
The Third Party Risk Institute Podcast
Go beyond the headlines with The Third Party Risk Institute Podcast, the official podcast of Third Party Risk Institute.
Each episode brings you into the room with top experts in third-party risk, cybersecurity, procurement, governance, and compliance. Hear how risk leaders tackle real-world challenges, share lessons learned, and stay ahead of evolving threats.
We explore the strategies that work, the mistakes that teach, and the insights you won’t hear anywhere else.
Perfect for risk professionals, procurement leaders, auditors, and decision-makers who want to lead with confidence.
🎧 Subscribe now; new episodes drop monthly on Spotify, Apple Podcasts, YouTube Music, and Amazon Music.
Cyber Crossroads 2025: How DORA, NIS2, and SEC Rules Are Reshaping Third Party Cyber Risk Management
In this episode of The Third Party Risk Institute Podcast, we take a deep dive into the three landmark regulations set to redefine cybersecurity and third-party risk management (TPRM) in 2025:
- DORA (EU Digital Operational Resilience Act) – binding requirements for financial institutions and ICT providers, including detailed vendor contract clauses, unrestricted audit rights, and concentration risk analysis.
- NIS2 Directive – expanding cybersecurity obligations across 18 critical sectors with strict incident reporting timelines, supplier security expectations, and senior management accountability.
- U.S. SEC Cybersecurity Disclosure Rule – requiring public companies to disclose material cyber incidents on Form 8-K within four business days of determining the incident is material, and to describe annually how they manage cyber risk, including risk from third-party service providers.
Together, these regulations signal a global shift: cyber resilience and third-party risk oversight are now board-level imperatives.
What we cover in this episode:
• Key contract clauses and due diligence steps required by DORA
• How NIS2 expands supply chain risk accountability beyond finance
• Why the SEC rules turn material vendor cyber incidents into investor disclosures
• Practical ways to embed vendor oversight into enterprise risk programs
• Actionable steps for CROs, CISOs, and TPRM teams to stay compliant
You’ll walk away with practical guidance on:
• Performing a regulatory gap analysis across DORA, NIS2, and SEC rules
• Updating vendor contracts with notification, audit, and cooperation clauses
• Building a structured supply chain security program aligned with ISO 27001 and NIST CSF
• Preparing disclosure processes and templates to meet SEC 8-K reporting deadlines
• Using certifications like C3PRMP to build in-house expertise and demonstrate readiness
This episode is essential listening for:
• Chief Risk Officers, CISOs, Vendor Risk Managers, and Procurement Leaders
• Cybersecurity, Compliance, and Audit Professionals
• Board Members and Executives overseeing enterprise resilience
By embracing these regulatory changes, you won’t just avoid penalties; you’ll strengthen trust, enhance resilience, and gain a competitive edge in today’s interconnected economy.
🎧 Enjoying the podcast?
Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com
📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd.
📬 Have a question or topic you'd like us to cover?
Email us at: info@thirdpartyriskinstitute.com
Cyber Crossroads 2025: How DORA, NIS2, and SEC Rules Are Reshaping Third-Party Cyber Risk Management
Host: Welcome to The Third Party Risk Institute Podcast, your shortcut to staying genuinely well-informed.
If you’ve felt the ground shifting under your feet with the pace of change in cybersecurity, you’re not alone. 2025 is shaping up to be a landmark year for global cybersecurity regulations, particularly in terms of how organizations manage risks from vendors and service providers.
Today, we’re taking a deep dive into three major regulatory initiatives:
- The EU Digital Operational Resilience Act (DORA)
- The EU NIS2 Directive
- The U.S. SEC Cybersecurity Disclosure Rule
Our mission is to cut through the complexity, pull out the most important insights, and explain exactly what these regulations mean for third-party risk management (TPRM) and, more importantly, how you can prepare.
Why These Regulations Matter
While DORA, NIS2, and the SEC Rule differ in scope and jurisdiction, they share a common theme:
A demand for rigorous, transparent, and proactive cyber risk management across the entire supply chain.
This isn’t just about ticking boxes anymore. Regulators expect companies to embed cybersecurity into every vendor relationship, from contracts to due diligence and transparent reporting.
These changes are reshaping operational strategies at a fundamental level, especially for:
- Chief Risk Officers (CROs)
- CISOs
- Vendor Risk Managers
- Procurement Leaders
DORA: Digital Operational Resilience Act
Applicable from January 17, 2025, DORA introduces a single, binding framework for the EU financial sector.
Key highlights:
- Applies to banks, insurers, payment firms, investment firms, credit unions, and their ICT providers.
- Contracts must include:
  - Clear roles and responsibilities
  - Data/service location requirements
  - Unrestricted audit rights (including regulators)
  - Incident assistance at no extra cost
  - Exit and transition provisions
- Vendors may be designated as critical service providers subject to direct EU oversight.
- Pre-contract due diligence is non-negotiable, requiring certifications (ISO 27001, SOC 2), incident history, and continuous monitoring.
- Institutions must maintain a third-party risk register and conduct concentration risk analysis.
NIS2 Directive
Transposed into EU member state law in October 2024, NIS2 expands cybersecurity requirements across 18 critical sectors, including energy, healthcare, transport, digital services, and manufacturing.
Key obligations:
- Incident reporting timelines:
  - Initial notification within 24 hours
  - Detailed report within 72 hours
  - Final report within 1 month
- Top management accountability: executives can be held personally liable for noncompliance.
- Significant fines for violations (millions of euros or % of global turnover).
- Requires organizations to:
  - Maintain a formal supply chain risk management program
  - Vet and categorize suppliers by criticality
  - Bake cybersecurity expectations into contracts
  - Perform ongoing due diligence, reassessments, and audits
SEC Cybersecurity Disclosure Rule
Adopted in July 2023, phased in through 2024, this U.S. rule applies to public companies and focuses on transparency for investors.
Key requirements:
- Material cyber incidents (including third-party breaches) must be disclosed on Form 8-K within 4 business days.
- Annual reporting (Form 10-K) must describe:
  - Cyber risk management strategy
  - Governance and board oversight
  - Third-party risk management practices
- Drives stronger vendor due diligence, faster incident notification clauses, and greater board-level scrutiny of TPRM.
What This Means for Organizations
These three frameworks collectively:
- Elevate TPRM to a board-level issue
- Require tougher vendor contracts (audit rights, cooperation, indemnification)
- Enforce faster incident reporting and transparency
- Demand continuous monitoring and due diligence
- Increase cross-functional collaboration (CROs, CISOs, boards, auditors)
Practical Roadmap for Compliance
- Perform a Gap Analysis – Compare your current program against DORA, NIS2, and SEC requirements.
- Update Vendor Contracts – Include mandatory clauses for notification, audits, transition, and incident cooperation.
- Strengthen Due Diligence – Require certifications (ISO 27001, SOC 2), SBOMs, and conduct regular reassessments.
- Engage Vendors as Partners – Collaborate with suppliers on shared compliance goals.
- Use Established Frameworks – ISO 27001, NIST CSF, and professional certifications like C3PRMP to build expertise.
- Document Everything – Regulators assume “if it isn’t documented, it didn’t happen.”
Closing Thoughts
2025 marks a turning point in third-party cyber risk management.
Compliance is the floor, not the ceiling.
The real goal is building a culture of resilience and trust across your vendor ecosystem, so you’re ready not just for regulators, but for real-world cyber threats.