ARTICLE
5 November 2025

The EBA's Proposed Expansion Of Third-party Risk Management Requirements

Travers Smith LLP

The European Banking Authority (EBA) is preparing to usher in a Digital Operational Resilience Act (DORA)-style regime, but this time for non-ICT third-party arrangements. Its proposed draft guidelines significantly expand its former 2019 outsourcing guidelines and will lead to an overhaul of third-party risk management within EU financial services. This briefing sets out the key changes and next steps for firms in scope. If implemented, the new guidelines will introduce a much broader, more prescriptive framework for third-party contracts outside DORA, introducing new requirements, greatly expanding scope, and imposing new contract and governance standards across the sector.

  1. Why is the EBA raising the bar on third-party risk?

Financial entities are increasingly dependent on third-party service providers (TPSPs) for cost reduction, scalability, efficiency and access to specialist resources—even for activities not traditionally classified as "outsourcing". The material risk exposures created for financial entities, consumers, and the wider system have prompted regulators to extend third-party risk controls to other third-party arrangements. In addition, the aim is to align requirements for all non-ICT services with DORA-level safeguards, while preserving DORA's exclusive scope for ICT contracts.

Expanded scope of financial entities

The draft guidelines apply to a wider group than previously. The 2019 guidelines were limited to EEA credit institutions, CRD investment firms, payment institutions and electronic money institutions. The draft guidelines would also apply to:

  • Investment firms subject to EU IFR unless classified as "small and non-interconnected"
  • Issuers of asset-referenced tokens (ARTs) under MiCAR
  • Creditors under the EU Mortgage Credit Directive (non-bank mortgage lenders)
  • Financial holding companies and mixed financial holding companies that have been subject to approval under CRD

In addition to applying on an individual basis, for certain types of entities, the draft guidelines also apply to the wider group as follows:

  • Credit institutions and CRD investment firms must apply the draft guidelines on a consolidated and sub-consolidated basis
  • In-scope IFR investment firms must apply the guidelines on a consolidated basis
  • ART issuers must apply the guidelines on a group-wide basis

  2. Not just outsourcing – which contracts are caught?

The draft guidelines represent a major shift: "third party arrangements" (TPAs) now capture any non-ICT arrangement for a third party to provide or support a function for a financial entity (including intra-group arrangements). Functions that would never have been performed internally will be brought into scope.

The new guidelines set out some categories of functions that could be provided by a third-party service provider, including:

  • administrative services;
  • cash management services;
  • customer services;
  • depositary tasks & administration for UCI;
  • finance, treasury, accounting and reporting;
  • internal control functions;
  • investment services;
  • lending;
  • payment services;
  • securities; and
  • ART issuance.

  3. Excluded functions

The EBA nevertheless carves out some functions:

  • functions legally required to be performed by a TPSP (e.g. statutory audit)
  • global network infrastructures (such as Visa and Mastercard)
  • clearing and settlement arrangements between clearing houses, central counterparties, and settlement institutions and members
  • global financial messaging infrastructures subject to oversight by relevant authorities (e.g. SWIFT)
  • correspondent banking services
  • acquisition of services that do not have material impact on financial entities' risks exposures or operational resilience (e.g. legal opinion, advice from an architect, cleaning)
  • utilities subject to regulated framework, such as gas and electricity

All ICT arrangements remain subject to DORA and are out of scope; however, the distinction between ICT and non-ICT in multidisciplinary contracts may prove to be complex in practice. Certain stakeholders have called for further guidance and more flexibility in classification, as strict boundaries between ICT and non-ICT may not reflect operational realities and can complicate compliance when arrangements have both ICT and non-ICT elements.

  4. Mandatory terms for all third-party arrangements

The standout change is that all TPAs must now include a core set of minimum contractual protections, not just contracts that support "critical or important" functions. This brings a much higher administrative and operational burden as financial institutions must catalogue and include these terms in a significant number of contracts covering lower-risk services.

Core mandatory contractual requirements include:

  • Service description, start/end dates, location of service/data, financial terms
  • Access, information, and audit rights (for entity and competent authority)
  • Confidentiality/data arrangements, data return/transfer rights
  • Continuity, termination, and exit/transition rights
  • Provisions ensuring regulatory and supervisory cooperation

For critical or important functions, more stringent and granular requirements are specified, including clear service levels, insurance obligations, enhanced audit and reporting controls, and strict rules on subcontracting. The criteria for identifying "critical or important functions" are intended to align with DORA, yet the new guidelines still incorporate legacy assessment criteria—some respondents to the consultation have expressed concern that this hybrid approach potentially creates inconsistency and increases compliance complexity.

  5. Rules on subcontracting

For critical or important functions, the new guidelines mirror DORA in requiring:

  • Contractual clarity on whether and how subcontracting is permitted
  • Thorough risk assessment before subcontracting, plus continuous monitoring and reporting on subcontractor performance
  • Prior notice of material changes to subcontracting, with a clear right for the financial institution to object to, or approve, those changes
  • Audit and access rights flowing down to all subcontractors
  • The right to terminate contracts if subcontracting occurs without explicit permission or if material changes occur without approval

  6. Registers of contract information

Entities must maintain an electronic, up-to-date register covering all TPAs, distinguishing between those deemed to support critical or important functions and other third-party arrangements. Entities may keep two parallel (and consistent) registers – one under DORA for ICT services and another for non-ICT services – but ideally there would be a single, merged register.

  7. Proportionality

Although these new requirements present a significant additional compliance burden, the principle of proportionality is central throughout the guidelines. The EBA expects financial entities to apply all requirements—whether on governance, risk assessment, monitoring, or documentation—in a manner that is commensurate with the size, risk profile, and complexity of the institution, as well as the nature, scope, and risk of each third-party arrangement.

When considering how the proportionality principle applies, the draft guidelines direct banks, investment firms and ART issuers to consider additional factors set out in the sector-specific governance guidelines the EBA has published under CRD, IFR and MiCA respectively.

  8. Timescales

The draft guidelines were published in July 2025, with the consultation period closing on 8 October 2025. Once they come into force, the new regime will repeal the 2019 Guidelines and will apply immediately to new contracts from the date of entry into force, but a two-year transition period is planned for existing non-ICT third-party service arrangements.

It is possible that the new guidelines will be finalised by the end of 2025.

  9. UK position

The UK has adopted a different approach from the EU in relation to operational resilience in financial services firms. Rather than creating separate frameworks for ICT and non-ICT services provided by TPSPs, the UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have overarching principles in relation to the adequacy of the systems that firms operate, as well as any outsourcings they undertake. These have been supplemented by more detailed operational resilience rules for certain categories of larger or more complex firms, such as UK banks, insurers and some larger solo-regulated FCA firms.

In addition, in December 2024, the FCA and PRA published proposals to introduce new requirements for banks, insurers and more complex FCA solo-regulated firms to notify the regulators of material TPAs (whether or not they constitute an outsourcing), as well as broader operational incident reporting requirements for all firms. Final rules are expected to be published later this year.

Broadly speaking, the proposed UK requirements relating to the notification of material TPAs to the regulators would apply to arrangements which are of such importance that disruption or failure in their performance would cause intolerable harm to the firm's clients, would pose a risk to the stability of the UK financial system, or would cast doubt on whether the firm can continue to meet the conditions necessary to maintain its regulatory authorisation.

While respondents to the FCA and PRA's consultations have raised concerns about the potential scope of these obligations, they nonetheless seem considerably narrower in practice than the EBA's proposed guidelines. In particular, the EBA's proposals (subject to the proportionality principle) apply to all TPAs unless they are specifically carved out, albeit with certain obligations only applying in relation to critical or important functions. While the UK approach is primarily based around identification and notification of relevant TPAs, the EBA obligations are also more extensive in terms of imposing additional requirements around the content of contractual arrangements and their associated governance.

  10. What next?

It is important not to underestimate the compliance and operational burden that the proposed guidelines will place on in scope entities, if implemented. While many firms may seek to adapt their existing DORA compliance frameworks, the new guidelines require firms to track and uplift a far larger universe of contracts than the 2019 guidelines encompassed. Firms will need to renegotiate and update contracts with a wide array of service providers—many of whom may be less accustomed than ICT or traditional outsourcing vendors to the detailed contractual and operational requirements now laid out by the EBA.

It will be important to assess the final guidelines once they are published but, to get ahead of the upcoming changes to third party arrangements, in-scope financial entities can begin to:

  • review and catalogue all non-ICT third-party arrangements (both those previously classified as outsourcing and those that were not)
  • assess which functions are critical or important
  • compare current documentation (such as checklists, templates, and governance policies) against the new guidelines and begin to update these materials; financial entities already subject to DORA are likely to be able to adapt their existing DORA compliance processes and materials for this purpose
  • set up (or, if already in place, update and maintain) a register of all third-party arrangements
