
EBA Consultation Paper: Draft Guidelines on the Sound Management of Third-Party Risk

Navigating the key changes and no-regret actions for financial services firms

At a glance

The European Banking Authority’s (EBA) 2025 consultation paper on third-party risk marks a significant shift from the 2019 EBA Guidelines on Outsourcing:

  • Focusing solely on non-ICT third-party services (ICT services remain governed by the Digital Operational Resilience Act (DORA)), it proposes harmonising third-party registers of information (ROI), contractual obligations and key definitions (such as the definition of critical and important functions) with DORA. This harmonisation aims to streamline compliance across regulations including CRD and MiFID II, while incorporating international best practice from bodies such as the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision (BCBS).
  • Reflecting an evolution from a focus solely on outsourcing arrangements to a broader consideration of third-party arrangements, acknowledging the significance and potential risks of using third-party service providers to deliver both outsourcing and non-outsourcing arrangements.
  • Applying the guidelines to an expanded scope of entities, including a wider range of investment firms, MiCAR-authorised issuers of asset-referenced tokens, and non-bank lenders subject to the Mortgage Credit Directive (MCD).

The consultation period closes on 8 October 2025. The date from which compliance will be required is still to be confirmed; a two-year transition period is planned for existing non-ICT third-party arrangements once the guidelines are finalised.

Background

The EBA’s Draft Guidelines on the Sound Management of Third-Party Risk represent a significant shift in supervisory thinking. Moving beyond the previous focus solely on outsourcing, these draft guidelines, intended to replace the 2019 EBA outsourcing guidelines, now acknowledge the broader systemic risk posed by all Third-Party Service Providers (TPSPs) [1], regardless of whether the relationship is considered an outsourcing arrangement. This expansion reflects a growing awareness of disruptions caused by non-outsourced TPSPs.

DORA has further accelerated this evolution. To ensure regulatory harmonisation and a unified framework, the European Supervisory Authorities (ESAs) are reviewing existing third-party risk management (TPRM) guidance. This includes:

  • EIOPA: Withdrawal of its outsourcing guidelines for cloud service providers in December 2024, in anticipation of DORA's application.
  • ESMA: Issuance of revised guidelines on outsourcing to cloud service providers (applicable from 2021), clarifying their scope to avoid overlap with DORA and the potential for regulatory arbitrage.
  • EBA: Publication of a revised consultation paper that significantly advances the TPRM landscape for financial entities, emphasising interoperability with DORA and extending its focus to non-ICT third-party arrangements.

While structurally similar to its 2019 predecessor, the EBA's consultation paper significantly broadens its scope. It now covers all TPSPs other than ICT providers, enabling a cross-firm view of concentration risk and a comprehensive assessment of all critical service providers. This reflects the latest thinking from UK regulators, which emphasises the materiality of a service rather than whether it meets the definition of outsourcing: under CP17/24, for example, the Bank of England refers to "material third-party arrangements" and signals its interest in operational incidents affecting any of them. The paper maintains a strong emphasis on proportionality in applying the proposed requirements, and the overarching goal remains harmonisation: a unified TPRM framework for EU firms which, taken together with DORA, applies equally to outsourcing and non-outsourcing arrangements and to both ICT and non-ICT third-party relationships. This guide sets out the key changes and outlines no-regret actions for financial services firms to proactively address these evolving regulatory expectations.

What are the drivers for introducing this consultation paper?

  1. Increased Complexity and Interdependence: The financial services landscape has become increasingly intricate and interconnected, with firms heavily reliant on a vast network of TPSPs. This dependence creates significant vulnerabilities; disruptions or failures within a TPSP's operations can have cascading effects with potentially severe consequences for the financial system.
  2. Emerging Vulnerabilities and Threats: The rise of cyber threats, geopolitical instability, and other unforeseen events has heightened the risk profile of TPSPs. The need for robust TPRM frameworks is paramount to mitigate these emerging challenges.
  3. Regulatory Harmonisation and Interoperability: A key objective is to create a unified and harmonised approach to TPRM across the EU, recognising regulation introduced or amended since 2019, such as MiCAR (Markets in Crypto-Assets Regulation), the IFD/IFR (Investment Firms Directive/Regulation) and amendments to the CRD/CRR (Capital Requirements Directive/Regulation), which necessitates a reassessment and realignment of TPRM frameworks to maintain consistency.
  4. Enhanced Supervisory Oversight: The consultation paper reflects a shift in supervisory focus from individual firm oversight to a more systemic perspective. Competent authorities now need to monitor the collective systemic exposure to TPSPs, particularly those located in third countries (i.e. countries that are not EU member states). This necessitates more robust requirements for managing relationships with third-country providers, including measures to address situations where local laws might impede access, audit rights, or cooperation with supervisors. The aim is to mitigate the risks associated with concentration and dependencies on third-country providers.

The EBA's updated guidelines significantly elevate the management body's TPRM responsibilities. Instead of delegating TPRM, the management body must now directly oversee a comprehensive strategy, regularly review third-party risks (especially for critical functions), ensure robust business continuity plans, and approve and review internal audit plans specifically addressing third-party arrangements. This signifies a move towards proactive, strategic TPRM, emphasising accountability and independent verification.

No regret actions:

  • The management body must formally approve and regularly review internal audit plans to ensure comprehensive assessment of third-party arrangements. This includes scheduling regular audits of TPSP relationships and establishing a clear process for reviewing material changes to these relationships.
  • The TPRM strategy and policy should explicitly set out the management body's responsibilities and include a supplementary Responsible, Accountable, Consulted, Informed (RACI) matrix to clarify roles and responsibilities across the entire organisation.
  • Given the expanded responsibilities, the management body may require training to ensure they possess the necessary expertise and understanding to effectively oversee TPRM.

Firms are obliged to replace their "Outsourcing Policy" with a comprehensive Third-Party Risk Management (TPRM) Strategy and Policy. Given the expanded scope of third-party relationships covered, firms should ensure their existing outsourcing policy is updated, or a new policy developed, which clearly differentiates between ICT and non-ICT services (highlighting the convergence with DORA where relevant) and between authorised and unauthorised TPSPs (as detailed in paragraph 50 of the Consultation Paper).

No regret actions:

  • Firms must update their “Outsourcing Policy” to a TPRM Strategy and Policy which is formally defined, approved, and regularly reviewed by the management body.
  • Firms should ensure the additional requirements for identifying, assessing, monitoring, and mitigating associated risks are included in the policy along with clearly defined roles, responsibilities, and reporting lines (as per the governance requirements).

The EBA has carried over from DORA the requirement to keep a register of information (ROI), now extended to non-ICT third-party arrangements with the same fields and structure as the DORA register, so that ICT and non-ICT arrangements can be viewed together. This unified register enables consistent monitoring of systemic risk, concentration risk and critical dependencies, and informs the annual designation of critical third-party providers. The register must include comprehensive information (detailed in Section 10 "Documentation Requirements" of the Consultation Paper), including any function to be subcontracted; it must be updated at least every two years or upon renewal, and documentation for terminated arrangements must be retained for at least five years. Additional fields are required for non-ICT third-party arrangements, e.g. the type of contractual arrangement chosen and the total annual expense or estimated cost of each direct TPSP. For third-party arrangements supporting CIFs, the register should also address incremental considerations such as the existence of an exit plan from the TPSP.

No regret actions:

  • Identify and categorise all non-ICT third-party arrangements, paying particular attention to any non-outsourcing or intragroup arrangements that may not previously have been subject to TPRM oversight.
  • Document all third-party arrangements, including those that are not critical or important, in a register aligned to the DORA requirements. Begin to develop a framework that supports both the ICT and non-ICT registers, and identify how to obtain on a consistent basis the incremental data points required from non-ICT providers (e.g. TPSP responsibility for managing subcontractor risks, including location and parent company assessments).

The EBA consultation paper aligns its definition of Critical or Important Functions (CIFs) with DORA's definition. Significantly, it also expands the risk assessment requirements for CIFs to now include credit risk, market risk, ESG risk, and AML/CFT risk, in addition to the existing considerations of short- and long-term viability, operational resilience, legal and reputational standing, and recovery/resolution planning. This comprehensive assessment must consider both the importance of the function and the potential for disruption caused by TPSPs.

No regret actions:

  • Review all existing third-party arrangements to ensure compliance with the upcoming guidelines. This requires reassessing existing arrangements to determine whether they meet the revised definition of a CIF and updating their CIF designation accordingly, including removing the designation where it no longer applies.
  • Expand risk assessments of non-ICT arrangements supporting CIFs to explicitly include credit, market, ESG, and AML/CFT risks (where coverage does not currently exist).
  • Review and update existing risk assessment frameworks to incorporate these risk considerations in a proportionate manner.
  • Map subcontractor supply chains for all arrangements supporting CIFs.

Unlike the 2019 guidelines, the new proposals set out minimum contractual requirements for all in-scope third-party arrangements, not just those supporting CIFs. This includes nearly all contracts which do not relate to ICT (ICT contracts are already subject to DORA), the only exceptions being a short list of contract types which are expressly excluded (such as very low-risk service arrangements, contracts for utilities and arrangements for legally required services). As with DORA, it is likely that many in-scope contracts will not comply with some of the mandatory requirements, such as the obligation to identify in the written agreement the physical location from which services will be provided and where all data is processed.

Following the same approach as DORA, in addition to the generally applicable minimum contractual requirements the proposed guidelines also establish a more stringent set of requirements for CIF-supporting arrangements only. This includes mandatory exit strategies and adequate transition periods within contracts, requiring TPSPs to fully cooperate with wide rights of on-site inspections and audits and an obligation to include precise quantitative and qualitative service levels.

No regret actions:

  • Whilst it would be premature to begin repapering exercises before the requirements are finalised, in-scope entities should begin planning now. Key actions are: identifying and updating relevant contract templates, guidance notes and checklists; ensuring the new terms are reflected in new contracts once the guidelines are in force; and identifying and repapering all ongoing in-scope contracts within the anticipated two-year transition period. Organisations should also consider whether their contract tooling can quickly identify contracts that may require uplift once the final guidance is issued.

Financial entities (FEs) must conduct thorough due diligence and risk assessments on all third-party arrangements (TPAs). The principle of proportionality in due diligence is re-emphasised: financial entities must select and assess prospective TPSPs, ensuring the level of detail in the due diligence process is appropriate to the criticality or importance of the function. The 2019 guidelines are expanded to include the assessment of "other relevant risks", including credit risk, market risk, ESG risk and AML/CFT risk (as detailed in paragraph 37 of the Consultation Paper).

There are also incremental requirements with regards to CIFs under paragraph 81 of the Consultation Paper emphasising how FEs should ensure that the TPSP has sufficient capacity, resources, expertise and a strong business reputation to deliver the service; appropriate internal controls and risk management procedures, including supply chain risk management; plans to mitigate geographic dependencies and business disruptions; comprehensive contingency and disaster recovery plans; necessary authorisations; and full auditability, including onsite, by the financial entity, third parties, and regulators. Subcontractor usage must also be carefully considered.

No regret actions:

  • Determine whether any non-ICT arrangements would require remediation to align with the new requirements. Prioritise your assessment efforts on CIFs, focusing on those with the highest potential for disruption and the most significant impact on the firm's overall resilience and viability.
  • Consider expanding the existing risk assessment framework to explicitly include credit risk, market risk, ESG risk, and AML/CFT risk for all TPAs (if not already assessed).
  • Formalise and document selection and assessment criteria for TPSPs that explicitly address capacity, resources, expertise, reputation, internal controls, risk management (including supply chain risk management), contingency and disaster recovery planning, authorisations, and auditability.
  • Ensure there is a clear audit trail / documentation of all due diligence activities, risk assessments, and mitigation strategies.


The proposed guidelines largely reinforce the oversight requirements of the 2019 framework, though the terminology has shifted from "oversight" to "monitoring". The primary expectation remains that financial entities will monitor third parties on an ongoing, risk-based basis, with a particular focus on CIFs. The most significant change is one of scope: the monitoring principles now apply to the broader universe of third-party arrangements covered by the proposed new guidelines.

No regret actions:

  • Assess whether your current oversight processes and tools can be scaled to cover the wider scope of third-party arrangements, beyond outsourcings.
  • Evaluate whether the KPIs you have in place are sufficiently versatile to measure the performance of a wider variety of service types.

The consultation proposals for exit strategies are substantively similar to the 2019 guidelines, with additions requiring financial entities to consider in their exit planning the concentration risk at entity level and the possibility of significant breaches by a TPSP of applicable laws, regulations or contractual terms. There is also an increased emphasis on ensuring exit plans are realistic, based on plausible scenarios and reasonable assumptions. The key change is again the broader scope of the guidelines, with the requirements applying to the widened scope of third-party arrangements.

No regret actions:

  • Identify whether the change in scope, from outsourcings to all third-party arrangements, gives rise to any gaps in your organisation’s compliance with the requirement to have exit strategies in place covering CIFs performed by TPSPs.
  • Begin to plan testing of the exit strategies against the new requirements, ensuring you have considered elements such as concentration risk.

Conclusion

Ultimately, the EBA’s proposed updates to the guidelines mark a decisive shift from a focus on outsourcing to a more comprehensive and prescriptive framework for all non-ICT third-party risk which explicitly complements DORA. By aligning closely with DORA the EBA is seeking to create a complete and consistent supervisory regime. For firms which have recently been through the process of preparing for DORA, much in the new guidelines will therefore feel familiar. Many of the processes put in place and the lessons learned from DORA will be useful in achieving compliance with the new guidelines.

The consultation remains open until 8 October 2025 and whilst the final text may change, the direction of travel is very clear. Firms can use the period from now until the revised guidelines are finalised and published, at a date to be confirmed, to complete the no-regret actions, plan and identify budget. All of this will ensure your organisation is in the best possible position to comply, in turn strengthening your operational resilience.

____________________________________________________________________________

References

[1] In the EBA Consultation Paper on EBA Draft Guidelines on the sound management of third-party risk, "Third-party service provider" means an undertaking providing or supporting a function under an arrangement with a financial entity.

EIOPA revokes previous guidelines to avoid duplications and overlaps with DORA

EBA Final Report on EBA Guidelines on outsourcing arrangements

ESMA Final Report: Guidelines on outsourcing to cloud service providers

Consultation Paper 17/24: Operational resilience: operational incident and outsourcing and third-party reporting