Third-Party Risk: Definition and Compliance Guide

Third-Party Risk Management

Third-party risk management (TPRM) is the process of identifying, assessing, and controlling risks arising from an organization's relationships with external vendors, suppliers, contractors, and service providers who have access to its data, systems, or operations.

third-party riskvendor managementsupply chaindue diligenceTPRM

Why It Matters

Organizations increasingly rely on third parties for critical functions — cloud hosting, payroll, payment processing, IT support. When a vendor suffers a breach, your organization is affected too. Some of the largest data breaches in history (Target, SolarWinds, MOVEit) originated through third-party vulnerabilities. Regulators hold organizations accountable for their vendors' security and compliance.

The TPRM Lifecycle

1. Identification and Inventory

Maintain a complete register of all third parties
Classify by criticality and data access level
Map data flows to and from each vendor

2. Risk Assessment

Evaluate security posture (questionnaires, certifications, audit reports)
Assess financial stability and business continuity
Review regulatory compliance status
Check sanctions lists and adverse media

3. Due Diligence and Contracting

Verify claims through documentation review
Negotiate appropriate contract clauses (DPAs, SLAs, security requirements)
Define audit rights and breach notification obligations
Establish exit and transition plans

4. Ongoing Monitoring

Continuous security monitoring (threat intelligence, rating services)
Periodic reassessment (annual or based on risk level)
Incident monitoring and response coordination
Performance reviews against contractual obligations

5. Offboarding

Secure data return or deletion
Revoke access and credentials
Verify compliance with contractual obligations
Document lessons learned

Regulatory Requirements

Regulation	Third-Party Requirements
GDPR	Data Processing Agreements (Article 28), processor due diligence, sub-processor authorization
NIS2	Supply chain security assessment, vendor risk management as a required security measure
DORA	ICT third-party risk management framework for financial entities
SOX	Controls over outsourced processes affecting financial reporting
HIPAA	Business Associate Agreements for PHI access
PCI DSS	Service provider compliance validation

Key Regulation

GDPR Article 28 — processor obligations and DPA requirements
NIS2 Article 21(2)(d) — supply chain security
DORA (Regulation 2022/2554) — ICT third-party risk for financial services
ISO 27001 Annex A.5.19–5.22 — supplier relationship security

Third-Party Risk Management

third-party riskvendor managementsupply chaindue diligenceTPRM

Regulation

Third-Party Requirements

GDPR

Data Processing Agreements (Article 28), processor due diligence, sub-processor authorization

NIS2

Supply chain security assessment, vendor risk management as a required security measure

DORA

ICT third-party risk management framework for financial entities

SOX

Controls over outsourced processes affecting financial reporting

HIPAA

Business Associate Agreements for PHI access

PCI DSS

Service provider compliance validation

Third-Party Risk Management

Why It Matters

The TPRM Lifecycle

1. Identification and Inventory

2. Risk Assessment

3. Due Diligence and Contracting

4. Ongoing Monitoring

5. Offboarding

Regulatory Requirements

Key Regulation

DORA Compliance and Training for Financial Services: The Complete Guide for 2026

Want more than the definition?

Third-Party Risk Management

Why It Matters

The TPRM Lifecycle

1. Identification and Inventory

2. Risk Assessment

3. Due Diligence and Contracting

4. Ongoing Monitoring

5. Offboarding

Regulatory Requirements

Key Regulation

DORA Compliance and Training for Financial Services: The Complete Guide for 2026

Want more than the definition?