EBA consults on draft guidelines on third-party risk management with regard to non-ICT related services
July 11, 2025
On 8 July 2025, the European Banking Authority (EBA) issued a consultation paper on the draft guidelines on the sound management of third-party risk.
The draft guidelines revise and update the previous EBA guidelines on outsourcing, published in 2019, in line with the Digital Operational Resilience Act (DORA). This includes:
- Providing specific criteria for the application of the proportionality principle, ensuring consistency with DORA.
- Allowing financial institutions to store consistent information for both ICT and non-ICT services, including the possibility of using one single register. The level of information to be documented has been limited to reduce the burden on both financial entities and Member State competent authorities.
- Giving financial entities that fall under the scope of the draft updated guidelines a transitional period of two years to review and amend their third-party arrangements (TPA) and to update the register for non-ICT TPA.
Next steps
The deadline for the submission of comments is 8 October 2025.
The EBA will hold a virtual public hearing on 5 September 2025 from 09:00 to 13:00 (CET). The deadline for registering is 1 September 2025.