Mondo Visione Worldwide Financial Markets Intelligence

FTSE Mondo Visione Exchanges Index:

The EBA Launches Consultation On Its Draft Guidelines On Third-Party Risk Management With Regard To Non-ICT Related Services

Date 08/07/2025

The European Banking Authority (EBA) today launched a public consultation on the draft Guidelines on the sound management of third-party risk. The draft Guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors with a particular focus on the provision of critical or important functions. These Guidelines revise and update the previous EBA Guidelines on outsourcing, published in 2019, in line with the Digital Operational Resilience Act (DORA). The consultation runs until 8 October 2025.

The draft Guidelines specify the steps to be taken by financial entities for the life cycle of third-party arrangements (i.e. risk assessment, due diligence, contractual phase, sub-contracting, monitoring, exit strategies and termination processes) to ensure consistency with the requirements under the DORA framework to the extent possible. The draft Guidelines provide specific criteria for the application of the proportionality principle.

In addition, the draft Guidelines ensure consistency with the DORA register by allowing financial institutions to store consistent information for both ICT and non-ICT services, including the possibility of using one single register. Taking into account the application of proportionality, the level of information to be documented has been limited to reduce the burden on both financial entities and competent authorities.

To ensure a smooth and efficient transition, financial entities falling under the scope of the updated Guidelines have a transitional period of two years to review and amend their existing third-party arrangements (TPA) and to update the register for non-ICT TPA.

Consultation process

Comments to the consultation paper can be sent by clicking on the "send your comments" button on the EBA's consultation page. The deadline for the submission of comments is 8 October 2025.

The EBA will hold a virtual public hearing on 5 September from 09:00 to 13:00 - Paris time. The EBA invites interested stakeholders to register using this link by 1 September (16:00 CEST). The dial-in details will be communicated to those who have registered for the meeting.

All contributions received will be published following the end of the consultation, unless requested otherwise.

Legal basis

The draft Guidelines have been developed in accordance with Article 74 of Directive 2013/36/EU which mandates the EBA to further harmonise institutions' governance arrangements, processes and mechanisms across the EU. Article 11 of Directive (EU) 2015/2366/EU (PSD2), Article 26 of Directive 2019/2034/EU (IFD), Article 16 of Directive (EU) 2014/65 (MiFID II), Article 34 of Regulation (EU) 2023/1114 (MiCAR) and Article 16 of Regulation (EU) No 1093/2010 have also been taken into account.

 

Documents