The European Banking Authority (EBA) has launched a public consultation on new draft guidelines to strengthen third-party risk management across the European Union (EU) financial sector.
The move updates the EBA’s 2019 outsourcing rules, expanding regulatory scrutiny beyond information and communication technology (ICT) services to a broader range of non-ICT third-party arrangements.
While the EU’s Digital Operational Resilience Act (DORA) set the bar for digital service oversight, the EBA’s proposed update fills a critical gap by applying similar standards to outsourced services such as administrative support, customer care, and regulated financial operations.
The consultation runs until Oct. 8, with a two-year implementation window following the finalization of the rules.
From server rooms to support desks: expanding risk control
The updated guidelines mark a pivotal shift in how third-party services get regulated across the financial sector. Whereas DORA focuses solely on digital and ICT-related risks, the EBA’s revised rules reflect financial operations’ growing complexity and interdependence by targeting non-tech services as critical to day-to-day functionality.
Under the new rules, financial institutions must manage the full life cycle of third-party arrangements, from due diligence and contracting to ongoing monitoring and structured exit strategies.
Firms must document detailed information in a centralized register for high-risk or critical functions. The EBA also recommends integrating these new records with existing DORA ICT registers to streamline compliance and reduce redundancy.
The guidelines avoid duplication by excluding ICT services already governed by DORA while promoting a more precise and comprehensive approach to third-party risk management.
New rules, new players: who’s now under the microscope?
In addition to the broader risk categories, the EBA is significantly expanding the range of organizations subject to these updated guidelines. Beyond traditional financial institutions such as banks and payment service providers, the rules now apply to:
- Certain investment firms
- MiCAR-authorized issuers of asset-referenced tokens
- Non-bank creditors regulated under the Mortgage Credit Directive
These newly in-scope organizations must implement robust internal controls and governance systems to manage outsourcing risks effectively. A key focus is leadership accountability. Senior management must actively oversee all material outsourced functions.
The EBA offers a two-year grace period for revising existing contracts and updating third-party registers. However, any new outsourcing agreements entered into after the rules take effect must comply immediately.
What’s next?
To gather industry feedback, the EBA will host a virtual public hearing on Sept. 5. Registration closes on September 1.
As outsourcing reshapes financial services, the EBA’s latest move ushers in stricter oversight, broader accountability, and stronger safeguards, extending well beyond IT functions. Aligned with DORA’s digital resilience goals, the new rules expand regulatory focus to cover the full range of third-party services across the EU financial sector.
Read more Unity Communications and industry news on our main BPO News page.
Naeem, R., & Treacy, S. (2025, July 9). EBA to extend its outsourcing guidelines to cover all third party risks outside DORA. Linklaters LLP. Retrieved July 16, 2025, from https://financialregulation.linklaters.com/post/102krzx/eba-to-extend-its-outsourcing-guidelines-to-cover-all-third-party-risks-outside-d
Briones, J. A. (2025, July 10). EBA expands outsourcing rules, tightens oversight for financial firms. Outsource Accelerator. Retrieved July 16, 2025, https://news.outsourceaccelerator.com/eba-expands-outsourcing-rules/
