The European Banking Authority has opened a public consultation on draft Guidelines on the sound management of third-party risk, covering third-party arrangements for non-ICT services provided by service providers and their subcontractors, with particular focus on the provision of critical or important functions. The draft updates and replaces the EBA’s 2019 outsourcing Guidelines, aiming to align expectations with the Digital Operational Resilience Act framework.

The draft sets out required steps across the full life cycle of third-party arrangements, including risk assessment, due diligence, contracting, sub-contracting, ongoing monitoring, exit strategies and termination processes, and includes criteria for applying proportionality. It also seeks consistency with the DORA register by enabling consistent information to be stored for both ICT and non-ICT services, including through a single register, while limiting documentation requirements (subject to proportionality) to reduce burden on financial entities and competent authorities. Entities in scope would have a two-year transitional period to review and amend existing third-party arrangements and update the register for non-ICT arrangements.

The consultation runs until 8 October 2025. A virtual public hearing is scheduled for 5 September (09:00–13:00 Paris time), with registration open until 1 September (16:00 CEST), and contributions will be published after the consultation closes unless respondents request otherwise.