European regulations on third-party risk management

Introduction

In the current business landscape, the emphasis on managing third-party risk has risen significantly, with regulations playing a pivotal role in ensuring companies across the globe adhere to stringent standards for ethical, sustainable, and secure operations. The German Supply Chain Act, the Corporate Sustainability Reporting Directive, the Network and Information Security Directive 2, the Digital Operational Resilience Act, and the Loi de Vigilance represent pivotal pieces of legislation designed to bolster compliance, environmental responsibility, and digital security. In this blog we explore these regulatory initiatives more in depth and discuss their implications.

Corporate Sustainability Reporting Directive (CSRD)

Continuing with the overview of regulations related to third-party risk management, the Corporate Sustainability Reporting Directive (CSRD) represents a significant shift towards enhancing transparency and accountability in sustainability reporting across the European Union. The CSRD, effective from January 5, 2023, modernizes and expands the reporting obligations under the previous Non-Financial Reporting Directive (NFRD), setting a new benchmark for corporate sustainability disclosures. This directive mandates a broader spectrum of companies, including all large firms and listed SMEs, to report on their sustainability impacts and practices, with the aim of providing stakeholders with comprehensive and reliable sustainability information​​​​​​.

The CSRD introduces the principle of 'double materiality,' requiring companies not only to disclose how sustainability issues affect their business but also how their operations impact the environment and society. This forward-thinking approach ensures that companies' reports reflect both the financial implications of sustainability risks and opportunities, as well as their broader societal and environmental impacts​​. With nearly 50,000 companies across the European Economic Area expected to be affected, the CSRD aims to cover a significant portion of the EU's business landscape, ensuring a wide-ranging impact on sustainability reporting standards​​​​.

Companies subject to the CSRD must report in line with the European Sustainability Reporting Standards (ESRS), providing a harmonized framework for sustainability disclosures. This directive not only seeks to enhance the quality and comparability of sustainability information but also to integrate such reporting into the core business processes, aligning with the EU's broader sustainability goals​​. The first set of ESRS was published on December 22, 2023, marking a crucial step towards the standardized reporting that will be mandatory for companies under the CSRD​​.

The transition to the CSRD poses both challenges and opportunities for businesses. It calls for an improvement in supply chain data collection, analysis, and reporting practices to meet the new requirements. However, it also presents a chance for businesses to showcase their commitment to sustainable practices, potentially attracting investors and customers looking to support responsible and environmentally conscious companies​​.

For companies navigating these changes, it's crucial to begin preparing now. Understanding the CSRD's requirements, assessing current sustainability reporting practices, and identifying gaps in data collection and disclosure processes are key steps. By aligning with the CSRD, companies can not only comply with regulatory requirements but also contribute to the broader goal of a sustainable, low-carbon economy​​.

Network and Information Security Directive (NIS-2)

The Network and Information Security Directive 2 (NIS-2) represents a significant enhancement over its predecessor, designed to bolster cybersecurity across the EU by introducing more stringent security protocols, expanding its scope to include a wider range of sectors, and enforcing stricter incident reporting mechanisms​​. NIS-2 aims to address the increasing threats in the digital landscape, acknowledging the surge in cyber-attacks and the critical importance of digital infrastructure security for society and the economy at large​​​​.

Key objectives of NIS2 include strengthening security measures for essential entities across various sectors, harmonizing reporting obligations to ensure a unified response to cyber threats, expanding regulation scope to cover additional sectors and digital service providers, and promoting stronger national supervision along with EU-wide collaboration​​. The Directive notably broadens its reach to include sectors such as postal and courier services, waste management, and public administration, underscoring the evolving nature of cyber risks​​.

The NIS-2 Directive states that organisations in scope should take into account "Supply chain security, including security-lreated aspects concerning the relationships between each entity and its direct suppliers or service providers" (Article 21).

The Directive also mandates member states to implement measures for "cybersecurity in the supply chain for ICT products and ICT services" (article 7).

Finally, the Directive requires member states to perform "coordinated security risk assessments of critical supply chains" (article 22). This also suggests that organisations being part of a critical supply chain must have a decent understanding of their third-party relationships and associated risks.

One significant area of focus under NIS-2 is the security of Operational Technology (OT). The Directive acknowledges the skills shortage in cybersecurity, particularly in OT, and emphasizes the need for entities to understand their risks and actively manage their security measures​​. Entities covered by NIS-2 will need to take appropriate technical, operational, and organisational measures to manage risks and minimize the impact of incidents, which includes implementing risk analysis, security policies, incident handling protocols, and business continuity plans​​.

In summary, NIS-2 represents a comprehensive effort by the EU to enhance cybersecurity resilience across member states. By expanding its scope, enforcing stricter security measures, and emphasizing incident reporting and collaboration, NIS2 aims to protect the EU's digital economy from the growing threat of cyber-attacks. Entities impacted by NIS2 should view this as an opportunity to assess their current cybersecurity practices and strengthen their preparedness against potential cyber incidents.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a pivotal EU regulation designed to enhance the IT security and resilience of the financial sector against operational disruptions. Enforced from January 16, 2023, with applications starting January 17, 2025, DORA aims to harmonize operational resilience rules across 20 different types of financial entities and their ICT third-party service providers​​.

DORA is necessitated by the financial sector's increasing reliance on technology, making entities vulnerable to cyber-attacks and incidents that could disrupt financial services across borders. It emphasizes the need for a robust digital operational resilience framework to mitigate ICT risks that could impact the economy​​.

Key Components of DORA:

• ICT Risk Management: Establishing a framework for managing ICT risks, including third-party risk management and key contractual provisions.
• Digital Operational Resilience Testing: Mandating both basic and advanced testing to ensure ICT systems' robustness against disruptions.
• ICT-related Incident Reporting: Requiring the reporting of major ICT-related incidents to competent authorities and promoting information exchange on cyber threats​​.

Financial entities are required to adopt comprehensive measures to protect and prevent against potential threats, with DORA specifying processes and systems for swift threat detection and defense. Regular testing of operational stability, particularly through penetration tests, is mandated to uncover and mitigate vulnerabilities​​​​.

The implementation of DORA may present challenges, necessitating updates to ICT systems, fit-for-purpose tooling, optimization of processes, and employee training to comply with the new regulations​​. Financial services firms are urged to perform gap assessments and develop roadmaps for compliance, focusing on embedding digital resilience across all operational levels​​.

The German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, LkSG)

The German Supply Chain Act, which came into effect on January 1, 2023, mandates German companies to ensure compliance with human rights and environmental protection throughout their global supply chains. Initially applicable to companies with at least 3,000 employees, it will expand in 2024 to include companies with over 1,000 employees. This act requires businesses to conduct due diligence by identifying, assessing, and addressing risks in their supply chains, thereby extending their responsibility beyond their direct operations to include both direct and indirect suppliers. Companies are obligated to establish complaint mechanisms, document and report their due diligence efforts, and may face fines for non-compliance. This legislation highlights a significant step towards ensuring the ethical sourcing of materials and fair labor practices across industries​​​​.

The act is monitored by the German Federal Office for Economic Affairs and Export Control (BAFA), which is tasked with ensuring companies meet their due diligence obligations. BAFA can impose fines for non-compliance, with penalties reaching up to EUR 8 million or 2 percent of the company's average annual turnover for larger entities. The Supply Chain Act represents a fundamental shift towards greater corporate accountability in global supply chains, requiring companies to adopt comprehensive risk management strategies to comply with its provisions​​.

These regulations collectively signify a robust framework aimed at fostering transparency, sustainability, and resilience in the digital age. They underscore the importance for companies to stay abreast of regulatory requirements. By integrating these directives into their operational ethos, businesses can not only mitigate risks but also harness opportunities for innovation and competitive advantage.

For businesses navigating this complex regulatory landscape, it's crucial to adopt a proactive and strategic approach to compliance. Implementing robust risk management systems, enhancing transparency, and fostering a culture of sustainability and resilience can help companies not only meet these regulatory demands but also drive long-term value creation.

Duty of Vigilance (Loi de Vigilance)

The French Law on the Duty of Vigilance, Loi de Vigilance, mandates large companies to manage human rights and environmental risks associated with their activities, including those of their subsidiaries, subcontractors, and suppliers. This law is unique as it requires these companies not only to report on efforts to identify human rights-related risks but to actively implement a vigilance plan to prevent them. The law applies to companies headquartered in France with at least 5,000 employees or those with a global employee count of 10,000, including through direct and indirect subsidiaries​​​​​​.

To comply with this law, companies need to establish, implement, and publish a vigilance plan. This plan should outline measures taken to identify, prevent, and mitigate risks of human rights violations and environmental damages internally as well as in the supply chain. It encompasses the company's operations, its subsidiaries, and the activities of suppliers and subcontractors with established commercial relationships. Essential components of the vigilance plan include risk mapping, measures to address and prevent risks, procedures for assessing compliance among subsidiaries, suppliers, and subcontractors, and a system for risk monitoring and third-party due diligence assessments.

Failure to comply with the law, including not publishing a vigilance plan, can result in fines of up to €10 million, which can increase to €30 million if the non-compliance leads to damages that could have been prevented. Moreover, any concerned party, including victims of corporate abuses, can take legal action against companies failing to meet their obligations under this law​​​​.

This legislation represents a significant step towards ensuring corporate accountability for human rights and environmental impacts in the global supply chain. It sets a precedent for other countries and the European Union, which has shown interest in adopting similar directives for mandatory supply chain due diligence​​.

For more detailed guidance on implementing the requirements of the French Duty of Vigilance Law and understanding its implications, companies can consult resources from the European Coalition of Corporate Justice and other related analyses​​​​​​.

‍