On 5 September 2025, the European Banking Authority (EBA) held a virtual public consultation with industry stakeholders on its draft Guidelines on the sound management of third-party risk for non-ICT services. These guidelines aim to enhance the harmonisation and oversight of third-party risk management within the EU banking sector and will replace the existing EBA Guidelines on outsourcing arrangements. The public consultation period concludes on 8 October 2025 and the EBA has indicated that the final version of the guidelines should be published by April 2026.
Key objectives and scope
The EBA’s stated intentions in introducing the new guidelines are to:
- Extend the scope of the guidelines to the majority of financial entities operating within the EU banking sector. Whilst the existing EBA guidelines on outsourcing apply to credit institutions and investment firms subject to the Capital Requirements Directive (CRD) and to payment and electronic money institutions, the new guidelines cover all institutions subject to the CRD, certain types of investment firms, issuers of asset-referenced tokens under the Markets in Crypto-Assets Regulation, and certain creditors under the Mortgage Credit Directive (Financial Entities).
- Align third-party risk management (TPRM) for such Financial Entities with the principles contained in international standards such as the Basel Framework and the Financial Stability Board toolkit for enhancing TPRM.
- Align TPRM in respect of non-ICT services with that of ICT services under the Digital Operational Resilience Act (DORA) to ensure a consistent approach across the banking sector.
- Recognising that TPRM in relation to ICT services is now comprehensively addressed by DORA, remove the overlap between the current EBA guidelines on outsourcing arrangements and DORA by focusing exclusively on non-ICT services.
The EBA is keen to emphasise the overarching principle of proportionality, ensuring a tailored approach based on the specific risks faced by each in-scope institution. Once the guidelines enter into force, Financial Entities will have a two-year transition period to update their processes and documentation with respect to existing third-party arrangements (TPAs). The guidelines will apply automatically to all new TPAs from the date that they enter into force.
Content of the new guidelines
The revised guidelines now cover the entire TPA lifecycle and apply to all non-ICT services including those supporting critical or important functions (CIFs) (although more stringent provisions apply to CIFs). Key aspects include:
Updated definitions
The guidelines introduce new definitions for TPAs, third-party risk, third-party service providers (TPSP), intra-group TPSPs, subcontracting, concentration risk and operational resilience.
- Cloud-specific definitions have been removed as the guidelines only address non-ICT services.
- The importance of distinguishing between outsourcings and other TPAs is also largely removed: outsourcings are recognised as a sub-category of TPAs, and no distinction is drawn between the requirements applying to outsourcings and those applying to other TPAs. With some exceptions, the new guidelines apply to all types of TPAs for non-ICT services.
Comprehensive TPA lifecycle management
Detailed guidance is provided for each stage of the TPA lifecycle: pre-contractual analysis, contracting, ongoing monitoring and exit. The guidelines:
- Provide illustrative criteria to assist Financial Entities with their risk assessments and with the identification of CIFs.
- Stipulate the specific contractual obligations to be imposed upon TPSPs (including with respect to access, information and audit rights, termination rights, and the subcontracting of critical or important functions).
- Provide guidance on the ongoing monitoring of the performance of TPSPs and the appropriate measures to be taken by Financial Entities if shortcomings are identified.
- Require documented exit strategies when CIFs are being performed by TPSPs.
Governance arrangements
A requirement for clear assignment of internal responsibility and governance, and a written policy on TPRM (consistent with DORA), effective oversight of contractual arrangements, and conflict-of-interest management are all highlighted. The guidelines also continue to leverage existing internal governance frameworks (e.g. the Guidelines on internal governance under the CRD).
Classifying functions
Annex 1 to the guidelines provides a non-exhaustive list of service categories to aid in the classification of functions.
Key updates
Key changes from the existing guidelines on outsourcing arrangements include:
- Contractual requirements – Financial Entities are required to ensure their non-ICT contracts contain the same specific terms as are mandated by DORA.
- Business continuity plans (BCP) – Financial Entities are to set out clear procedures to manage internal and external crisis communications when BCPs are activated, and to involve TPSPs in periodic testing.
- Internal audit functions – Financial Entities are to establish a formal follow-up process for the timely verification and remediation of critical audit findings.
- Subcontracting of critical and important functions – the guidelines replicate the principles of the DORA Subcontracting RTS with requirements for information to be incorporated into the written agreement with the TPSP.
- Register of TPAs (non-ICT services) – Financial Entities must establish and maintain a register for all TPAs, distinguishing between those in support of CIFs and other TPAs. Although the requirements under the guidelines are less prescriptive than those under DORA, they are consistent with data points to be included in the DORA Register of Information for ICT services. Financial Entities are expressly permitted to merge the two registers into one single register for both ICT and non-ICT services.
Stakeholder concerns and the EBA’s response
The public hearing on 5 September 2025 gave stakeholders the opportunity to raise a number of points, including:
Scope, applicability and proportionality
Concerns were voiced about the inclusion of smaller investment firms (e.g. asset managers and Class 2 investment firms) within the scope of the guidelines, with one stakeholder stating that the existing governance guidelines were already sufficient to deal with TPRM in smaller institutions.
Overlap with other sectoral regulations and directives, and DORA
Questions were raised regarding the overlap with DORA and other sector-specific regulations. Stakeholders sought clarification on which regulations would apply in cases of overlap and how to avoid conflicting requirements.
Definition and classification
Concerns were raised over ambiguity in the guidance on which functions may constitute CIFs, and over the classification of services as either ICT or non-ICT.
Implementation and timeline
Concerns were raised about the feasibility of complying with the guidelines within the stated timeframes, given their scope and the potential for significant changes to existing processes and documentation.
The EBA acknowledged and responded to the concerns raised:
Flexibility and interpretation
The EBA emphasised that the guidelines provide flexibility in interpretation and application. While certain functions are suggested as potentially critical or important, the ultimate determination rests with the Financial Entity. The EBA stressed that the goal is consistency in requirements, regardless of whether a service is classified as ICT or non-ICT and which regime (DORA or the revised guidelines) applies.
No further exemptions
The EBA rejected calls for exemptions for smaller institutions such as asset managers, citing the need for consistent risk management across the financial sector and the alignment of the guidelines with existing regulations applying to such institutions.
Further clarification and review
The EBA committed to reviewing and clarifying several areas, including the guidance on CIFs, the service categorisations in Annex 1, the handling of one-off as opposed to recurrent services, and the interaction of the guidelines with other regulations. It also acknowledged the need for further clarification on the exit plan requirements.
Collaboration and alignment
The EBA highlighted its collaboration with other competent authorities to ensure alignment with existing frameworks and operational resilience initiatives. However, it also acknowledged the need for a balanced approach to ensure proportionality and to avoid creating unnecessary additional administrative burdens for Financial Entities.
Final thoughts
The EBA's proposed new guidelines represent a significant change in how entities in the banking sector will need to manage third-party risk in the context of non-ICT services. Whilst bringing non-ICT TPRM into alignment with DORA and other international standards creates a certain level of harmonisation, removing the focus on outsourcing and broadening the applicability of the guidelines to all TPAs also materially expands the scope of arrangements to which the requirements apply.
While concerns were raised by stakeholders regarding proportionality and implementation, the EBA's commitment to further clarification and collaboration indicates that steps may be taken to address these concerns before the final guidelines are published by April 2026. Stakeholders were invited to follow up with the EBA with specific examples to illustrate any concerns before the consultation closes on 8 October 2025.
If you would like more information about any of the implications of the proposed changes for your organisation, please contact Paul O’Hare, Louis Wihl or Elizabeth Lumb.