Reduce risks, strengthen compliance, and optimise your vendor relationships with our proven strategies and tools
Outsourcing is booming – and so are the risks. Whether IT systems, cloud solutions or entire business processes: financial institutions are outsourcing more than ever. Yet responsibility remains firmly with the institution itself. Supervisors are watching closely – and requirements are rising. With MaRisk, BAIT and the EBA Guidelines, the regulatory framework is already in place. From 2025 onwards, the European DORA Regulation will raise the bar significantly: every institution must systematically manage its third parties, comprehensively document risks, and demonstrate digital resilience. Those failing to act in time risk not only regulatory sanctions but also operational outages and reputational damage. That is why a robust outsourcing and third-party management framework has become essential – and a decisive competitive advantage.
From January 2025, the European DORA Regulation must be implemented on a mandatory basis.
It obliges all financial institutions to systematically manage ICT risks – including those arising from third parties.
The forthcoming EBA Guidelines on Third-Party Management (currently in draft) will tighten the existing framework.
From 2026, they will establish a uniform framework across Europe – aligning requirements with the DORA Regulation and avoiding regulatory overlaps.
The Minimum Requirements for Risk Management (MaRisk) have long provided the binding framework for outsourcing management and implement the EBA Guidelines in national regulation.
No institution can bypass MaRisk – it forms the foundation on which all further national and European requirements are built.
From strategic decisions through risk assessments and contract design to monitoring and exit strategies: every phase comes with its own regulatory requirements and practical challenges. Those who approach the process in a structured way can make outsourcing and third-party management not only regulatory compliant, but also efficient and value-adding.
In the initiation phase, the purchasing department and specialist department select the appropriate service provider and the services it offers. After the pre-selection process, the service provider must complete a due diligence questionnaire. The scope of the questionnaire depends on the classification of the service: if it supports a critical/important function or is outsourced, the requirements are significantly stricter. The results of this survey form the basis for further risk analysis.
The core of risk analysis is the evaluation of due diligence results: What specific risks arise from using the service provider? The classification is crucial here – is it a service that supports critical/important functions, or is it outsourcing? This determines how extensive the control and monitoring measures need to be.
The contractual arrangement forms the basis for effective outsourcing- and third-party management. Depending on whether the service supports a critical/important function or has been classified as outsourcing, the requirements vary considerably. In any case, a written contract is required. For critical/important services and outsourcing, significantly more extensive requirements must be taken into account.
During the onboarding phase, the service is prepared for use. This includes notification to BaFin (in the case of critical/important functions or outsourcing), entry in the outsourcing and information register, and the design of the emergency plan. At the same time, the service is integrated into internal processes and systems.
After the service provider has been onboarded, the ongoing control and monitoring phase begins. Institutions must maintain an outsourcing and/or information register, monitor KPIs, manage incidents and report regularly to senior management. The scope of these obligations depends on whether the service supports critical/important functions or is classified as outsourcing.
Every critical/important service and outsourcing arrangement must have a plan B. Exit strategies and business continuity plans ensure that business operations can continue if a service provider fails. Here, too, the competent authority requires a differentiated approach: detailed emergency scenarios, substitutability analyses and resilience tests are mandatory for outsourcing or critical/important services, while no emergency plans are necessary for other services.
Beyond the operational lifecycle, outsourcing and third-party management also require a clearly structured framework that is mandated by supervisors (e.g. MaRisk AT 9, EBA Guidelines, DORA). This spans from strategic orientation and policies through to work instructions and supporting documents. It ensures that governance, responsibilities and processes are firmly embedded within the institution, transparently documented and demonstrable to supervisors at any time. As such, it provides the foundation for effective management across all phases of the lifecycle.
Consistent implementation in day-to-day operations – from selecting and assessing providers, through contracts and reporting, to ongoing management and contingency planning. Our practical insights, case studies and whitepapers demonstrate how institutions can meet regulatory requirements efficiently while creating added value.
Whitepaper
The EBA is extending its outsourcing rules to cover all third-party relationships by 2028 – meaning institutions must now redefine their entire third-party strategy.
Our white paper outlines the concrete steps to take and shows you how to leverage this transformation strategically.
Let’s review together how you can put regulatory requirements into practice – efficiently and effectively
30 minutes for more clarity – book your appointment.
Free & non-binding · 30 minutes · Remote