ARTICLE
22 July 2025

Third Party Risk Management: EBA Proposals To Expand Its Outsourcing Guidelines To All Non-DORA Third Party Services

KL
Herbert Smith Freehills Kramer LLP


Background

The end of the traditional regulatory distinction between outsourcing and non-outsourcing arrangements comes one step closer. Non-outsourcings are no longer seen as less risky.

The current EBA outsourcing guidelines 2019 (Outsourcing Guidelines) apply to all "outsourcing" by credit institutions, some investment firms, payment service providers and e-money institutions. "Outsourcing" is essentially an arrangement under which the firm has another party perform a function that it would otherwise perform itself.

Six months after the EU Digital Operational Resilience Act (DORA) regime for management of information and communication technology (ICT) risk went live in January 2025, the EBA is consulting on proposals for new guidelines for the management of risk when firms rely on third party service providers (TPSPs). The proposed new guidelines (TPSP Guidelines) - an upgraded version of the Outsourcing Guidelines - would apply more widely, and be more onerous in some areas, than the Outsourcing Guidelines.

The TPSP Guidelines would operate in parallel with existing regulatory requirements for outsourcing. They do not distinguish between outsourcing and other third party arrangements.

ICT arrangements would not be within scope of the TPSP Guidelines as these are subject to the DORA framework.

Quick read

Firms impacted:

  • All EU regulated banks/credit institutions and investment firms (including third-country branches), holding companies approved under Article 21a(1) of the CRD IV Directive, payment services institutions and e-money institutions currently subject to the EBA Outsourcing Guidelines; plus
  • Smaller investment firms (i.e. not CRD/CRR-regulated, but excluding small and non-interconnected investment firms under the Investment Firms Regulation), MiCAR-authorised issuers of asset reference tokens (ARTs) and non-bank creditors under the Mortgage Credit Directive.

Headline changes: the TPSP Guidelines would:

  • Apply to more categories of firm than the EBA Outsourcing Guidelines.
  • Apply to all third party service arrangements (except ICT arrangements in-scope of DORA), not just outsourcings.
  • In several areas, raise the compliance bar to the new DORA standards, including the content of agreements with TPSPs, restrictions on sub-contracting, and requirements to keep a DORA-equivalent register of information about third party arrangements.

Timing:

  • 8 October 2025: consultation closes.
  • The finalised guidelines will apply to (i) all in-scope existing third party agreements from two years after the date of application; and (ii) all new third party arrangements entered into after a date to be set by the EBA.

Key features of draft TPSP Guidelines

Firms in scope: wider than the Outsourcing Guidelines. The TPSP Guidelines will apply to all EU regulated banks/credit institutions and investment firms (and third-country branches), holding companies approved under Article 21a(1) of the CRD IV Directive, payment services institutions and e-money institutions currently subject to the EBA Outsourcing Guidelines; plus smaller investment firms (i.e. not CRD/CRR-regulated, but excluding small and non-interconnected investment firms under the Investment Firms Regulation), MiCAR-authorised issuers of ARTs and non-bank creditors under the Mortgage Credit Directive.

TPSP arrangements in scope: wider than the Outsourcing Guidelines. The TPSP Guidelines will apply to all TPSP arrangements (not only outsourcing), except those covered by DORA. As under the Outsourcing Guidelines, they apply to services supporting any function, whether "critical or important" or otherwise, with extra provisions applying to services supporting "critical or important" functions.

Aims of the TPSP Guidelines: the same as the Outsourcing Guidelines. They specify the internal governance arrangements that firms should implement when they rely on TPSPs.

Content coverage: the same as the Outsourcing Guidelines (but with additional requirements - see below). They cover areas such as:

  • Governance of third party arrangements: management body oversight; a written policy for third party risk management; conflicts of interest management; and the role of internal audit.
  • Arrangements with TPSPs: pre-contractual assessments and due diligence; continuing to meet supervisory conditions; risk assessment; mandatory areas to cover in agreements with TPSPs (with additional items for services supporting "critical or important" functions); sub-contracting (including restrictions); access, information and audit rights; termination rights; monitoring of TPSPs; and exit strategies.

Additional requirements: in several areas, the TPSP Guidelines raise the bar to the new, higher DORA standards. Key examples of the uplift include:

  • An explicit requirement for the management body to have (and review) a "strategy" for the management of third party risks (para 38).
  • Minimum annual review of the management body's written policy on third party risk management (para 48).
  • Requirements to identify the senior manager role responsible for monitoring third party arrangements (para 49d).
  • TPSPs should be involved in BCP plan testing (para 55).
  • Requirements to keep an up-to-date DORA-equivalent register of information (with mandatory fields) on all third party arrangements (ch 10). This could be a material extra burden for firms with complex and/or numerous non-DORA arrangements.
  • More granular requirements on risk assessments (para 74).
  • Extra areas for due diligence in relation to third party arrangements supporting "critical or important" functions (ch 11.3).
  • Extra areas to be covered in agreements with TPSPs, including, for example: more detail on what is involved in monitoring the TPSP's performance on an ongoing basis; and exit strategies, including establishing a mandatory adequate transition period (ch 12).
  • Extra requirements in relation to sub-contracting of critical or important functions by TPSPs, including, for example: express requirements on financial entities to have a clear and holistic view of the associated risks; and additional content and restrictions to be included in agreements with TPSPs, such as requiring TPSPs to assess location risks, monitor sub-contracted functions, specify subcontractor monitoring and reporting obligations, and ensure business continuity in the event of subcontractor failure (ch 12.1).

What does this mean for firms?

If the TPSP Guidelines go ahead as proposed:

  • Firms which are already subject to the EBA Outsourcing Guidelines will need to assess the additional requirements arising from the expansion of scope to non-outsourcings and also the DORA uplift.
  • Smaller investment firms which are not currently subject to the EBA Outsourcing Guidelines, MiCAR-authorised issuers of ARTs and non-bank creditors under the Mortgage Credit Directive will all need to assess how they comply with the TPSP Guidelines.
  • Firms already subject to DORA should be able to extend their existing DORA compliance approach (where they have not already done so) to non-ICT / non-DORA third party arrangements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
