CeFPro Connect

Event Q&A
Modernising legacy contracts for a new era of third-party risk
Ahead of Vendor & Third Party Risk Europe, Michal Drohomirecki explores why legacy contracts are increasingly failing to meet modern regulatory expectations. He discusses key gaps around cyber, resilience, subcontractor oversight, and exit rights, while outlining how organisations can overcome vendor pushback and standardise remediation across large contract portfolios.
May 14, 2026
Michal Drohomirecki
Michal Drohomirecki, Head of Information and Cybersecurity Contract Support - Third Party Security Risk, Standard Chartered Bank
Tags: Vendor and Third Party Risk; Resilience; Operational and Non-Financial Risk
The views and opinions expressed in this content are those of the thought leader as an individual and are not attributed to CeFPro or any other organization
  • Explores why legacy contracts are struggling to meet evolving regulatory expectations
  • Examines key gaps related to DORA, NIS2, cyber resilience, and third-party oversight
  • Discusses common forms of vendor pushback during contract remediation
  • Highlights the growing importance of subcontractor and nth-party transparency
  • Outlines how firms are using compensating controls to manage contractual gaps
  • Explains how organisations prioritise remediation across large vendor portfolios
  • Emphasises the role of governance, risk-based approaches, and operational resilience in modern contract management

Ahead of Vendor & Third Party Risk Europe, we spoke with Michal Drohomirecki, Head of Information and Cybersecurity Contract Support - Third Party Security Risk at Standard Chartered Bank, who gave us an exclusive teaser of what to expect from his session on contract remediation under regulatory pressure.

Where do legacy contracts most commonly fail to meet new regulatory requirements?

Legacy contracts most often fail because regulation moves faster than contract design and organisational change. Typical gaps include:

  • Privacy & ICT regulation lag – contracts predate GDPR evolution, NIS2 and DORA, lacking enforceable data, cyber, and resilience obligations.
  • Modern risk blind spots – limited expertise when contracts were signed means cyber, operational resilience, and ICT concentration risks are not properly addressed.
  • Sub-contracting & nth party risk – weak controls over subcontractors and fourth parties, with no transparency or regulatory flow down.
  • Exit rights misaligned to regulation – termination focused on commercial breach only, not regulatory non-compliance or cyber security failures.
  • Cyber, privacy and regulatory standards evolve faster than uptake – security clauses are static while threats and expectations change, exposing slow organisational adaptation.

Bottom line: legacy contracts reflect yesterday’s risk model, while regulation assumes dynamic, end-to-end control over today’s digital and third-party ecosystem.

What does vendor pushback typically look like, and how is it overcome?

Pushback typically looks like…

  • Resistance to regulatory audit/access rights, citing confidentiality or IP, or claiming the requirements are not applicable to them as service providers
  • Pushback on sub‑contractor transparency (nth‑party disclosure)
  • Reluctance to accept non‑commercial exit rights (e.g. for regulatory or cyber non‑compliance)
  • Claims that new controls are costly, operationally heavy, or unnecessary

How it’s overcome:

  • Reframing requirements as regulatory obligations, not negotiable asks
  • Using risk‑based proportionality (apply stricter clauses only to critical services)
  • Compensating controls mitigate clause gaps – where full contractual alignment is resisted, firms document alternative controls (e.g. independent assurance, continuous monitoring, internal oversight, segregated access, escalation rights) that demonstrate equivalent protection, instead of removing the clause entirely or accepting unmanaged risk.

Pushback is commercial by default; it is resolved when compliance is positioned as a regulatory necessity and condition of doing business, not a preference.

How do organisations standardise remediation across large contract portfolios?

  • Define a standard remediation playbook
  • Prioritise by risk and materiality – focus first on critical services, high‑risk vendors, and regulatory impact.
  • Use trigger points – remediation embedded into renewals, amendments, extensions, or onboarding rather than stand‑alone re‑papering.
  • Dedicated ownership model – clearly defined teams with authority over contract negotiation, risk acceptance, and risk register updates. These teams not only explain risk to the business, but identify compensating controls, approve amendments, and formally accept residual risk.
