The soundness and stability of the financial system remain of paramount importance, safeguarded over time by competent authorities at the EU level.
In a context marked by growing competitiveness, accelerated digitalization, increasing demands for robust data management, and rising cost pressure, financial entities across industries are increasingly relying on third-party providers. These arrangements enable institutions to deliver more efficient, value-added solutions to their clients and to differentiate themselves from the competition. This growing reliance on third parties is further driven by multiple factors including ambitions to reduce costs, access specialized competencies, achieve economies of scale and enhance flexibility.
Financial entities are also accelerating their use of intragroup service providers. This trend has led to centralization of certain services and functions within specific centers of excellence, strengthened specialized skills, and enabled the sharing of costs, thereby promoting greater efficiency within the group.
The growing reliance on third-party service providers, while offering significant benefits for financial entities, introduces material operational risks to the financial system, particularly in relation to concentration, resilience and dependency aspects.
Although third-party risk is not a new concept—having already been included in the Basel risk taxonomy—regulatory requirements on the subject have been progressively reinforced at the international level by several key publications. In December 2023, the Financial Stability Board released a publication titled “Enhancing third-party risk management and oversight: A toolkit for financial institutions and financial authorities.” This was followed in July 2024 by the Basel Committee on Banking Supervision’s (BCBS) consultative document “Principles for the sound management of third-party risk.” More recently, in June 2025, the European Securities and Markets Authority (ESMA) issued its guidelines on “Principles on third-party risks supervision.”
It is important to clarify the composition of the third-party ecosystem, encompassing on one side, service providers whose activities qualify as outsourcing arrangements, and on the other, providers of information and communication technology (ICT) or business process services that fall outside the scope of outsourcing.
At the EU level, the reinforcement of regulatory requirements on third-party risk management has focused primarily on the outsourcing framework, most notably through the European Banking Authority (EBA) Guidelines on Outsourcing. These guidelines establish the criteria for qualifying third-party arrangements as outsourcing, require institutions to assess the level of criticality (i.e. critical or important), and set out the corresponding obligations in terms of risk assessment, due diligence, contractual provisions, oversight, and exit strategies.
In Luxembourg, these requirements have been further extended beyond banking institutions to encompass a wider range of financial entities, including investment firms, payment and electronic money institutions, and specialized or support professionals of the financial sector. This was achieved through the entry into force of the CSSF Circular 22/806.
The Digital Operational Resilience Act (DORA) was then introduced, also establishing principles on ICT third-party risk management. DORA marked a shift from a narrow focus on outsourcing of ICT services toward a broader consideration of ICT third-party service providers.
Most recently, on 8 July 2025, the EBA published a consultation paper on its proposed guidelines on the sound management of third-party risk. These proposals aim to broaden the scope of robust third-party management requirements beyond only services qualifying as outsourcing or ICT-related arrangements.
This succession of publications by both EU and international bodies (such as the Financial Stability Board and the Basel Committee) underscores and serves as a reminder of the critical importance of third-party risk for the financial sector. Accordingly, market participants are expected to adopt adequate practices to safeguard the stability and resilience of the financial system. A coordinated effort by all stakeholders is imperative.
The EBA Draft Guidelines on the sound management of third-party risks propose a strong alignment with several of the requirements and processes already applicable under the outsourcing and DORA frameworks. The requirements set out in the draft guidelines can be organized around four phases, with attention also to be given to risks arising from subcontracting chains and from concentration on specific third-party service providers:
Finally, and consistent with the outsourcing framework, the draft EBA guidelines clarify that intragroup third-party arrangements are to be subject to the same risk management framework as arrangements with external service providers.
The regulatory developments on third-party risk management will have significant implications for financial entities, which are expected to enhance the maturity and robustness of their third-party risk management framework and to ensure that their operational risk management framework is adequately adapted to capture and measure the operational risks arising from the use of third parties.
This evolution also requires a review of entities’ risk appetite frameworks, ensuring that aggregated third-party risk can be measured and aligned with both their overall third-party risk management strategy and their defined risk tolerance.
Once the proposed EBA Guidelines come into effect, they will introduce enhanced requirements when engaging third-party service providers, leading to additional workload that financial entities will need to organize and manage carefully in order to adequately address the risks inherent in the services concerned.
Similarly, significant efforts will be required to retroactively implement the revised third-party risk management framework for existing arrangements. This process will involve, among other tasks, reviewing and amending existing contractual arrangements, performing all necessary assessments (including criticality, risk, and conflicts of interest), developing exit plans, and conducting more detailed due diligence.
All the above will need to be supported by robust internal governance arrangements across the three lines of defense. These arrangements should be formalized and thoroughly documented to enhance understanding and transparency among all stakeholders, while also enhancing the organization’s overall risk culture.
In conclusion, the evolving regulatory requirements on third-party risk management attest to the fact that regulators view third-party risks as a material operational threat to the stability and soundness of the financial sector. As highlighted, the use of third-party service providers is widespread in the financial industry, enabling institutions to achieve business objectives and efficiency gains, but it requires robust risk management measures.
To prepare for both current and forthcoming regulatory developments, financial entities are encouraged to proactively review their existing third-party risk management frameworks and plan for their implementation across both new and existing third-party arrangements. This proactive approach allows institutions to manage and distribute over time the significant efforts needed for compliance.
Ultimately, anticipation and proactive planning will be essential for a smooth and successful compliance journey with third-party risk management requirements, while also supporting the development of an appropriate risk culture across the organization.
This article was originally authored for AGEFI and is now shared here for our audience.