EBA launches consultation on its draft Guidelines on third-party risk management with regard to non-ICT related services

[vc_row][vc_column][vc_column_text]The European Banking Authority (EBA) today launched a public consultation on the draft Guidelines on the sound management of third-party risk. The draft Guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors with a particular focus on the provision of critical or important functions. These Guidelines revise and update the previous EBA Guidelines on outsourcing, published in 2019, in line with the Digital Operational Resilience Act (DORA). The consultation runs until 8 October 2025.

The draft Guidelines specify the steps to be taken by financial entities for the life cycle of third-party arrangements (i.e. risk assessment, due diligence, contractual phase, sub-contracting, monitoring, exit strategies and termination processes) to ensure consistency with the requirements under the DORA framework to the extent possible. The draft Guidelines provide specific criteria for the application of the proportionality principle.

In addition, the draft Guidelines ensure consistency with the DORA register by allowing financial institutions to store consistent information for both ICT and non-ICT services, including the possibility of using one single register. Taking into account the application of proportionality, the level of information to be documented has been limited to reduce the burden on both financial entities and competent authorities.

To ensure a smooth and efficient transition, financial entities falling under the scope of the updated Guidelines have a transitional period of two years to review and amend their existing third-party arrangements (TPA) and to update the register for non-ICT TPA.

Consultation process

Comments to the consultation paper can be sent by clicking on the “send your comments” button on the EBA’s consultation page. The deadline for the submission of comments is 8 October 2025.

The EBA will hold a virtual public hearing on 5 September from 09:00 to 13:00 – Paris time. The EBA invites interested stakeholders to register using this link by 1 September (16:00 CEST). The dial-in details will be communicated to those who have registered for the meeting.

All contributions received will be published following the end of the consultation, unless requested otherwise.[/vc_column_text][vc_empty_space height=”15px”][/vc_column][/vc_row][vc_row content_placement=”middle” content_text_aligment=”center” css=”.vc_custom_1746528175594{margin-top: 2% !important;background-color: #ff1949 !important;}”][vc_column width=”2/3″ css=”.vc_custom_1746528612909{margin-top: 2% !important;margin-left: 2% !important;}” offset=”vc_hidden-xs”][vc_empty_space height=”4px”][vc_column_text el_class=”lineheigth custom-vertical-top”]

Consultation paper on draft Guidelines on the sound management of third-party risk

[/vc_column_text][vc_column_text el_class=”lineheigth custom-vertical-bottom”]

https://www.eba.europa.eu/publications-and-media/press-releases/eba-launches-consultation-its-draft-guidelines-third-party-risk-management-regard-non-ict-related

[/vc_column_text][vc_empty_space height=”12px”][/vc_column][vc_column width=”1/3″ offset=”vc_hidden-xs”][vc_single_image image=”18290″ alignment=”center”][/vc_column][/vc_row][vc_row css=”.vc_custom_1745901981465{background-color: #ff1949 !important;}”][vc_column offset=”vc_hidden-lg vc_hidden-md vc_hidden-sm” css=”.vc_custom_1746541763013{margin-right: 8% !important;margin-left: 3% !important;}”][vc_column_text css=”.vc_custom_1752051480284{margin-top: 8% !important;margin-bottom: 5% !important;padding-right: 20px !important;}”]

Consultation paper on draft Guidelines on the sound management of third-party risk

[/vc_column_text][/vc_column][/vc_row]