From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management • Part 1: Overview of Key Developments

Part 1: Overview of Key Developments

On 8 July 2025, the European Banking Authority (EBA) published its new consultation paper on the guidelines for the sound management of third-party risks (draft “Guidelines on the sound management of third-party risk”). This draft marks a significant step beyond the previous Outsourcing Guidelines from 2019.

The changes are far-reaching: both the scope and the depth of requirements have been significantly extended. The aim is to create a coherent, EU-wide framework for third-party risk management that is harmonised with other regulatory regimes – in particular the Digital Operational Resilience Act (DORA).

This first part of our analysis of the new guidelines on third-party management provides an overview of the key content and developments. Part 2 will follow with an assessment of the practical implications for financial institutions.

Key developments at a glance:

Distinction from DORA: Only non-ICT services covered

The new guidelines apply only to services that do not fall within the scope of DORA. This is a major change, as in the past the EBA Guidelines also applied to ICT services. The refined scope is intended to avoid double regulation, as DORA already comprehensively regulates the management of ICT third-party risk.

However, paragraph 31 of the consultation draft includes a special provision: in a footnote, it is clarified that in the case of a “non-ICT” service which also includes elements of ICT services, the institution must decide for itself which rules (DORA or Guidelines) apply. The decisive factor here – according to the wording – is the “materiality” of the ICT component of the service (“whether the use of ICT service is material for the provision of the services”).

New terminology

With the new guidelines, the EBA is responding to the previously existing double regulation in the area of IT outsourcing: since the entry into force of DORA, obligated institutions have had to comply with both the DORA requirements and the EBA Outsourcing Guidelines. To reduce these overlaps, the EBA now introduces new basic terms:

In future, the requirements will relate to so-called “Third Party Arrangements” (TPAs) – a comprehensive term replacing the previous term “outsourcing”. The same applies to the designation of service providers: these are now defined as “Third Party Service Providers” (TPSPs), replacing the previously used term “Service Provider”. The aim of adjusting the terminology is to harmonise it with other regulatory frameworks, such as DORA, and to create a consistent terminology.

Expanded scope of application

One of the most significant changes concerns the scope of the guidelines: in future, the guidelines will apply not only to credit and investment institutions within the meaning of CRD IV and to payment and e-money institutions, but also to:

  • investment firms not subject to CRD, provided they are not small and non-interconnected within the meaning of Regulation (EU) 2019/2033 (IFR),
  • issuers of asset-referenced tokens subject to Regulation (EU) 2023/1114 (MiCAR), and
  • lenders under the Mortgage Credit Directive (Directive 2014/17/EU (MCD)).

Extended scope of regulation

The scope of regulation of the guidelines is also being significantly extended. Whereas the previous guidelines focused on “outsourcing arrangements”, all TPAs are now to be covered. This also brings the previously known “other external procurement of services” under MaRisk in line with outsourcing. Outsourcing is now only a subcategory of the broader term “Third Party Arrangements”.

Certain services such as statutory audits, clearing or global networks remain explicitly excluded. Nevertheless, for the majority of previous external procurements (and in particular for market data providers, who probably did not previously fall under DORA), this extension means a shift into regulatory obligation.

Critical or important functions

The central question remains whether a TPA is classified as a critical or important function – this distinction is also crucial under DORA. All subsequent measures depend on this classification, such as risk analysis, contractual design or requirements for the exit strategy. The definition in the consultation draft remains largely unchanged, ensuring a high degree of harmonisation with DORA.

Governance and responsibility

The EBA explicitly emphasises that the management board bears ultimate responsibility for dealing with third-party risks. Delegation to individual departments does not relieve them of overall responsibility. This places the topic on the strategic agenda of management boards. Institutions should not only establish operational processes and maintain a TPA policy (formerly outsourcing policy), but also adopt and monitor an overarching third-party strategy.

Third-Party Register (TPA Register)

In alignment with the information register required under DORA, the existing outsourcing register is being expanded into the Third-Party Arrangement Register (“TPA Register” or “EBA Register”). This register serves as the basis for both internal monitoring and supervisory oversight. The content requirements go beyond what many institutions have implemented to date. Mandatory content in the TPA Register includes:

  • detailed information on the type of contract, group affiliation and use by other affiliated companies,
  • mandatory categorisation of the service according to Annex 1 of the Guidelines,
  • additional identification features of the service provider (LEI, EUID, registration number, VAT ID, etc.),
  • cost transparency, including estimation of annual costs and payment currency,
  • for services involving critical or important functions, exit strategy details must in future be presented in greater detail: it must be shown separately to what extent replacement or reintegration is possible and what costs would arise in the event of the failure of the respective alternative. In addition, the total costs of the arrangement for the previous year and the payment currency used must be disclosed.

The TPA Register thus becomes a central supervisory tool. It should be noted that the TPA Register is only intended to contain TPAs without ICT services – also to avoid possible double reporting to the supervisory authority. Unlike under the DORA information register, TPAs must remain recorded in the TPA Register for up to five years after their termination.

Clarification of the tasks of Internal Audit

The new guidelines also clarify the role of Internal Audit. In future, it must take a risk-based approach, in particular including critical and important TPAs in its audit plan. It must ensure that the third-party management framework is effectively implemented, that function classifications and risk analyses are appropriate and that adequate governance and ongoing monitoring are in place. In addition, the guidelines require a formal follow-up process to ensure that identified deficiencies are remedied promptly.

Tightening of risk analysis requirements

The new guidelines significantly expand and tighten the requirements for TPA risk analysis. Whereas previously an assessment of outsourcing risks was required, the draft now calls for a holistic view of all risk dimensions – including operational, legal, reputational and concentration risks.

Institutions must assess how a TPA affects their ability to identify and manage risks, comply with regulatory requirements and carry out audits. The impact on customer services, the size and complexity of the affected business areas, as well as scalability and transferability (substitutability), must also be considered.

The guidelines also require scenario analyses of potential risk events, including severe operational disruptions. Institutions are to simulate the consequences of poor performance as well as risks arising from processes, systems, personnel or external events. Risks can no longer be viewed in isolation. Rather, institutions must weigh the costs and benefits of an arrangement – including concentration risks (e.g. dependency on hard-to-replace TPSPs or multiple contracts with the same provider) as well as group-wide aggregated risks.

Under the principle of proportionality, smaller institutions may use simplified procedures for risk analyses, but must document the results. Larger institutions, on the other hand, must apply more comprehensive methods, including the use of internal and external loss data.

Contractual design

The previously mandatory written form requirement is being dropped and replaced by the option of using electronic contracts, provided that they remain permanently accessible to all parties. However, an amendment to Section 25b (3) sentence 3 of the German Banking Act (KWG) is required for implementation into German law.

With the extension of the scope to all TPAs, the requirements are now also tightened for non-critical or non-essential outsourcing and other external procurements. Many requirements previously applicable only to material outsourcing will now also apply to all TPAs. Only a few obligations – such as the service provider’s ongoing reporting obligation, the conclusion of liability insurance, regular testing of emergency plans and the unrestricted audit rights of the institution and the supervisory authorities – will remain reserved for TPAs that support critical or important functions.

For TPAs supporting critical or important functions, the audit rights of institutions and supervisory authorities will be expanded. These now explicitly include on-site inspections as well as a conflict rule in case the rights of other customers are affected. Furthermore, it will in future be mandatory to agree on a transitional phase in which the service provider continues to provide services for a certain period after the arrangement ends. Another focus is on exit plans and exit strategies. Institutions must ensure that they remain capable of acting in the event of the failure or termination of a relationship with providers supporting critical functions. Exit plans must not only be in place but also be tested regularly – a point often underestimated in practice.

With regard to the sub-outsourcing of critical functions, the EBA clarifies in the new guidelines that management responsibility remains unaffected by the involvement of subcontractors. The institution is obliged to manage, mitigate and monitor the risks of further outsourcing in a holistic manner.

In addition, the requirements for the use of pooled audits are being tightened: before using them, institutions must thoroughly assess whether these audits actually provide all relevant information needed to fulfil their own supervisory and control obligations.

Third-country relationships

When using service providers from third countries, the EBA emphasises the obligation of institutions to carefully consider the respective local legal situation. This applies in particular to data protection requirements, which often differ significantly from EU law. Institutions must ensure that an equivalent level of protection is guaranteed even for cross-border arrangements.

Next steps and deadlines

  • The public consultation on the draft is open until 8 October 2025.
  • A public virtual hearing was held by the EBA on 5 September 2025. However, the available documents do not yet indicate when exactly the revised guidelines will come into force.
  • After their entry into force, institutions will have a two-year transitional period: during this time, all TPAs must be adapted to the new requirements or (if this is not possible in time) reported to the supervisory authority.

With these changes, the EBA is sending a clear signal: the management of third-party risks will in future be even more regulated, standardised and placed in the focus of supervisory authorities. In Part 2 of this series, we will examine the practical implications for banks, payment and e-money institutions, and highlight the greatest challenges and opportunities.
