16 February 2026

From outsourcing to third-party arrangements: New EBA Guidelines for third-party risk management in relation to non-ICT services

Regulatory evolution and transformation of operating models
Introduction

In recent years, the European regulatory framework on operational resilience has undergone a significant transformation, accelerated by Regulation (EU) 2022/2554 (DORA) entering into force.

Third-party provider management is one of the most affected areas, particularly where providers deliver ICT services, and it has progressively emerged as a crucial element for the operational stability of financial intermediaries.

Building on this turning point, the European Supervisory Authorities (ESAs – EBA, ESMA and EIOPA) have launched a coordinated path aimed at strengthening and harmonising the rules on third-party risk management.

The objective is to create a consistent framework to address the growing complexity of operational dependencies on external providers, a phenomenon that has now become structural for the financial system.

The draft of the new EBA Guidelines on the sound management of third-party risk (EBA/CP/2025/12) is designed to align the existing framework with DORA provisions and to significantly broaden the regulatory approach. The Guidelines do not merely replace the previous outsourcing rules: they introduce a comprehensive vision of third-party relationship management that includes non-ICT services, and they strengthen oversight of a risk that has become strategic for operational continuity and business model sustainability.

In this article we look at the main innovations and their effects on the organisational models, governance, and internal processes of financial institutions, providing a practical guide to navigating the implementation phase.


Regulatory evolution and timetable

On 8 July 2025, the EBA launched a public consultation to define the new regulatory framework on third-party risk management. The aim is to strengthen governance and resilience of the European financial system. The proposed framework builds on DORA but expands its scope, moving beyond the limited outsourcing approach and introducing a holistic view of dependencies on external providers, both ICT and non-ICT.

The consultation closed on 8 October 2025 with broad market participation. Stakeholders highlighted several key concerns, including:

  • clarifying the definition of ICT services compared to non-ICT services;
  • the risk of excessive expansion of the scope of application;
  • greater precision in defining critical or important functions; and
  • specific guidance for intragroup risk management.

The final version of the Guidelines is expected by April 2026, although a delay is possible. After publication, we expect an implementation period, including a “grace period”, likely of two years, to update contracts and the third-party register.

Regulatory implications are significant:

  • replacing the EBA Guidelines on outsourcing arrangements (2019);
  • updating national regulations, such as Bank of Italy Circular 285;
  • converging initiatives by other ESAs: ESMA has already issued principles on third-party risk supervision, while EIOPA has scheduled a review of outsourcing requirements for 2027.

Overall, a multi-year process of regulatory harmonisation is emerging, with DORA as the foundation of an integrated approach to operational resilience of the financial system.


Key innovations of the new EBA Guidelines

Expansion of scope

The new Guidelines extend both the subjective and objective scope. In addition to banks and investment firms, they now also cover:

  • investment firms not classified as small and non-interconnected;
  • issuers of asset-referenced tokens subject to the MiCAR Regulation; and
  • financial creditors under the Mortgage Credit Directive.

At the same time, the framework is no longer limited to outsourcing or ICT services but covers the full spectrum of Third-Party Arrangements (TPA), meaning any agreement with external providers, including intragroup arrangements. DORA is still the reference regulation for ICT services, while the new Guidelines extend similar principles to non-ICT services, ensuring regulatory consistency.

Critical or important functions

The Guidelines strengthen the concept of critical or important functions, in line with DORA. A function is considered critical if its disruption might significantly affect financial stability, regulatory compliance, or operational continuity.

The concept also extends to recovery and resolution scenarios, consistent with the BRRD Directive, placing greater emphasis on provider substitutability and overall resilience.

Harmonisation with the DORA register

The Guidelines introduce the possibility of a single third-party register integrating ICT and non-ICT services, replacing the outsourcing register. Governance is also strengthened across the entire lifecycle of supplier arrangements, with greater involvement of control functions and internal audit.


Operational impacts and organisational transformation

The new Guidelines do not merely require formal compliance; they imply a substantial revision of operating models. The main actions are structured across four areas.

Governance evolution

Many institutions currently show fragmented third-party risk management. The Guidelines require:

  • clearly assigned internal responsibilities;
  • active Board oversight;
  • a formalised policy; and
  • integration into the overall risk management framework.

The main challenge will be simplifying governance by coordinating different roles (procurement, vendor management, outsourcing, risk management) and ensuring adequate expertise.

Process integration

The Guidelines define a full lifecycle approach to supplier management:

  • Pre-contractual analysis with due diligence and risk assessment.
  • Contractual phase with strengthened clauses and audit KPIs.
  • Ongoing monitoring with periodic reviews and audit rights.
  • A defined and tested exit strategy.

The main difficulty will be balancing standardisation and flexibility, adopting common templates while maintaining adaptability to operational specificities.

Contract review

Contractual alignment represents one of the most complex interventions. The new rules require:

  • more stringent performance metrics;
  • audit and access rights for the institution and supervisors;
  • subcontracting rules; and
  • review of existing contracts.

Renegotiation with long-standing suppliers may be challenging, making it necessary to prioritise critical contracts, define alternative negotiation strategies and assess supplier portfolio rationalisation.

Supporting tools and technologies

The Guidelines encourage the evolution of Third-Party Risk Management tools:

  • a unified supplier register;
  • continuous performance monitoring systems; and
  • integration between procurement, GRC, risk and compliance platforms.

The real challenge will be avoiding duplication between ICT and non-ICT frameworks and building an integrated information ecosystem.


Concluding remarks

The new EBA Guidelines mark a structural shift, moving the focus from outsourcing to comprehensive third-party risk management. The effects will impact not only financial institutions but also suppliers, who will have to comply with more rigorous standards.

But there are still some areas to be considered:

  • discretion in defining the scope of application;
  • difficulty in ensuring uniform conditions across sectors; and
  • absence of a supervisory framework for critical non-ICT providers (unlike what’s envisaged under DORA).

Institutions that have already built a solid foundation under DORA start from an advantageous position, but extending the framework to non-ICT services will require further adjustments. The time available for implementation will be limited, and many activities can already be initiated now.

A strategic approach, going beyond mere compliance, will allow institutions to transform regulatory obligation into an opportunity: greater operational resilience, reduced risk, and strengthened stakeholder trust, elements that are now essential for competitiveness in the contemporary financial system.
