EBA consults on Draft Guidelines on third-party risk management with regard to non-ICT related services

Written By

Johannes Wirtz, LL.M.

Partner
Germany

As partner in our Finance & Financial Regulation Group in Frankfurt, I advise our national and international clients on banking regulatory issues and finance law.

Eleonora Pavliouk

Senior Associate
Sweden

I am a senior associate in the Finance & Financial Regulation Group in Stockholm. My passion lies in fintech, innovation, financial regulation, data protection and AI, as well as combining my knowledge in these areas to provide high quality cross-sector advice to our clients.

Background

The European Banking Authority (“EBA”) launched a public consultation on the draft Guidelines on the sound management of third-party risk (“Guidelines”). The Guidelines focus on third-party arrangements in relation to non-ICT-related services provided by third-party service providers and their subcontractors. The Guidelines aim to revise and update EBA’s Guidelines on outsourcing arrangements (EBA/GL/2019/02) (“Outsourcing Guidelines”) from 2019, to align with the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”).

Scope of the Guidelines

  1. The Guidelines limit the scope to non-ICT third-party service providers (“TPSP”). Arrangements with ICT third-party service providers (“ICT TPSP”) remain covered by DORA. 
  2. The Guidelines apply to competent authorities as well as financial institutions such as credit institutions, third country branches, investment firms, payment institutions, electronic money institutions, issuers of asset-referenced tokens (ARTs) and certain creditors, collectively referred to as ‘financial entities’. Issuers of ARTs which are not institutions are included in the scope. Account Information Service Providers (AISPs) are excluded if they solely provide account information services.

What will financial entities be expected to do?

The Guidelines specify the internal governance arrangements, including sound risk management, that financial entities should implement when they rely on third-party arrangements (“TPA”) where a TPSP provides a function, in particular critical or important functions or parts thereof. 

TPA is a new concept established under the Guidelines and is defined as “an arrangement of any form between a financial entity and a third-party service provider, including intragroup third-party service providers, for the provision of one or more functions to the financial entity”. The definition covers all types of arrangements (unless specifically excluded from scope), meaning that both outsourcing arrangements, as a subset, and what is currently deemed non-outsourcing are covered by the Guidelines. Ultimately, the first step of distinguishing between outsourcing and non-outsourcing will no longer be needed to determine whether the Guidelines apply. The TPA definition excludes arrangements between a TPSP and any entity in its supply chain (i.e. a subcontractor to the TPSP, rather than to the financial entity). 

Similar to the Outsourcing Guidelines, the Guidelines define the term “function” as “process, service or activity or part of it”. The definition of “critical and important function” is “a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law”, which is similar to the definition in DORA. Annex I to the Guidelines provides a non-exhaustive list of functions that could be provided by a TPSP. As a general principle, the Guidelines exclude services that do not have a material impact on the financial entities’ risk exposures or on their operational resilience (e.g. advice from an architect, provision of legal opinions and representation before courts and administrative bodies, cleaning, gardening and maintenance of the premises). 

In general, the obligations under the Guidelines are similar to those under DORA in relation to ICT services and those under the Outsourcing Guidelines. In essence, financial entities should have the following in place: 

  • Management of third-party risk: financial entities shall manage the risks connected to the TPAs with TPSPs in accordance with the rules set out in the Guidelines.
  • Monitoring of TPAs: financial entities shall establish appropriate oversight of TPAs including receiving reports, making risk assessments etc. 
  • Internal governance: financial entities shall ensure that a robust internal governance system in relation to TPAs and TPSPs is in place and that the financial entity’s management body is duly informed of TPSPs. 
  • Maintain a register: financial entities shall maintain a register of TPAs which, where it is not merged with the register of information under Article 28(3) DORA, shall be consistent with that register to the extent possible. Financial entities are encouraged to avoid discrepancies between the two registers when they are not merged. The Guidelines provide a list of values to be included in such a register, which are similar to those included in the register of information under Article 28(3) DORA. Financial entities shall provide the register to the competent authorities upon request. 

When applying the requirements set out in the Guidelines, financial entities may apply proportionality, taking into account the complexity of the functions provided by TPSPs, the risks arising from the TPAs, the criticality or importance of the function provided by TPSPs and the potential impact on the continuity of their activities.  

What financial entities will need to do:

  • map the non-ICT TPAs, including both arrangements previously deemed to be outsourcing and those deemed non-outsourcing, 
  • identify whether any of the TPAs require remediation (e.g. where they were deemed to be neither an outsourcing arrangement nor an ICT service under DORA), 
  • map the existing documentation (checklists, questionnaires, templates, internal governance documents) against the requirements in the Guidelines and make the necessary updates, 
  • establish the risk management of the TPAs in accordance with the requirements in the Guidelines, 
  • establish (or, if already in place, adapt) and maintain the register. 

Next Steps

The deadline for the submission of comments on the Guidelines is 8 October 2025, and it is possible that the Guidelines will be finalised by the end of 2025. Once finalised, the Guidelines will repeal the Outsourcing Guidelines. The finalised Guidelines will apply to new contracts from the date of entry into force. For existing contracts, the Guidelines grant a transitional period of two years from the date of entry into force, by which the financial entities shall comply with the Guidelines in relation to all TPAs.
