Third-party risk rarely announces itself with alarms. More often, it arrives quietly, disguised as an assumption. The assumption is that responsibility can be shared without consequence. That accountability can be distributed, diluted, and still hold its shape when pressure arrives. That contracts, frameworks, and carefully worded clauses will stand in for human judgment when systems fail and decisions cannot wait.
As banks lean ever more heavily on cloud providers, fintech partners, data vendors, and other external service firms, global regulators are making it clear that third-party risk can no longer be treated as a side issue. Against that backdrop, the Basel Committee on Banking Supervision has published a new set of principles aimed at reshaping how banks manage third-party risk in an increasingly digital financial system.
In my earlier piece, Governing the Extended Enterprise: The TPRM Platform I Would Demand, I laid out what a future-proof third-party governance platform must look like. But if the architecture is the “what,” organizations are now asking about the “how.” How do we take those principles and turn them into capability, authority, and action? Technology alone won’t get us there. Governance needs orchestration.
The European Parliament has backed more breathing room for companies facing the EU Deforestation Regulation (EUDR), voting to push key compliance dates into 2026 and 2027 while simplifying due diligence rules. The goal is to give organizations time to adapt, but the politics around deforestation-free supply chains are now more contentious than ever, and certainty remains elusive.
Poland’s competition authority has opened an antitrust case into Apple, raising fresh questions about whether the tech giant’s privacy controls have given it an unfair edge in the mobile advertising market.
The Danish Data Protection Authority has stepped into a debate over how far suppliers can go when asked to hand over employee information as proof that they’re complying with employment clauses in public and private contracts. A new guidance statement, issued in response to a request from Accura Advokatpartnerselskab, lays out the Authority’s view on the data protection rules that govern these disclosures, and confirms that many suppliers have been right to question the legal footing.
Third-party risk teams have spent the last few years preparing for a world where ESG reporting would continually grow in scope, depth, and regulatory expectation. Companies were told to map emissions throughout their supply chains, understand human-rights risks in their upstream tiers, and gather detailed data from suppliers that had never before been part of formal reporting channels. For better or worse, the direction felt clear.