Global Third-Party Cyber Risk Regulatory Trends to Know: US and Europe

Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

The landscape of third-party cyber risk is undergoing a profound transformation, driven by an escalating threat environment, an expanding attack surface, AI, and a tidal wave of new global regulations. As organizations grapple with complex digital supply chains, regulators across the US and EMEA are stepping up oversight, making 2026 a pivotal year for compliance and risk management. This analysis explores the essential threat intelligence and regulatory shifts that demand immediate attention.

The volatile threat and risk environment

The context for increased regulatory focus is a rapidly evolving and hostile threat landscape. Recent events demonstrate that geopolitical conflicts translate instantly into cyber conflict, escalating risk for organizations, and for their third party business partners and suppliers, worldwide. Around the world, regulators are watching these events, tracking incidents, and trying to understand the impact on the organizations they are responsible for overseeing.

In recent months, Bitsight has observed a growing number of cyber attacks targeting public and private sector organizations in the Middle East, Europe, and the United States. Approximately 60 distinct threat actors and groups have engaged in malicious cyber activity since the Iran conflict began, leveraging distributed denial-of-service (DDoS) attacks, website defacements, and data leaks. Alarmingly, some groups have claimed compromises of critical industrial control environments and logistics systems, including energy and transportation networks.

The destructive potential of sophisticated groups is also clear. For instance, the Iran-linked Handala group executed a recent cyber attack that significantly disrupted a major U.S. medical technology company, Stryker. The attackers reportedly bypassed malware defenses by co-opting Microsoft Intune to remotely wipe over 200,000 systems and mobile devices in an operation framed as retaliation for military actions.

Adding to the systemic risk, Bitsight researchers have found that Industrial Control System (ICS) and Operational Technology (OT) systems are increasingly exposed to the public Internet. Global ICS/OT exposure surpassed 200,000 monthly unique IPs in 2025, with many of these devices used in critical infrastructure. Concurrently, the number of associated vulnerabilities (CVEs) is growing, and some devices are being actively exploited.

Of course, over the last 9 months there have also been a number of high-profile incidents impacting supply chain partners:

  • Jaguar Land Rover Manufacturing Shutdown (Sep. 2025): The Scattered Spider group exploited a zero-day vulnerability in SAP NetWeaver, halting production for five weeks.
  • Salesforce / OAuth Token Theft (July–Aug. 2025): Attackers targeted third-party integrations instead of Salesforce itself.
  • Axios Library Hijack (April 2026): A DPRK actor compromised a maintainer's npm account to release malicious updates to the Axios library.
  • Collins Aerospace Airport Disruptions (Sep. 2025): A ransomware attack on the MUSE passenger processing system disrupted multiple European airports.

Finally, the emergence of artificial intelligence (AI) presents a dual challenge: it is a significant threat for attack automation, but also offers opportunities to reduce risk if leveraged effectively. Regulators are paying close attention to AI exposure and risk.

Global regulators are observing a rapidly changing attack surface, growing cyber threats, and an increasing number of successful attacks on third party supply chains. Over the past year they have responded in kind, with greater emphasis on and oversight of third party risk at their regulated entities.

Intensified regulatory focus on third-party risk in the US

Let’s start in the US, where regulators are uniformly prioritizing third-party cyber risk management in 2026. This focus is driven by the realization that material risks and incidents can occur both internally and within third-party environments. We’ll examine regulators across different sectors and industries to see how they are approaching things.

1. Federal Financial Regulators: Securities and Exchange Commission (SEC), Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB)

Federal financial regulators have long led the way in developing third party cyber risk requirements and ensuring that those requirements are being implemented by financial institutions across the US. All indicators suggest that third party cyber risk remains a critical priority for these regulators.

The SEC’s oversight of third party cyber risk at its regulated financial institutions is tightening through both new rules and examination priorities.

  • Regulation S-P: Reg S-P is an SEC rule requiring certain financial institutions (like broker-dealers, investment companies, advisers, and transfer agents) to protect customer data. New amendments passed in 2025 broaden the definition of “customer information” and introduce new service provider oversight obligations, including a critical 72-hour notification requirement. Compliance deadlines are rapidly approaching: December 3, 2025, for large institutions and June 3, 2026, for smaller entities.
  • 2026 Exam Priorities: Cybersecurity remains a vital, perennial priority for the Division of Examinations, and the Division is now focusing specifically on third party risk. Examinations will assess compliance with Regulation S-P, including firms’ policies, internal controls, oversight of third-party vendors, and governance practices. The Division will also scrutinize the training and security controls firms use to mitigate new risks from AI and polymorphic malware attacks, including how they operationalize threat intelligence.
  • Public Company Disclosure Requirements: Existing 10-K/8-K requirements demand disclosure of material cyber risks and incidents, with a heavy focus on third-party risk issues. Public companies must disclose processes to oversee and identify risks from threats associated with third-party service providers. The dismissal of SEC v. SolarWinds in November 2025 may indicate less aggressive enforcement of public disclosures, but the case nevertheless highlights the criticality of accurate reporting regarding both pre-attack cybersecurity practices and the subsequent incident impact.

Other federal financial regulators appear to maintain their focus on cybersecurity oversight. The Office of the Comptroller of the Currency (OCC) views operational resilience and cybersecurity as top issues in its 2025 Bank Supervision Operating Plan. The Federal Reserve Board (FRB) Office of Inspector General listed ensuring service providers have effective IT security programs as a major management challenge for 2025–2026. Both organizations are focused on improving their own internal third party supply chain risk programs in light of recent incidents that have taken place on their own systems.

2. Department of Justice (DOJ) and the False Claims Act

One area of aggressive third party contractor enforcement is taking place within the Department of Justice. The DOJ is signaling a significant upward trajectory in enforcement of False Claims Act (FCA) cases involving misleading cybersecurity statements by federal contractors. In 2025, the DOJ recovered over $52 million across nine cyber FCA settlements, more than triple that of previous years.

Deputy AG Brenna Jenny noted that these cyber-fraud cases focus on “misrepresentations” about cybersecurity compliance, not just data breaches. This increased scrutiny means entities receiving federal funds (e.g., defense contractors, healthcare) must expect continued oversight regarding their cybersecurity commitments. For example, a defense contractor settlement of $4.6 million in 2025 showcased enforcement for failures like not implementing required NIST SP 800-171 controls and submitting false SPRS scores.

3. Department of War and the Cybersecurity Maturity Model Certification (CMMC)

After years of development, the Cybersecurity Maturity Model Certification (CMMC) became mandatory in DOD contracts for contractors handling Controlled Unclassified Information (CUI). CMMC includes provisions requiring contractors, along with their third party subcontractors, suppliers, and vendors, to meet specified cybersecurity control requirements.

The phased rollout of CMMC requires self-assessments for Level 1 and 2 starting in November 2025, with mandatory third-party assessment (C3PAO) for Level 2 starting in November 2026. Significantly, Level 3 requirements focus explicitly on supply chain risk management requirements (SCRM Plan and Supply Chain Security Requirements).

CMMC will have a massive impact on the way that defense contractors manage their own cyber risk, as well as the risk posed by third party subcontractors and vendors.

4. Health and Human Services (HHS): Office for Civil Rights (OCR) and HIPAA

HHS continues to deal with significant numbers of HIPAA data breaches, including breaches affecting third party service providers (known in health care parlance as “business associates”).

Healthcare organizations face ongoing challenges with business associate breaches. Since January 1, 2025, 165 cyber breaches involving third-party “business associates” were reported to HHS-OCR, affecting over 24.4 million individual records. The March 2026 MMG Fusion settlement, for a 2020 incident, illustrated HIPAA violations stemming from failing to conduct a thorough risk analysis and failing to notify covered entities of the breach.

5. Federal Energy Regulatory Commission (FERC)

The Federal Energy Regulatory Commission (FERC) recently passed a Final Rule on Supply Chain Risk Management Reliability Standards Revisions in September 2025. This rule directs NERC to address supply chain risks for network-connected equipment to protect the electric grid. Audit lessons learned show that lack of due diligence and oversight when relying on third parties remains a key failure point.

6. New York Department of Financial Services (NYDFS)

The New York Department of Financial Services (NYDFS) issued updated guidance in October 2025 on managing third-party service provider (TPSP) risks. The guidance emphasizes that Senior Governing Bodies and Officers must actively engage in TPSP-related cybersecurity risk management and oversight. Required elements include robust due diligence, contractual provisions, and a focus on vulnerability management and confirmed remediation of identified deficiencies.

Third-party regulatory developments in Europe

In Europe, major directives like NIS2 and DORA are moving from legislation to enforcement, creating stringent new mandates for third-party oversight.

1. NIS2 Directive

The NIS2 Directive is a major cybersecurity directive covering 18 critical infrastructure sectors. Entities must implement technical, operational, and organizational measures, including risk management, incident response, and supply chain security.

While EU Member States were required to incorporate the NIS2 directive into national laws by October 2024, some countries have yet to finalize transposition. Those that have transposed are still finalizing supervisory frameworks and registration systems. In January 2026, the European Commission proposed targeted amendments to the directive, which could narrow its scope and introduce elements of maximum harmonization. Proposed changes could exempt “small mid cap” organizations (those with 150M EUR revenue or less than 750 employees) from additional regulatory scrutiny.

2. DORA (Digital Operational Resilience Act)

DORA is a major cybersecurity regulation that applies to banks, investment firms, insurance companies, crypto-asset service providers, and their critical third-party information and communications technology (ICT) service providers. It contains several key pillars for managing cyber and third party risk.

The year 2025 was a transition year for financial entities and regulators preparing for DORA. Implementation tasks around registers of contractual arrangements with ICT service providers and major ICT incident reporting are still being completed. Findings from the Supervisory Review and Evaluation Process (SREP) consistently show that ICT risk management remains a persistent weak spot, receiving the worst average scores.

Critical Third Party ICT Providers (CTPPs): A major shift under DORA is the designation of CTPPs, which are now subject to direct oversight by European Supervisory Authorities (ESAs). These designated providers offer pivotal ICT services, including core infrastructure and data services, to financial entities across the EU. Designated organizations include major names like Amazon Web Services, Google Cloud, Microsoft Ireland Operations Limited, and SAP SE.

ECB Supervisory Priorities (2026–2028): The European Central Bank (ECB) confirms that increasing cyber threats and dependency on common third-party service providers continue to pose major challenges to banks. Banks must consistently and swiftly implement the relevant DORA requirements, particularly those for ICT third-party risk and incident response management. The ECB will also gradually step up engagement with banks on the risks and gains associated with using new technologies, especially AI.

DORA Expectations for 2026: Financial institutions should prepare for four key regulatory shifts:

  1. Expect direct engagement with regulators.
  2. Regulators will use the Register of Information (RoI) to gain visibility into digital supply chains.
  3. Focus will shift to assessing the effectiveness of established TPRM programs.
  4. Expect on-site inspections focused on cybersecurity and third-party risk management.

Conclusion: Third party cyber risk is a key regulatory focus for 2026

The regulatory landscape is clear: sector-specific regulators are prioritizing third party and supply chain risk for oversight in 2026 and beyond. Coupled with rising supply chain threats and the emerging risks of AI, operational resilience hinges on effective TPRM.

The key focus for organizations in 2026 is to move beyond basic compliance toward true risk reduction by expanding ongoing monitoring to a broader set of third parties, achieving a greater understanding of digital exposures, and integrating threat intelligence directly into TPRM programs. The political dynamics in the US and EU will continue to impact oversight priorities, making continuous regulatory awareness a necessity.


See why GigaOm named Bitsight a Leader in TPRM

Third-party risk is now a business-critical priority for security and risk leaders. In GigaOm’s latest Radar report for Third-Party Risk Management, Bitsight was positioned as a Leader and Fast Mover for its externally sourced cyber risk ratings, continuous monitoring, API-first integrations, and vendor risk visibility.