New EBA Guidelines: What Every Financial Institution Should Know About Working with Third-Party Providers
DORA Isn’t the End – More Changes Are Coming
In 2025, the financial sector in Europe will face another wave of regulatory updates. The European Banking Authority (EBA) has published a draft of new guidelines that will change how financial institutions manage risks associated with third-party service providers.
Why is this important? Because the updated guidelines expand the current outsourcing rules and align them with the operational resilience standards introduced by the Digital Operational Resilience Act (DORA).
Who Will Be Affected by the Guidelines?
The draft guidelines apply to a broader range of institutions, including:
- investment firms that do not meet the conditions to qualify as small and non-interconnected (under Regulation 2019/2033),
- issuers of asset-referenced tokens – under the Markets in Crypto-Assets Regulation (MiCA),
- payment and electronic money institutions,
- mortgage lenders, as defined by Directive 2014/17/EU.

In practice, although the guidelines formally target specific categories of entities, their impact will be wider, since the contractual and oversight requirements also reach the service providers those entities work with.
What’s Changing? Three Key Areas
1. A Broader Definition of Third-Party Collaboration
The new guidelines go beyond traditional outsourcing and cover any form of cooperation with external service providers that support a financial institution’s operations – including intra-group arrangements.
ICT services are out of scope, since DORA already regulates them. For all other services, the key criterion is the material impact of the service on the institution’s operational functioning or risk profile. It will no longer be sufficient to argue that the outsourced activity is not part of the institution’s “core business.”
2. A New Approach to Risk Assessment
Previously, institutions assessed outsourcing risk mainly at the contract level. The new guidelines shift the focus to the underlying function performed by the service provider – regardless of the legal form of the arrangement.
This means institutions will now be expected to identify critical or important functions and apply appropriate oversight – whether the service is delivered through formal outsourcing or other third-party arrangements.
3. One Unified Register for All Agreements
The guidelines propose aligning the outsourcing register format with the one required under DORA for ICT services. This would allow institutions to maintain a single, consistent register for both ICT and non-ICT third-party relationships.
Such an approach improves transparency, supports internal oversight, and meets supervisory expectations for comprehensive operational risk management.
Harmonising Supervision Across the EU
The EBA highlights that the lack of uniform rules for non-ICT third-party services leads to inconsistencies in supervision across Member States. The new guidelines aim to harmonise supervisory practices and improve risk management across the EU financial sector.
What Should Financial Institutions Do?
The consultation is open until 8 October 2025. Once the final guidelines are published, a 24-month transition period is proposed, during which institutions will be required to:
- review and update existing contracts with service providers,
- adjust the format of their third-party service registers,
- revise internal policies and procedures regarding the classification of critical or important functions and services.
What Are the Risks of Non-Compliance?
Failure to comply with the new requirements may result in:
- supervisory sanctions,
- revocation of the institution’s licence,
- personal liability for board members.
Our Recommendation
We strongly recommend starting a review of existing practices now – especially around the classification of critical functions and the documentation of third-party relationships.
If you need support in analysing outsourcing risks or aligning your internal procedures with the upcoming regulations, our team is ready to help.
