New EBA Guidelines on Third-Party Risk Management

Everything Banks, Investment Firms and Payment Institutions Need to Know — Practical and Concise

Third-Party Management

Whitepaper

January 13, 2026

EBA Guidelines - Sound Management of Third-Party Risk

EBA Guidelines - Sound Management of Third-Party Risk

Abstract illustration of a protective shield with a lock symbol in front of a network of connected nodes – representing security, resilience and third-party risk management in the financial sector.

Background:

On July 8, 2025, the European Banking Authority (EBA) published a draft of new guidelines on third-party risk management, fundamentally reshaping how institutions must manage outsourcing and third-party relationships.

By 2028, financial institutions will be required to implement comprehensive adjustments — with significant implications for management, governance, contracts and due diligence processes.

This white paper provides you with:

👉 A concise overview of the new EBA requirements

👉 A comparison of EBA 2019 vs. EBA 2025 guidelines

👉 Insights into the interaction with DORA (Digital Operational Resilience Act)

👉 Concrete recommendations for action and a roadmap tailored to your institution

What you will learn from this white paper:

✓ Which responsibilities managing directors will personally assume in the future

✔ Why third-party risk is not only a regulatory requirement but also a strategic issue

✔ Which documentation and register obligations institutions will face ✔ How contracts and due diligence processes need to be adapted

✔ How to use the transition period until 2028 to combine compliance and efficiency

✔ An in-depth analysis of the planned regulatory changes

Target audience:

Managing Directors, Outsourcing and Third-Party Risk Managers, as well as legal experts from banks, payment institutions and investment firms.

Make the most of the preparation period now — those who act early will avoid the mistakes of delayed DORA implementation.

Request whitepaper now

Vielen Dank! Wir haben Ihre Nachricht erhalten und senden Ihnen das Whitepaper schnellstmöglich zu
Oops! Bitte überprüfen Sie Ihre Eingaben oder versuchen Sie es in wenigen Minuten erneut. Sollte das Problem bestehen bleiben, kontaktieren Sie uns bitte direkt
Diagram illustrating the distinction between MaRisk (non-ICT outsourcing) and DORA (third-party ICT services), with a three-tier classification of institutions in accordance with the 9th amendment to MaRisk

9th MaRisk Amendment: What the New Institution Classification Means for Your Firm

The 9th MaRisk Amendment marks a genuine shift in regulatory logic: fewer detailed rules, greater reliance on principles, and a new institution classification that determines which proportionality reliefs a firm may actually use. At the same time, the amendment draws a clearer boundary between MaRisk and DORA: ICT services will no longer fall within AT 9, removing the previous double treatment. What this means in practice: more discretion in outsourcing risk analysis, a revised role for the outsourcing officer, continued register obligations despite the deletion of the formal MaRisk provision, and a sharper distinction between ICT-related and non-ICT continuity requirements.

More information
Treppenstufen-Diagramm mit vier Phasen des Projektmanagements: Gap-Analyse, Projektplan, Ressourcen und Umsetzung, dargestellt mit passenden Icons.

EBA Guideline 2025: Paradigm shift in third-party risk management

The new EBA guideline on third-party risk management marks a paradigm shift: in future, all non-ICT third-party relationships must be managed according to stricter standards – not just traditional outsourcing. Specific changes include new registration requirements in line with the DORA standard, explicit strategic commitments on the part of management, expanded due diligence (ESG, AML/CFT, supply chains) and stricter contractual requirements. The transition period until 2028 may seem long, but it is ambitious given the organisational and contractual adjustments that will be required.

More information