A three-minute Wednesday read for procurement, compliance, and risk teams — the dated regulator items that touched your third-party register, unpacked, plus three concrete actions to take before Monday.
Same shape every week. Read it once, learn the pattern, skim to what you need.
The dated regulator items — EBA, BaFin, CBI, DNB, ACPR, CSSF, EMA, AMF, EIOPA, ESMA, EU AI Act — with the exact one-line action they took and the one-line implication for buyers.
One story unpacked in 400 words. Practitioner voice, not regulator commentary. What it means for your third-party register, contracts, and monitoring cadence over the next 30 days.
Three concrete actions. Each is a single imperative sentence — enough to walk into your Monday risk stand-up with a plan and enough to defend the decision at the next supervisory conversation.
A recent week's calendar block, unedited. This is what the "This week's calendar" section looks like.
9th MaRisk amendment published. Central outsourcing officer role removed → central outsourcing management function. Sub-outsourcing reporting tightened. AML now explicit in outsourcing decisions. Contingency planning required where no viable exit exists. For buyers: 12-month grace, sub-outsourcing chain visibility is the hardest lift.
GPAI enforcement powers switch on. Commission enforcement live for GPAI providers. Fines up to €15M or 3% of global turnover. Article 50 transparency binds. For buyers: three-question audit — which suppliers embed GenAI, do you have Article 50 transparency documentation, is it flagged in the third-party register?
Non-ICT TPRM final guidelines (EBA/CP/2025/12) — imminent. Extends EBA outsourcing oversight to all non-ICT third-party arrangements at credit institutions and investment firms. Comply-or-explain, two-year grace to update contracts and refresh the register once it publishes. For buyers: template mapping should be pre-staged, not reactive.
Procurement, compliance, and risk leaders at EU-regulated buyers. If you own the third-party register, or you own the answer to "walk us through how you decided this provider supports a critical or important function," this is written for you.
If your role is regulator-facing at an EU financial institution, insurer, fund, payment firm, life sciences, critical-infrastructure, or NIS2-in-scope operator — this reads three minutes on a Wednesday morning and pays off inside a fortnight.
A regulator brief. Every issue leads with the dated regulator items and the operational reading for buyers. Product mentions are rare and marked. No "here's what FiorLab launched this week." If a specific FiorLab capability solves the reader's problem, we say so once and move on; the rest of the issue reads whether you use FiorLab or a spreadsheet.
Every Wednesday morning, 09:00 IST (Ireland). One send. No follow-up broadcast series, no "special editions," no re-sends with different subject lines. If the regulatory week is quiet, we still publish — the shape stays the same, the volume varies.
No. Your email is used only to deliver The Regulator's Desk. We host with a GDPR-compliant EU sending provider, retain the record for the duration of your subscription, and delete on unsubscribe within 30 days. See our privacy notice for the full detail; the DPA covers FiorLab's underlying data-processing posture.
The FiorLab team. Every issue is edited to a single voice; when a guest practitioner contributes to "The Take," their byline appears explicitly under that block. Editorial standards: no legal advice, no anonymous competitor swipes, no motive imputation to any regulator or vendor. Practitioner observation only.
Every issue carries a one-click unsubscribe link in the footer. No confirmation flow, no "are you sure," no re-permission emails. If you also want your record deleted from our list, reply to any issue with the word "delete" — done within 30 days per our data-retention policy.
Subscribe. Every issue is public; we'd rather you read the same brief as your buyers than build a mental model of us from the marketing site alone. If you find something worth improving, tell us at hello@fiorlab.com.
One click. Confirm the email. First issue lands next Wednesday.