EBA Guideline 2025: Paradigm shift in third-party risk management

On 8 July 2025, the European Banking Authority (EBA) published the draft of its new Guideline on Third-Party Risk Management for consultation. What may appear at first glance to be a technical update of existing outsourcing rules in fact represents a fundamental shift: in future, institutions will be required to manage not only traditional outsourcing but also all non-ICT third-party arrangements under uniform, more stringent standards.

From Outsourcing to Third-Party Risk: The New Regulatory Framework

The previous 2019 EBA Guideline focused primarily on outsourcing agreements in the narrow sense. The new draft significantly expands the scope and introduces the broader concept of the "Third-Party Arrangement". Outsourcing thereby becomes one subcategory of a much broader risk perspective.

Specifically, this means: all agreements with external service providers – regardless of how they are legally structured – fall under the Guideline, provided they do not concern ICT services. ICT services have been governed since January 2025 by DORA (the Digital Operational Resilience Act). Together, the two regimes create, for the first time, a seamless regulatory framework for the whole of third-party risk management. In practice, the first step for each arrangement is therefore to classify it correctly, since that classification determines which of the two regimes applies.

What changes in practice for affected institutions?

Extended scope

In addition to credit institutions and investment firms, the Guideline now also applies to issuers of Asset-Referenced Tokens (ARTs) under MiCAR as well as mortgage credit providers under the Mortgage Credit Directive. The circle of regulated institutions is thereby significantly broadened.

New register requirement

Institutions will in future be required to maintain a comprehensive register of all non-ICT third-party arrangements – consistent with the DORA register for ICT services. This must include detailed information on:

  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Substitutability and reintegration
  • Exit plans
  • Estimated annual costs

The requirements are explicitly aligned with the DORA standard.

Strengthened management responsibility

The management body remains – as under the 2019 Guideline – fully responsible for third-party risk management and cannot delegate that responsibility. What is new is the explicit obligation to define, approve and regularly review a comprehensive strategy covering all non-ICT third-party arrangements. This extends the strategic obligation that DORA already imposes for ICT services consistently to all other third parties. The established principle remains: institutions must not become “empty shells” – adequate substance and governance capability of their own must be ensured at all times.

Stricter due diligence and risk assessment

The review of operational, legal and reputational risks required since 2019 is substantially expanded. New requirements explicitly include:

  • ESG risks
  • AML/CFT risks
  • International human rights and environmental standards

These aspects were not explicitly addressed in the previous Guideline. Institutions will also be required to conduct a detailed analysis of complex subcontracting chains and their specific supply chain risks, and to review the business continuity and contingency plans of their service providers. The requirements for assessing third-country providers, in place since 2019, are refined and supplemented by concrete review criteria relating to political stability and local insolvency regimes.

Stricter contractual requirements

Contracts will in future need to include the following elements:

  • More precise service-level agreements with quantitative and qualitative performance metrics
  • Unrestricted audit rights for institutions and supervisory authorities
  • Binding transition periods for exit scenarios

Subcontracting will only be permitted under strict conditions, and the primary service provider must ensure that all obligations are effectively passed on to subcontractors.

Why is this relevant now?

Third-party risk management is evolving from a compliance requirement to a strategic management tool. Institutions that fail to act in good time risk not only supervisory measures but also operational disruptions and competitive disadvantages. The transition period until 2028 may appear lengthy – yet in view of the required organisational, procedural and contractual adjustments, it is in fact ambitious.

At the same time, alignment with DORA offers considerable opportunities: institutions that implement both frameworks in an integrated way will establish consistent governance structures, increase transparency and sustainably strengthen their operational resilience.

First steps: What institutions should do now

  1. Launch a gap analysis: Assess current structures against the new requirements and identify action areas as well as critical gaps.
  2. Develop a project plan: Based on the gaps identified, design a prioritised implementation plan with concrete milestones, responsibilities and timelines – including contract reviews, register build-up and organisational adjustments.
  3. Allocate resources: Ensure sufficient budget and staffing in line with the project scope – this is a management task, building on the gap analysis.
  4. Start implementation: Gradually execute the measures defined in the project plan, combining quick wins with structural transformations.

Outlook

In the upcoming articles of this series, we will examine the requirements in detail: from the boundary with DORA to the specific register obligations and practical implementation recommendations. The aim is to provide compliance officers, outsourcing officers and senior management with a hands-on guide for the forthcoming transformation.


Would you like to know where your institution stands? Contact us for a non-binding initial assessment of your specific needs – based on your existing structures and individual challenges.
