Third-Party Risk Management in 2025: What's Changing
Supply chain attacks are up 300% since 2020. Regulators are tightening requirements for vendor oversight. We look at the new TPRM landscape and what frameworks like NIST CSF 2.0, DORA, and CPS 230 require.
The Third-Party Risk Explosion
The average enterprise now relies on over 1,000 third-party vendors. Each one is a potential entry point for attackers, a regulatory liability, and an operational dependency. The SolarWinds, MOVEit, and Okta breaches demonstrated that a single compromised vendor can cascade across thousands of organisations.
Regulators have noticed. 2024-2025 is seeing a wave of new and updated regulations specifically targeting third-party risk management.
What's New in Regulation
NIST CSF 2.0 (February 2024): The new Govern function includes an entire category dedicated to Cybersecurity Supply Chain Risk Management (GV.SC). It requires organisations to establish a supply chain risk management programme, identify and prioritise suppliers, and include cybersecurity requirements in contracts.
EU DORA (January 2025): The Digital Operational Resilience Act requires financial entities in the EU to maintain a comprehensive register of ICT third-party arrangements, conduct thorough due diligence, and ensure contractual provisions for audit rights, security obligations, and exit strategies.
APRA CPS 230 (July 2025): Australian financial institutions must identify material service providers, obtain board approval for these arrangements, and ensure substitutability plans exist for critical dependencies.
SEC Cybersecurity Rules (December 2023): While primarily focused on incident disclosure, the SEC rules have prompted boards to ask harder questions about third-party cyber risk oversight.
Building a Modern TPRM Programme
Effective third-party risk management in 2025 requires:
Tiered assessment: Not all vendors need the same level of scrutiny. Classify vendors by the data they access, the systems they connect to, and the criticality of their service. Reserve deep assessments for high-risk vendors.
Continuous monitoring: Annual questionnaires are insufficient. Use continuous monitoring tools that track vendor security posture, breach disclosures, and financial health in real time.
Fourth-party visibility: Your vendors have vendors. Understanding your critical fourth-party dependencies (the cloud providers, infrastructure vendors, and data processors your vendors rely on) is increasingly required by regulation.
Contractual teeth: Ensure contracts include right-to-audit clauses, security requirements, breach notification obligations, and clear exit provisions. DORA and CPS 230 both mandate specific contractual provisions.