EBA Consultation Opens - Aligning Third-Party Risk Management with DORA

On July 8, 2025, the European Banking Authority (EBA) initiated a process to replace its existing Guidelines on outsourcing by publishing a consultation paper on the "sound management of third-party risk." This move aims to align the current rules for managing non-IT third-party service providers with the new requirements of the Digital Operational Resilience Act (DORA), which focuses on ICT risk.

The EBA noted the need for this alignment, stating: "The conditions for the management of third-party risk... for non-ICT related functions... are not harmonised to the same extent as for... ICT services [under DORA]. A close alignment... should be made to ensure a level playing field and foster supervisory convergence."

Key Proposed Changes

To align with DORA, the draft guidelines propose several key changes:

Broader Classification of Arrangements: The new rules would apply to all "third-party arrangements," a broad category of which existing outsourcing arrangements are only a subset. This means more contracts will fall within the risk management framework. The exclusion test also shifts: rather than excluding services the firm would not normally perform itself, the draft excludes arrangements that do not have a material impact on the firm's risk profile or operational resilience. ICT services covered by DORA are explicitly excluded from these guidelines, since DORA already governs them.

Focus on "Functions" over "Arrangements": Previously, firms assessed whether an entire outsourced arrangement was critical. DORA shifts the focus to the criticality of the function being supported by a third party. The draft guidelines follow this approach, requiring firms to identify their critical functions and manage the third-party risks associated with each of them accordingly.

Unified Register of Information: Firms are already required to maintain an outsourcing register. DORA adds a requirement for a "Register of Information" for all ICT service contracts. The EBA proposes aligning the format of the outsourcing register with this new DORA register, allowing firms to manage information on both ICT and non-ICT services consistently, potentially within a single register.

Next Steps

The consultation is open for comments until October 8, 2025.

Once the guidelines are finalized, a two-year transition period will be granted. During this time, firms must review and amend their third-party arrangements and update their registers to comply with the new requirements.