Financial entities are increasingly partnering with third-party service providers to access specialized expertise, reduce costs, and to improve scalability and efficiency. Whilst this enables focus on core business activities, this growing reliance introduces significant risks to financial entities, their customers, and potentially the wider financial system.
In response, the European Banking Authority (EBA) opened a consultation on 8 July 2025 on the Draft Guidelines on the Sound Management of Third-Party Risk (the Guidelines), which closed on 8 October 2025. The Guidelines are designed to replace the 2019 EBA Outsourcing Guidelines and provide a single EU framework for non-Information and Communication Technology (non-ICT) third-party risk management, to be implemented on a ‘comply or explain’ basis within two years.1
The Guidelines aim to promote consistent, efficient, and effective supervisory practices, while ensuring uniform application of EU law across the financial sector and complementing existing EU frameworks, including the Capital Requirements Directive (CRD) and the Bank Recovery and Resolution Directive (BRRD). Most importantly, these Guidelines are designed to align with the Digital Operational Resilience Act (DORA), which focuses on ICT third-party risk, harmonizing terminology and practices for firms to manage third-party risk beyond ICT. They also reflect international standards from the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision (BCBS), ensuring global consistency.
The Guidelines broaden the scope of the 2019 EBA Outsourcing Guidelines, extending beyond credit institutions and investment firms to include Payment and Electronic Money Institutions, Issuers of Asset-Referenced Tokens, and Mortgage Creditors. However, they exclude credit intermediaries and Account Information Service Providers registered only under PSD2 (Annex I, Service 8).
The EBA Guidelines have been designed to sit alongside DORA, which focuses on ICT third-party risk, aligning terminology and practices for firms to manage third-party risk beyond ICT.
Implications for firms
The Guidelines materially extend the scope of third-party oversight, requiring firms to expand existing registers of information to capture all third-party arrangements, including non-ICT services that may not previously have fallen within regulatory scrutiny. These enhanced registers should be consistent with the registers of information under DORA and must provide a clear, documented inventory of all non-ICT third-party arrangements including a description of the service, criticality, risk exposure, and sub-contractor dependencies.
The assessment of proportionality operates alongside the identification of Critical or Important Functions (CIFs), ensuring that the intensity of oversight reflects not only the importance of the service but also its complexity, substitutability, and potential market impact.
Firms will need to strengthen due diligence and onboarding processes with a broader range of risk assessments, incorporating not only operational, legal and continuity factors but also additional risks including credit, market, ESG, and AML/CFT risks. Contractual arrangements with non-ICT third parties will require review and uplift to ensure appropriate clauses are in place to mitigate risk, differentiating arrangements that support CIFs and those that do not.
The Guidelines place specific emphasis on assessing and monitoring concentration risk, including reliance on a single provider or sub-contractor that is not easily substitutable, and multiple third-party arrangements with the same or closely connected providers or sub-contractors. Firms are expected to test exit and transition scenarios for material providers and ensure that contingency measures are credible and actionable.
Collectively, these expectations mark a shift toward a more holistic, principles-based, and risk-sensitive approach, embedding comprehensive third-party oversight within governance and resilience frameworks.
To meet the expectations set out in the Guidelines, firms will need to adopt a structured and harmonized approach to third-party risk, aligning across ICT and non-ICT domains.
Beyond regulatory compliance, the proposed framework delivers strategic advantages for firms. It formalizes governance and risk management practices across outsourcing and third-party relationships, enabling firms to achieve greater control and transparency over critical functions, supporting a deeper understanding of the risks inherent in these arrangements. Enhanced contingency and scenario planning frameworks offer a clearer view of potential actions during operational disruptions, enabling more effective response and recovery. Together, the Guidelines foster a more resilient and transparent operating model, empowering firms to navigate third-party dependencies with increased assurance and agility.
How Capco can help
To meet the expectations set out in the Guidelines within the two-year transition window, firms will need to adopt a structured and harmonized approach to third-party risk. A key first step is to undertake a maturity assessment of the existing Third-Party Risk framework and operating model against the Guidelines and industry best practice, identifying gaps and areas where governance and documentation can be aligned across ICT and non-ICT domains.
Capco supports firms in performing these reviews, ensuring consistent assessment and classification of third-party arrangements and transparent application of materiality.
Remediation of existing non-ICT contracts will be essential to close gaps, ensuring contractual clauses are enhanced for compliance. Capco assists by supporting contract remediation to manage contract risk and by uplifting capabilities to strengthen oversight of sub-contracting, concentration risk, and exit strategies. Alongside this, Capco can help to enhance the effectiveness of control environments, integrating proportionality into onboarding, risk assessments, due diligence, and ongoing monitoring.
Leveraging technology and AI-enabled solutions, Capco can help clients mature and automate their Third-Party Risk frameworks and workflows, enhancing efficiency, effectiveness, and auditability. Through these improvements, firms can achieve not only compliance readiness but also a forward-looking, resilient approach to third-party governance and control.