Whitepaper: New EBA Guidelines on Third-Party Risk Management

Everything Banks, Investment Firms and Payment Institutions Need to Know — Practical and Concise

Third-Party Management

Whitepaper

August 27, 2025

EBA Guidelines - Sound Management of Third-Party Risk

EBA Guidelines - Sound Management of Third-Party Risk

Abstract illustration of a protective shield with a lock symbol in front of a network of connected nodes – representing security, resilience and third-party risk management in the financial sector.

Background:

On July 8, 2025, the European Banking Authority (EBA) published a draft of new guidelines on third-party risk management, fundamentally reshaping how institutions must manage outsourcing and third-party relationships.

By 2028, financial institutions will be required to implement comprehensive adjustments — with significant implications for management, governance, contracts and due diligence processes.

This white paper provides you with:

👉 A concise overview of the new EBA requirements

👉 A comparison of EBA 2019 vs. EBA 2025 guidelines

👉 Insights into the interaction with DORA (Digital Operational Resilience Act)

👉 Concrete recommendations for action and a roadmap tailored to your institution

What you will learn from this white paper:

✓ Which responsibilities managing directors will personally assume in the future

✔ Why third-party risk is not only a regulatory requirement but also a strategic issue

✔ Which documentation and register obligations institutions will face ✔ How contracts and due diligence processes need to be adapted

✔ How to use the transition period until 2028 to combine compliance and efficiency

✔ An in-depth analysis of the planned regulatory changes

Target audience:

Managing Directors, Outsourcing and Third-Party Risk Managers, as well as legal experts from banks, payment institutions and investment firms.

Make the most of the preparation period now — those who act early will avoid the mistakes of delayed DORA implementation.

Request whitepaper now

Vielen Dank! Wir haben Ihre Nachricht erhalten und senden Ihnen das Whitepaper schnellstmöglich zu
Oops! Bitte überprüfen Sie Ihre Eingaben oder versuchen Sie es in wenigen Minuten erneut. Sollte das Problem bestehen bleiben, kontaktieren Sie uns bitte direkt
Treppenstufen-Diagramm mit vier Phasen des Projektmanagements: Gap-Analyse, Projektplan, Ressourcen und Umsetzung, dargestellt mit passenden Icons.

EBA Guideline 2025: Paradigm shift in third-party risk management

The new EBA guideline on third-party risk management marks a paradigm shift: in future, all non-ICT third-party relationships must be managed according to stricter standards – not just traditional outsourcing. Specific changes include new registration requirements in line with the DORA standard, explicit strategic commitments on the part of management, expanded due diligence (ESG, AML/CFT, supply chains) and stricter contractual requirements. The transition period until 2028 may seem long, but it is ambitious given the organisational and contractual adjustments that will be required.

More information