This is just the beginning
Here is the latest edition of the agenda. As we approach the event, we will be adding speakers and sessions to enhance your experience. To stay informed, please register your interest
Wednesday June 3, 2026
8:00 am - 8:50 am
Registration and breakfast
8:50 am - 9:00 am
Chair’s opening remarks
9:00 am - 9:35 am
TPRM REGULATION IN PRACTICE
Preparing for increased scrutiny amid overlapping and evolving regulations
- Distilling what recent supervisory reviews reveal about practical expectations under DORA, EBA outsourcing/cloud guidance and EU rules
- Building a single, coherent control framework that works across EU entities, rather than managing each regulation in isolation
- Interpreting high-level, principles‑based requirements into concrete controls, metrics and evidence that stand up to regulatory scrutiny
- Avoiding over-classification of gaps while designing frameworks that remain adaptable
9:35 am - 10:25 am
DORA IN PRACTICE: WHAT’S STILL NOT WORKING IN ICT RISK AND THIRD‑PARTY OVERSIGHT? – PANEL DISCUSSION
Translating regulatory intent into implementation
- Moving from static lists to dynamic, risk‑based inventories of third‑ and Nth‑party providers
- Designing and executing meaningful operational resilience tests across complex, multi‑vendor and chain‑outsourcing scenarios
- Consistently meeting DORA’s tight incident reporting timelines when information sits across multiple providers and jurisdictions
- Retrofitting DORA requirements into legacy contracts, SLAs and governance structures without disrupting critical services
10:25 am - 10:55 am
Morning refreshment break and networking
10:55 am - 11:30 am
HIDDEN AI
Understanding and controlling vendor AI use
- Identifying undisclosed AI usage across vendors and sub-vendors
- Assessing vendor AI models with limited documentation or transparency
- Managing data leakage and bias decision-making from hidden AI
- Strengthening contractual and governance models for unknown AI usage
11:30 am - 12:20 pm
CYBERSECURITY & AI-EXPANDED ATTACK SURFACES ACROSS THE THIRD-PARTY ECOSYSTEM – PANEL DISCUSSION
Increased cyber risk in a cloud-connected, AI-enabled landscape
- Understanding how cloud connectivity, API integrations and AI-enabled workflows are expanding third and Nth-party attack surfaces
- Examining how AI adoption by vendors introduces new cyber, data integrity and operational resilience risks
- Exploring professionalisation of threat actors and increasingly sophisticated attack methods
- Understanding failures caused by patching, software updates and configuration changes at 3rd and 4th parties
12:20 pm - 1:20 pm
Lunch break and networking
1:20 pm - 2:10 pm
DATA QUALITY – PANEL DISCUSSION
Overcoming poor data quality to meet resilience and supervisory expectations
- Addressing fragmented vendor inventories and missing contacts
- Improving tagging, critical mapping between services, processes and suppliers
- Reconciling internal data sources to support regulatory reporting
- Enabling real-time situational awareness and decision-making during incidents
2:10 pm - 3:00 pm
INTRAGROUP ARRANGEMENTS – PANEL DISCUSSION
Aligning governance across stakeholders
- Clarifying regulatory expectations for intra-group services, including risk, reporting and oversight requirements
- Applying consistent governance for intra-group arrangements and participation in joint scenario testing
- Identifying concentration and single point of failure risks within the corporate group
- Demonstrating resilience and continuity without assuming lower inherent risk
3:00 pm - 3:30 pm
Afternoon refreshment break and networking
3:30 pm - 4:05 pm
GOVERNING GENAI IN DECISION-MAKING AND OVERSIGHT
Governing autonomous AI systems without clear regulations
- Assessing liability when agentic AI tools move from summarizing data to recommending strategic decisions
- Managing concentration risk when corporate strategy depends on a single vendor's proprietary "black box" algorithms
- Where EU corporate law draws the line between "decision support" and illegal "outsourcing of judgment" to autonomous systems
- Identifying major risks (hallucinations, bias, data leakage) and implementing specific controls for high-stakes governance tools
4:05 pm - 4:40 pm
CONTRACT REMEDIATION
Updating legacy agreements under regulatory deadlines
- Reviewing existing contracts to identify gaps against new regulatory requirements
- Embedding mandatory clauses such as audit rights and breach notifications to align contracts with supervisory demands
- Negotiating with vendors to manage resistance while addressing time pressures and constraints
- Standardizing approaches across multiple agreements for consistent compliance
4:40 pm - 4:50 pm
Chair’s closing remarks
4:50 pm
End of day one
Thursday June 4, 2026
MODERATOR
8:00 am - 8:50 am
Registration and breakfast
8:50 am - 9:00 am
Chair’s opening remarks
9:00 am - 9:35 am
GEOPOLICITCAL DISRUPTION - KEYNOTE
Managing exposure, concentration, and dependencies in an evolving global landscape
- Identifying and responding to geopolitical disruption in third-party relationships
- Managing concentration risk and dependencies across regions and alliances
- Assessing the impact of state actions, sanctions, trade controls, and nation-state cyber activity on third parties
- Accessing reliable geopolitical intelligence to support effective monitoring and decision-making
9:35 am - 10:10 am
CRITICAL THIRD-PARTY DESIGNATIONS & CTPP UNCERTAINTY
Preparing for designation, capital impact and regulatory expectations
- Outlining emerging EU critical third-party regimes
- Managing uncertainty around designation lists, timing, and criteria, while maintaining readiness
- Assessing implications for governance and oversight models
- Operationalising designation requirements and demonstrating sustained compliance under supervisory scrutiny
10:10 am - 10:35 am
MONITORING & ENHANCING RESILIENCE
Embedding operational resilience through continuous monitoring and scenario testing
- Moving beyond static assessments to real-time monitoring of critical vendors
- Conducting scenario testing to validate impact tolerance and recovery strategies
- Integrating external threat intelligence with internal operational data
- Detecting early warning indications of incidents and strengthening cross-functional responses
10:35 am - 10:55 am
Morning refreshment break and networking
10:55 am - 11:45 am
SUPPLY CHAIN COMPLEXITY AND DEPENDENCY – PANEL DISCUSSION
Systemic risk in interconnected ecosystems
- Recognising how failures cascade across supply chains
- Applying cross-industry lessons to anticipate complex supplier and infrastructure risks
- Assessing systemic risks created by shared infrastructure
- Evaluating interdependencies between suppliers and sectors to uncover hidden vulnerabilities
11:45 am - 12:35 pm
CONCENTRATION RISK THROUGH THE NTH PARTY LANDSCAPE – PANEL DISCUSSION
Managing risk propagation beyond direct contracts
- Mapping fourth, fifth and Nth-party dependencies to identify where a single supplier creates a critical concentration point
- Understanding risk propagation across multi-tier supply chains
- Identifying concentration risks within shared cloud infrastructure and service hubs
- Managing accountability and implementing mitigation strategies for risks beyond direct contracts
12:35 Luncheon Roundtables:
ESG Risk Thresholds
Geopolitical Risk Integration
Intragroup Risk Proportionality
Supply Chain Cyber Resilience
Thursday - part2 June 4, 2026
1:35 pm - 2:25 pm
DECONSTRUCTED PANEL DISCUSSION
Roundtable moderators reconvene on stage to share key tensions, disagreements and insights from lunch discussions
2:25 pm - 3:00 pm
STEP-IN RISK & STRESSED EXIT PLANNING
How firms interpret and implement step-in requirements within TPRM frameworks
- Interpreting new step-in risk requirements and when firms are expected to intervene
- Identifying suppliers and scenarios that may trigger intervention or stressed exit
- Designing stressed exit strategies that work under disruption
- Exploring Escrow arrangements across services and assets
3:00 pm - 3:35 pm
CAPABILITY, CAPACITY AND THE ROLE OF THE HUMAN IN MODERN TPRM
Keeping people, processes and tools aligned with expectations
- Assessing organisational capability gaps in TPRM and AI oversight
- Balancing automation with skilled human oversight
- Strengthening tool adoption to embed technology intro daily processes
- Keeping first-line teams aligned with regulatory and operational expectations
3:35 pm - 3:55 pm
Afternoon refreshment break and networking
3:55 pm - 4:45 pm
COMPLIANCE VS COST – PANEL DISCUSSION
Balancing regulatory expectations with business reality
- Understanding how enforcement severity and penalties influence compliance priorities
- Evaluating trade-offs between risk mitigation, revenue and operational efficiency
- Developing frameworks to allocate TPRM resources based on risk and cost impact
- Communicating rationale and decisions to management, regulators, and stakeholders
4:45 pm - 5:35 pm
THE FUTURE OF TPRM – PANEL DISCUSSION
How innovation is reshaping third-party risk management
- Identifying signs of market fragility, over-reliance and unsustainable supplier models
- Assessing the impact of supplier failure and market consolidation on critical services
- Anticipating supervisory and regulatory response to market disruption and systemic risk
- Repositioning TPRM from a compliance function to a strategic enterprise risk control
5:35 pm - 5:45 pm
Chair’s closing remarks
5:45 pm
End of Vendor & Third Party Risk Europe 2026
Do you have any questions regarding the event?
Any inquiries regarding joining the agenda, the speaker lineup, and agenda, please get in touch with the producer of the event producer[@]cefpro.com or call us at +44 (0)207 164 6582 for more information