Part 2: Assessment and Impact for Financial Institutions
In the first part of our analysis, we presented the key contents and innovations of the EBA consultation draft on the “EBA Guidelines on the sound management of third-party risk”. It became clear that the guidelines significantly expand the previous outsourcing framework.
In this second part, we focus on the practical implications: What do the new requirements mean specifically for banks, payment and e-money institutions as well as other affected companies? Where do the greatest challenges arise – and what opportunities emerge from the harmonisation with DORA and other regulatory frameworks?
Recommended Actions
The new EBA Guidelines are far more than a technical update. They change the way institutions must manage their third-party risks – both strategically and operationally. In order to make effective use of the two-year transitional period, financial institutions should act early and adapt their existing structures. It is particularly important to avoid duplication between the EBA Guidelines and DORA and instead build an integrated risk management system.
Specifically, the new requirements give rise to the following areas for action:
- Strategic anchoring: Development or updating of a third-party strategy at board level; clear documentation of management responsibility.
- Organisation and processes: Adaptation of internal policies to all third-party arrangements; establishment of clear interfaces between DORA ICT processes and the EBA Guidelines.
- Risk assessment: Conduct of holistic risk analyses including legal, operational, reputational and concentration risks; establishment of scenario analyses and stress tests; review of substitutability and reintegration.
- Registers and documentation: Expansion of the existing outsourcing register to a TPA register; recording of additional data such as costs, identification characteristics of service providers and categorisation according to Annex I; consideration of linking with the DORA register to avoid duplicate reporting.
- Contract design and exit strategies: Adaptation of existing contracts to the new formal and material requirements; ensuring extended audit rights; contractual agreement of transition phases; detailed and tested exit strategies for TPAs supporting critical functions.
These measures show that third-party risk management will become a central control instrument in the regulatory framework of institutions. Those who use the transitional period to systematically close gaps will not only be on the safe side from a regulatory perspective, but can also strengthen internal resilience and efficiency in dealing with external service providers.
Practical Relevance
The new guidelines take into account the fact that regulated companies operate in an increasingly complex ecosystem of service providers. The EBA addresses developments that have gained importance in recent years: the growing dependence on external providers and the clear expectation of supervisors for a holistic resilience strategy.
While DORA, as an EU regulation, has created a binding, EU-wide uniform framework for ICT third-party risks, the EBA Guidelines remain “soft law”, applied on a comply or explain basis by national supervisory authorities. For this reason, the new guidelines focus on “non-ICT services”, while DORA, as lex specialis, covers all ICT services.
Ambiguity in Distinction
The formal division of responsibilities may seem advantageous at first glance: DORA clearly applies to outsourcing in the ICT sector, and the EBA Guidelines apply to all other services. However, in practice, the disadvantages prevail:
The parallel implementation of two regimes causes considerable additional effort for affected financial institutions: Processes must be aligned with two regulatory frameworks, continuously coordinated and documented. Overlaps – for example in due diligence, contract design or monitoring – lead to duplication of effort and uncertainties.
This is exacerbated by the practically unmanageable separation into ICT and non-ICT services: Modern services are usually digitally integrated and cannot be clearly assigned. The responsibility for correct classification lies solely with the institutions – with unclear definitions and without clear demarcation by the supervisors. Even the EBA struggles with this distinction: Annex I of the new guidelines is intended to specify non-ICT services more clearly, but lists (not exhaustively) almost exclusively hybrid services that cannot easily be assigned to either regime.
Risk of Fragmentation in Risk Management
This regulatory split carries the risk that institutions view risks separately, leading to breaks in risk and control understanding. This threatens a split between ICT third-party risk management on the one hand and other third-party risk management on the other.
Although the EBA itself calls for a holistic, institution-wide risk management, it effectively creates the basis for organisational silo structures by dividing into ICT and non-ICT services. For institutions, this means: overlapping requirements, redundancies in implementation and significant need for interpretation – all of which are real implementation risks that can also lead to supervisory measures.
Impact at National Level
The requirements of the new guidelines would have to be integrated into national law, which in Germany could be done via Section 25b KWG, for example. This section has so far not provided for a distinction between ICT and non-ICT services. On the other hand, there is an undeniable practical need to clarify the relationship between the regulation of ICT third-party service relationships through DORA and outsourcing through other regulations.
Furthermore, a revision of AT 9 of the various MaRisk appears unavoidable. The draft consulted by BaFin in August 2025 for securities institutions still strictly follows the previous AT 9 and thus already seems outdated. It remains open whether BaFin will align its requirements more closely with the EBA Guidelines in the future and reduce national particularities.
Outlook
With its distinction between ICT and non-ICT services, the EBA follows the line of other European supervisors, such as the “Principles on third-party risks supervision” published by ESMA on 12 June 2025, and also takes up demands from practice. In its consultation paper on the revision of its Guidelines on Internal Governance dated 7 August 2025, the EBA has reinforced this distinction.
It therefore seems likely that this path will continue to be pursued.
However, it remains open how quickly the revised guidelines will actually come into force. Given the ongoing consultation period and the planned two-year transition period, it is foreseeable that institutions will need to begin preparations early. The greatest challenge is likely to lie in the classification practice: Which services fall under DORA, which under the EBA Guidelines – and how can duplicate structures be avoided?
In the long term, it will become clear whether supervisors will maintain the rigid separation between ICT and non-ICT services or whether an integrated approach will prevail that brings together all third-party risks within a single framework. From the institutions’ perspective, this would be the more practical solution. Until then, the following applies: those who start implementation now can avoid regulatory risks and at the same time sustainably strengthen their resilience in dealing with third parties.