Outsourcing and Third-Party Management in accordance with DORA, EBA and MaRisk

Managing outsourcing relationships in compliance with legal requirements – from risk analysis to ongoing monitoring

Effective outsourcing and third-party management will be mandatory for all financial institutions by 2025. Since January 2025, the DORA Regulation has tightened the requirements for ICT third parties, and the EBA is developing new third-party management (TPRM) guidelines for non-ICT services.

Whether IT systems, cloud solutions or entire business processes: financial institutions are outsourcing more than ever. Yet responsibility remains firmly with the institution itself. Supervisors are watching closely – and requirements are rising.

With MaRisk, BAIT and the EBA Guidelines, the regulatory framework is already in place. From 2025 onwards, the European DORA Regulation will raise the bar significantly: every institution must systematically manage its third parties, comprehensively document risks, and demonstrate digital resilience. Those failing to act in time risk not only regulatory sanctions but also operational outages and reputational damage. That is why a robust outsourcing and third-party management framework has become essential – and a decisive competitive advantage.

ICT Services: DORA from 2025


Non-ICT Services: new EBA Guidelines from 2026


National Requirements (e.g. MaRisk/KaMaRisk)


Third-Party Management follows a clear lifecycle

From strategic decisions through risk assessments and contract design to monitoring and exit strategies: every phase comes with its own regulatory requirements and practical challenges. Those who approach the process in a structured way can make outsourcing and third-party management not only regulatory compliant, but also efficient and value-adding.

Figure: depiction of a cycle including the individual stages of the lifecycle for outsourcing and third-party management.

In the initiation phase, the purchasing department and specialist department select the appropriate service provider and the services it offers. After the pre-selection process, the service provider must complete a due diligence questionnaire. The scope of the questionnaire depends on the classification of the service: if it supports a critical/important function or is outsourced, the requirements are significantly stricter. The results of this survey form the basis for further risk analysis.

The core of risk analysis is the evaluation of due diligence results: What specific risks arise from using the service provider? The classification is crucial here – is it a service that supports critical/important functions, or is it outsourcing? This determines how extensive the control and monitoring measures need to be.

The contractual arrangement forms the basis for effective outsourcing and third-party management. Depending on whether the service supports a critical/important function or has been classified as outsourcing, the requirements vary considerably. In any case, a written contract is required. For critical/important services and outsourcing, significantly more extensive requirements must be taken into account.

During the onboarding phase, the service is prepared for use. This includes notification to the BaFin (in the case of critical/important functions or outsourcing), entry in the outsourcing and information register, and the design of the emergency plan. At the same time, the service is integrated into internal processes and systems.

After the service provider has been onboarded, the ongoing control and monitoring phase begins. Institutions must maintain an outsourcing and/or information register, monitor KPIs, manage incidents and report regularly to senior management. The scope of these obligations depends on whether the service supports critical/important functions or is classified as outsourcing.

Every critical/important service and outsourcing arrangement must have a plan B. Exit strategies and business continuity plans ensure that business operations can continue if a service provider fails. Here, too, the competent authority requires a differentiated approach: detailed emergency scenarios, substitutability analyses and resilience tests are mandatory for outsourcing or critical/important services, while no emergency plans are necessary for other services.

From strategy to policy – the organisational framework

Beyond the operational lifecycle, outsourcing and third-party management also require a clearly structured framework that is mandated by supervisors (e.g. MaRisk AT 9, EBA Guidelines, DORA). This spans from strategic orientation and policies through to work instructions and supporting documents. It ensures that governance, responsibilities and processes are firmly embedded within the institution, transparently documented and demonstrable to supervisors at any time. As such, it provides the foundation for effective management across all phases of the lifecycle.

Third-Party Management Pyramid (three levels, with the level of detail increasing from top to bottom):

01 Third-Party Risk Management Strategy: Defines the basic guidelines and objectives for outsourcing/third-party management. It is closely linked to the business and risk strategy and is decided by management.

02 Third-Party Management Guideline: Defines the operational framework for all outsourcing and third-party procurement. Contains governance requirements, responsibilities and risk management principles.

03 Working and process instructions: Describe the specific processes and controls from risk analysis and contract drafting to monitoring.

From theory to practice

Consistent implementation in day-to-day operations – from selecting and assessing providers, through contracts and reporting, to ongoing management and contingency planning. Our practical insights, case studies and whitepapers demonstrate how institutions can meet regulatory requirements efficiently while creating added value.

Figure: step diagram showing the four project phases of implementation: gap analysis, project plan, resources and implementation.

Blog

The new EBA guideline on third-party risk management marks a paradigm shift: in future, all non-ICT third-party relationships must be managed according to stricter standards – not just traditional outsourcing. Specific changes include new registration requirements in line with the DORA standard, explicit strategic commitments on the part of management, expanded due diligence (ESG, AML/CFT, supply chains) and stricter contractual requirements. The transition period until 2028 may seem long, but it is ambitious given the organisational and contractual adjustments that will be required.


Whitepaper

The EBA is extending its outsourcing rules to cover all third-party relationships by 2028 – meaning institutions must now redefine their entire third-party strategy.

Our white paper outlines the concrete steps to take and shows you how to leverage this transformation strategically.


Ready to strengthen your outsourcing and third-party management?

Let’s review together how you can put regulatory requirements into practice – efficiently and effectively

30 minutes for more clarity – book your appointment

Free & non-binding · 30 minutes · Remote

Frequently Asked Questions (FAQ)

What you should know now about third-party and outsourcing management

What is the difference between outsourcing management and third-party management?


Outsourcing management focuses on outsourced services for regulated activities. Third-party management (Third-Party Risk Management) is the more comprehensive term and covers all service relationships, regardless of whether they are outsourced or not. With DORA and the new EBA Guidelines, institutions must henceforth systematically record and manage all third-party relationships, not just traditional outsourcing arrangements.

What is the difference between ICT and non-ICT services?


ICT services (Information and Communication Technology) encompass all IT-related services such as Software-as-a-Service, IT support, data centres, or cybersecurity services. These have been subject to DORA since January 2025. Non-ICT services are all other third-party relationships such as HR services, marketing, consultancy services, or services for risk management, internal audit, or data protection officers. The new EBA Guidelines apply to these services.

When is an outsourcing arrangement "critical" or "important"?


A function or service is deemed critical or important if its failure would significantly impair business operations or the institution would no longer be able to fulfil regulatory obligations. Rule of thumb: Would a failure of more than 4 hours cause substantial problems? Examples include: payment processing, core banking systems, risk management software, compliance functions. Significantly stricter requirements for contracts, monitoring, and exit strategies apply to critical/important functions.

What is the DORA information register and the outsourcing register?


The information register is a central documentation of all ICT third-party relationships that institutions must maintain pursuant to DORA Art. 28. The outsourcing register, by contrast, contains only those services classified as outsourcing arrangements or other ICT third-party procurement. Both registers must be kept current at all times and made available to the supervisory authority upon request.

What are the new EBA Guidelines?


The EBA Guidelines on the sound management of third-party risk (Third-Party Risk Management, consultation draft July 2025) focus on all non-ICT third-party relationships. Key changes: All third-party services not covered by DORA must be registered. There is no longer a focus solely on outsourcing arrangements.

How do the requirements under MaRisk, DORA, and EBA Guidelines differ?


MaRisk (national) forms the foundation for outsourcing management in Germany and implements the EBA Guidelines. DORA (EU Regulation, since January 2025) specifically governs ICT services with stricter requirements for risk management, documentation, contracts, and testing. The new EBA Guidelines extend the scope to all non-ICT third-party relationships and harmonise them with DORA requirements. However, the new EBA Guidelines must still be transposed by national supervisory authorities.

Got questions?

We are happy to offer you a free initial consultation