The Regulator's Desk

What EU regulators moved this week.

A three-minute Wednesday read for procurement, compliance, and risk teams — the dated regulator items that touched your third-party register, unpacked, plus three concrete actions to take before Monday.

Every Wednesday·3-minute read·Free forever

What lands in your inbox.

Same shape every week. Read it once, learn the pattern, skim to what you need.

01

This week's calendar

The dated regulator items — EBA, BaFin, CBI, DNB, ACPR, CSSF, EMA, AMF, EIOPA, ESMA, EU AI Act — with the exact one-line action they took and the one-line implication for buyers.

02

The Take

One story unpacked in 400 words. Practitioner voice, not regulator commentary. What it means for your third-party register, contracts, and monitoring cadence over the next 30 days.

03

Do this week

Three concrete actions. Each is a single imperative sentence — enough to walk into your Monday risk stand-up with a plan and enough to defend the decision at the next supervisory conversation.

Sample week — 30 June 2026.

A recent week's calendar block, unedited. This is what the "This week's calendar" section looks like.

Block 1 · This week's calendar

Three EU regulator moves your register cares about

30 JUN 2026 · BaFin · Germany

9th MaRisk amendment published. Central outsourcing officer role removed → central outsourcing management function. Sub-outsourcing reporting tightened. AML now explicit in outsourcing decisions. Contingency planning required where no viable exit exists. For buyers: 12-month grace, sub-outsourcing chain visibility is the hardest lift.

2 AUG 2026 · EU AI Act · 27 states

GPAI enforcement powers switch on. Commission enforcement live for GPAI providers. Fines up to €15M or 3% of global turnover. Article 50 transparency binds. For buyers: three-question audit — which suppliers embed GenAI, do you have Article 50 transparency documentation, is it flagged in the third-party register?

WATCHLIST · EBA · European Union

Non-ICT TPRM final guidelines (EBA/CP/2025/12) — imminent. Extends EBA outsourcing oversight to all non-ICT third-party arrangements at credit institutions and investment firms. Comply-or-explain, two-year grace to update contracts and refresh the register once it publishes. For buyers: template mapping should be pre-staged, not reactive.

The Take, Do This Week, and Look-ahead follow this section in the actual issue.

Who this is for.

Procurement, compliance, and risk leaders at EU-regulated buyers. If you own the third-party register, or you own the answer to "walk us through how you decided this provider supports a critical or important function," this is written for you.

If your role is regulator-facing at an EU financial institution, insurer, fund, payment firm, life sciences, critical-infrastructure, or NIS2-in-scope operator — this reads three minutes on a Wednesday morning and pays off inside a fortnight.

Common questions.

Is this a product newsletter or a regulator brief?

A regulator brief. Every issue leads with the dated regulator items and the operational reading for buyers. Product mentions are rare and marked. No "here's what FiorLab launched this week." If a specific FiorLab capability solves the reader's problem, we say so once and move on; the rest of the issue reads whether you use FiorLab or a spreadsheet.

How often do you send?

Every Wednesday morning, 09:00 IST (Ireland). One send. No follow-up broadcast series, no "special editions," no re-sends with different subject lines. If the regulatory week is quiet, we still publish — the shape stays the same, the volume varies.

Do you share my email address?

No. Your email is used only to deliver The Regulator's Desk. We host with a GDPR-compliant EU sending provider, retain the record for the duration of your subscription, and delete on unsubscribe within 30 days. See our privacy notice for the full detail; the DPA covers FiorLab's underlying data-processing posture.

Who writes it?

The FiorLab team. Every issue is edited to a single voice; when a guest practitioner contributes to "The Take," their byline appears explicitly under that block. Editorial standards: no legal advice, no anonymous competitor swipes, no motive imputation to any regulator or vendor. Practitioner observation only.

How do I unsubscribe?

Every issue carries a one-click unsubscribe link in the footer. No confirmation flow, no "are you sure," no re-permission emails. If you also want your record deleted from our list, reply to any issue with the word "delete" — done within 30 days per our data-retention policy.

What if I represent a competitor?

Subscribe. Every issue is public; we'd rather you read the same brief as your buyers than build a mental model of us from the marketing site alone. If you find something worth improving, tell us at hello@fiorlab.com.

Ready to subscribe?

One click. Confirm the email. First issue lands next Wednesday.