimum contractual clauses (incident notification, right to audit, reversibility), and imposes regular reporting mechanisms to supervisory authorities.
As the regulation primarily affects large financial institutions, the organizations concerned are often pioneers in compliance. They have already initiated advanced projects for supplier governance, continuous monitoring, and audit-ready documentation, pulling the sector's practices upward.
DORA transforms TPRM into a living and measurable framework, integrating monitoring KPIs (incident frequency, remediation time, control performance) and reinforced management of digital risk exposure.
ISO/IEC 27001:2022
Revised in 2022, the ISO/IEC 27001 standard modernizes the Information Security Management System (ISMS) by integrating new controls related to cloud, DevSecOps, operational resilience, and supplier management.
Certified organizations had until October 31, 2025, to finalize their transition to this version. Since this deadline, certification bodies no longer recognize the old version, and companies that have not yet migrated must now perform a full upgrade before any renewal audit or new certification cycle.
Within the TPRM framework, ISO 27001:2022 becomes a key benchmark for assessing supplier security maturity: it allows for the harmonization of contractual requirements, makes controls objective and measurable, and enables the comparison of practices between partners based on a recognized international standard.
It also encourages continuous assessment via performance and compliance indicators and helps harmonize audits and reporting between stakeholders.
Its adoption facilitates the creation of standardized scoring grids, unifying control practices across the supply chain.
AI Act
The European Artificial Intelligence Act, which entered into force in the summer of 2024, will be deployed progressively until 2027.
It applies to providers and users of AI systems operating in the EU, classifying uses according to their level of risk.
In the context of TPRM, the AI Act adds a new dimension of algorithmic due diligence: companies must evaluate their suppliers based on their data management, supervision processes, and the transparency of their models.
Contractual clauses must integrate obligations for documentation, performance control, and data governance.
This regulation also imposes complete traceability of AI systems, supporting audit preparation and the control of risks related to automation.
Cyber Resilience Act (CRA)
Adopted in late 2024, the Cyber Resilience Act introduces security obligations applicable to all products with digital elements: software, connected objects, industrial equipment, etc.
Its full application is scheduled for December 2027, but companies are already anticipating its effects.
The CRA modifies technical due diligence by requiring organizations to verify compliance with "secure by design" and "secure by default" principles.
It mandates the monitoring of updates, security patches, and product lifecycles, while introducing maintenance and reversibility clauses in supplier contracts.
This approach encourages continuous controls over software quality and vulnerability management, strengthening transparency and shared responsibility within the digital chain.
LPM
The Military Programming Law (LPM) is not a new law: in force for several decades, it is periodically revised. However, the 2024–2030 programming introduces several important changes, notably a strengthening of cybersecurity obligations for Operators of Vital Importance (OIV), an expansion of the scope of concerned entities, and increased requirements regarding supervision, control, incident reporting, and digital sovereignty in sensitive sectors (energy, transport, health, telecommunications, water, defense).
For TPRM, the LPM requires reinforced monitoring of providers operating on these strategic systems, including prior approval obligations, complete traceability of operations (logging, access control), regular audits, and close reporting to ANSSI for any incident or critical intervention.
Contracts must include specific clauses, such as strict management of technical access, encryption of exchanges, incident management protocols, continuity of essential services, or even the requirement for sovereign hosting for certain data.
Finally, the LPM imposes a logic of permanent audit, where organizations must be able to demonstrate at any time their level of compliance, supervision, and control over their chain of providers.
HDS
The new Health Data Host (HDS) standard, which came into effect in November 2024, aligns with GDPR requirements while strengthening the security of cloud and SaaS environments in the medical sector.
Providers (hospitals, medical device and pharmaceutical suppliers) have a transition period until November 2026 to comply.
In a TPRM approach, HDS certification constitutes a decisive selection criterion for healthcare providers.
It imposes rigorous due diligence on access management, data localization, and audit and supervision conditions.
The regulation also facilitates reporting to health authorities and ensures continuous compliance with the security and confidentiality requirements of sensitive data.
3 tips to go further
To succeed in your TPRM (Third-Party Risk Management) strategy, it is important to take into account the following regulatory elements, which will guide the management of supplier and provider-related cyber risks.
- Third-party requirements (due diligence, monitoring, clauses, notification)
Simple supplier compliance is no longer enough: it is now necessary to implement in-depth due diligence processes, continuous monitoring, the systematic integration of security clauses in contracts, and an effective incident notification system. Obligations arising from certain regulations such as DORA and NIS 2 accentuate the need for continuous monitoring of third-party risks and proactive management of the relationship with your subcontractors.
- Documentary base (ISSP, GDPR DPA, ISO 27001 evidence)
Your documentary base is the solid foundation upon which all your regulatory compliance rests. It must include a structured Information Systems Security Policy (ISSP) aligned with ISO 27001 best practices, as well as a Data Processing Agreement (DPA) compliant with GDPR for any subcontractor handling personal data. All these documents must be centralized, versioned, and secured: keeping them in a simple Word file on an unprotected cloud share exposes the organization to risks of leakage, loss of evidence, or unauthorized access. Specialized tools exist to manage this documentary base (TPRM portals, GRC platforms, compliance evidence managers), guaranteeing encrypted storage, strict access controls, and complete traceability of updates, which are essential in the event of an audit or a request from the regulator.
- TPRM Toolbox (grid, remediation plans, continuous monitoring)
Building a TPRM toolbox does not happen overnight: it is a progressive project, built in stages and mobilizing several teams (IT Security, Purchasing, Legal, Compliance, Operations). Concretely, an effective TPRM toolbox relies on standardized assessment grids, due diligence procedures, structured remediation plans, and continuous monitoring to update the risk score. The goal: to have clear and actionable reporting for risk committees and regulators, without overcomplicating operational management.
The objective of this toolbox is not only to manage risks on a daily basis but to document the maturity of your organization, manage the supplier relationship over the long term, and demonstrate your resilience against cyber threats.
Conclusion
Understanding the eight key regulations and their impacts on your processes (due diligence, contracting, continuous monitoring, reporting) is only a first step. The real challenge is to deploy these requirements progressively while remaining vigilant about the constant evolution of these regulatory frameworks and the possible emergence of new obligations in the coming years, by relying on:
- a solid documentary base, regularly updated;
- automation tools capable of centralizing evidence, accelerating assessments, and monitoring the attack surface of your third parties;
- expert support, essential for structuring your governance, defining your priorities, and saving time in achieving compliance.
Rather than waiting for audits or regulatory deadlines, engage now in a progressive and equipped approach. You will strengthen your ability to protect your data, secure your systems, and sustainably master the risks associated with your suppliers.
FAQ
Here are some frequently asked questions and their answers to better understand the implications of regulations on your TPRM approach.
DORA vs NIS 2: what are the TPRM differences?
DORA and NIS 2 differ mainly in their scope of application and objectives. DORA targets the digital operational resilience of financial entities, emphasizing risk management related to information and communication technology (ICT), while NIS 2 aims to strengthen cybersecurity and operational resilience in critical sectors across the EU.
In terms of TPRM, DORA insists on regular resilience tests and the monitoring of critical third-party providers, whereas NIS 2 focuses on harmonizing security standards in essential sectors.
Does the AI Act apply to my SaaS suppliers?
The AI Act will apply to SaaS providers if their artificial intelligence systems are classified as "high risk." This includes applications with a direct impact on citizens' lives, such as in the fields of health or public safety.
Affected providers must meet transparency and compliance requirements, including providing appropriate documentation and implementing continuous monitoring mechanisms.
CRA: which hardware/software are affected?
The Cyber Resilience Act applies to products integrating digital elements, such as software and smart hardware. This regulation aims to ensure that these products are designed to be more resistant to cyber threats, with specific requirements regarding security updates and CE marking.
Is ISO 27001 mandatory?
ISO 27001 is not legally mandatory, but it is widely adopted as a reference for implementing an Information Security Management System (ISMS). While highly recommended for demonstrating internationally recognized compliance, it may be required by certain contracts or audits.
What should be checked in a DPA (GDPR)?
A GDPR Data Processing Agreement (DPA) must include clear clauses regarding personal data management, subcontractor obligations, international transfers, audit possibilities, as well as provisions for incident notification and collaboration in the event of instructions from competent authorities. These agreements must be formalized and integrated into your contracts to ensure GDPR compliance.
How do I prove my TPRM compliance?
To demonstrate your TPRM compliance, it is essential to maintain a complete documentary base, including audit evidence, security test records, updated remediation plans, and regular reports on security KPI monitoring. Solid and accessible documentation facilitates demonstrating your compliance to authorities, clients, and partners.