The European Banking Authority is consulting on new guidelines for the management of third party risk. The guidelines will replace the EBA’s outsourcing guidelines. Aligned with DORA but extending to non-ICT services, the guidelines set out what financial services firms should do to manage risks arising from their use of third parties. Once the guidelines apply, firms will have two years to bring their existing contracts into line and to update their registers.
Responding to DORA
EU financial entities have spent the last couple of years implementing the EU’s Digital Operational Resilience Act. DORA requires firms to have an ICT risk management framework and includes specific rules on managing third party ICT risks.
The EBA outsourcing guidelines, finalised in 2019, were a precursor to DORA. A firm “outsources” where it arranges for a third party to perform a function it would otherwise do itself. The EBA’s outsourcing guidelines caused firms to review their arrangements with third parties and update their contracts.
Now the EBA is proposing to update its outsourcing guidelines in response to DORA. The update will clarify that ICT arrangements covered by DORA are no longer within the scope of the guidelines. The guidelines will, however, be extended so that they are no longer limited to outsourcings but also apply to other non-ICT third party arrangements.
Scope of application
The revised guidelines will apply to a broader range of financial entities than the previous version. Credit institutions, payment and e-money institutions, and some investment firms continue to be in scope. Firms that will be newly in scope include more types of investment firm, MiCAR-authorised issuers of asset referenced tokens, and non-bank creditors under the Mortgage Credit Directive.
The draft guidelines do not provide an exhaustive list of functions that could be provided by a third party. Examples include administrative services, customer services and regulated financial services (which by definition are not ICT services in the scope of DORA).
EBA expectations
Among other things, the draft guidelines aim to ensure that:
- the firm’s management body oversees third party arrangements;
- there is a written policy on sound management of third party risks;
- firms have an effective internal control and risk management framework;
- all risks associated with the provision of critical or important functions by third parties are monitored, managed and reported;
- there are appropriate exit plans for arrangements regarding critical or important functions; and
- regulators can effectively supervise financial entities’ functions that are performed by third parties.
Firms should maintain a register of all third party arrangements. The draft guidelines specify the information that must be kept on the register, with additional requirements for arrangements concerning critical or important functions.
Next steps
The EBA’s consultation closes on 8 October 2025. Once the guidelines are finalised, they will apply to all new third party arrangements entered into after a date to be specified by the EBA. They will apply to existing third party arrangements from two years after that date of application.