Legal development

The end of outsourcing? EBA's non-ICT third-party risk framework


    The European Banking Authority (EBA) has published a consultation paper on draft Guidelines for the sound management of third-party risk by financial institutions (the Draft Guidelines). This initiative marks an evolution from the EBA's 2019 Outsourcing Guidelines, expanding the regulatory perimeter to address the increasing reliance of financial entities on third-party service providers (TPSPs). 

    Once finalised, the Draft Guidelines will repeal the EBA's 2019 Outsourcing Guidelines and deliver a single framework for third-party arrangements that do not involve the provision of ICT services. The direction of travel is clear: non-ICT third-party services will be held to a supervisory standard equivalent to the one that now applies to ICT third-party services under the Digital Operational Resilience Act (DORA).

    We have set out below the key takeaways from the consultation.

    1. What is the scope?

      The scope of the Draft Guidelines is expressly limited to non-ICT third-party arrangements (which includes outsourcings and non-outsourcings), as ICT-related third-party arrangements remain wholly governed by DORA.

      Financial entities must assess whether arrangements with TPSPs fall within the definition of a third-party arrangement (TPA) and, crucially, whether the TPA relates to a "critical or important function". The Draft Guidelines provide detailed criteria for this assessment, which firms will be familiar with from the existing outsourcing guidelines and DORA.

    2. Who does this apply to?

      The Draft Guidelines apply to a wide range of financial entities, including credit institutions, investment firms (excluding small and non-interconnected firms), payment institutions, electronic money institutions, issuers of asset-referenced tokens (ARTs), and certain creditors.

    3. Is this the end of outsourcing?

      The EBA's proposals abandon the outsourcing / non-outsourcing distinction and introduce a broader third-party lens (similar to that under DORA and wider operational resilience frameworks being developed by regulators globally).

      Outsourcing is now a subset of the wider category of TPAs which includes, for example, professional services, business process support and intra-group shared services. Therefore, TPAs covered by the Draft Guidelines include both outsourcing and non-outsourcing third-party non-ICT arrangements.

    4. How do the Draft Guidelines align with DORA?

      The Draft Guidelines only cover the use of non-ICT related services provided by TPSPs, whereas DORA provides the framework for the management of third-party risks with regard to ICT services. In terms of applicability and scope, this will lead to the "splitting" of the Venn diagram as follows:

      [Diagram: Draft Guidelines align with DORA]

      Moreover, the EBA's proposals on the risk management framework and contractual obligations are closely aligned with those under DORA. The EBA has sought to ensure the Draft Guidelines are consistent with DORA to ensure a seamless split between the frameworks for ICT and non-ICT services. This importantly removes overlapping obligations that otherwise exist under the currently applicable DORA and EBA Outsourcing Guidelines regimes.

      Accordingly, while firms will need to ensure their third-party risk management framework can differentiate between, and capture, both ICT and non-ICT third-party services, overall these changes will allow firms' third-party risk management frameworks to be consistent and aligned across different arrangements, reducing the compliance burden and creating operational efficiencies.

    5. What about 'critical or important' functions?

      The Draft Guidelines retain the concept of 'critical or important' functions that exists under the current EBA Outsourcing Guidelines and under DORA. Helpfully, the EBA has aligned the definition of a 'critical or important function' in the Draft Guidelines with that under DORA.

      In line with the existing regimes, more stringent requirements apply to TPAs which support critical or important functions, as compared to those that do not. Accordingly, firms should already have in place compliant frameworks that should not require material changes.

    6. Do we need to (re-)remediate contractual agreements? If so, what are the contractual requirements?

      In terms of requirements, the EBA has lifted the DORA Article 30 contractual obligations and repurposed them for non-ICT services. Accordingly, the Draft Guidelines feature familiar provisions on audit/access, location of services and data, subcontracting, and termination.

      Firms that have already implemented DORA contractual addendums and EBA outsourcing addendums should be able to leverage much of the work for non-ICT TPAs, easing remediation workloads.

      As such, for most firms we expect the population of agreements that will be in-scope for remediation under the new guidelines to be low. These will essentially be any third-party non-ICT agreements that have not previously been through either an EBA or DORA remediation exercise.

    7. What steps should we be taking?

      The obligations under the Draft Guidelines echo DORA and the existing EBA outsourcing guidelines; nonetheless, it would be prudent for firms to:

      - map non-ICT TPAs, including identifying any intra-group and "non-outsourcing" arrangements that may have so far sat outside contractual remediation programmes;

      - identify whether any of the non-ICT TPAs identified would require remediation (e.g. if they were previously not remediated as part of EBA or DORA remediation programmes);

      - benchmark existing contractual templates and checklists against the new requirements;

      - in due course, consider uplifts to the risk management frameworks and outsourcing policies to reflect the new guidelines; and

      - begin building a unified data framework capable of supporting two parallel, but consistent, registers.

    8. What else should we know?

      The Draft Guidelines require firms to maintain a comprehensive register of TPAs. The data fields for the register broadly mirror those under DORA. Firms are expected, to the extent possible, to keep the register consistent with their DORA register and may, but are not required to, merge the two registers.

    9. How much time do we have?

      The consultation closes on 8 October 2025 and it is feasible the guidelines could be finalised by the end of the year.

      The finalised guidelines will apply to new contracts from the entry-into-force date. Existing non-ICT TPAs have the benefit of a transitional period and only require remediation within two years of the guidelines coming into force.

    10. What about ESMA's Cloud Guidelines and other outsourcing rules? 

      In a similar move, in the same week, ESMA announced that it was amending its Guidelines on Outsourcing to Cloud Services Providers (ESMA Cloud Guidelines). 

      However, rather than repeal the guidelines, ESMA has amended their scope to remove financial entities subject to DORA (since, for most firms, the application of DORA renders the guidelines obsolete). Accordingly, the ESMA Cloud Guidelines now only apply to certain depositaries that are not subject to DORA.


      With the EBA's proposed updates to its guidelines, the ESMA change described above and EIOPA's recent withdrawal of its guidelines on outsourcing, there is now no overlap between the ESAs' 'outsourcing' rules and guidance and DORA.

      There are of course still references to outsourcing (e.g. in MiFID, Solvency II, PSD II, the FCA's rules and local implementing measures) which can conflict and overlap, but nonetheless this round of changes represents welcome simplification and clarity from the ESAs and is a step in the right direction for financial entities as well as service providers.
