10/07/2025

On 8 July 2025, the European Banking Authority (“EBA”) began the process to repeal its existing Guidelines on outsourcing arrangements by publishing a consultation paper on ‘the sound management of third-party risk’. This consultation marks the beginning of the regulatory journey to align existing guidance on third-party risk frameworks and the governance of non-Information and Communication Technology (“ICT”) related third-party service providers (“TPSPs”) with the recent requirements introduced by the Digital Operational Resilience Act (“DORA”) in relation to ICT risk management frameworks.

“In particular, the conditions for the management of third-party risk and the use of TPSPs for the provision of non-ICT related functions to financial entities are not harmonised to the same extent as for financial entities subject to DORA with regard to ICT services. A close alignment for the management of third-party risk between both frameworks should be made to ensure a level playing field and foster supervisory convergence.”

EBA (2025)

What this means for Irish Regulated Firms

The existing EBA Guidelines on outsourcing arrangements (the “EBA Guidelines”) apply exclusively to credit institutions and investment firms subject to the EU Capital Requirements Directive, payment institutions and electronic money institutions. Under the draft guidelines included in the consultation paper (the “Draft Guidelines”), the scope of the application would be extended to include:

  • Investment firms that do not meet all the conditions to qualify as small and non-interconnected under Article 12(1) of Regulation (EU) 2019/2033;
  • Issuers of Asset-Referenced Tokens subject to the Markets in Crypto-Assets Regulation; and
  • ‘Creditors’ as defined in point (2) of Article 4 of the Mortgage Credit Directive (2014/17/EU) which are financial institutions.

While the Draft Guidelines, therefore, are only expected to apply to a sub-set of Irish regulated financial entities, it is worth noting that the Central Bank of Ireland (the “Central Bank”) confirmed in its own Cross Industry Guidance on Outsourcing (the “CBI Guidance”), ‘that the requirements set out [within the EBA Guidelines] align with and underpin the Central Bank’s own supervisory expectations in relation to the governance and management of outsourcing risk’ and in turn designed the CBI Guidance to be ‘in keeping with the requirements set out in the EBA Guidelines’.

As such, we expect that any changes implemented on the back of the current EBA consultation process will be considered by the Central Bank as they look to conduct a similar review of the CBI Guidance which would apply to all regulated financial entities.

Key Changes Proposed

In order to align EBA guidance to DORA, the key changes which are proposed within the Draft Guidelines are as follows:

Classification of Arrangements

The Draft Guidelines would apply to any form of ‘third-party arrangement’ being those between ‘a financial entity and a third-party service provider, including intragroup third-party service providers, for the provision of one or more functions to the financial entity’. Under this definition, existing outsourcing arrangements would be recognised as a subset of third-party arrangements, indicating that the total number of arrangements in scope of the third-party management framework could be much larger than those recognised currently. ICT services subject to DORA are specifically excluded from the application of the Draft Guidelines.

It should be noted that the types of arrangements which are proposed to be excluded differ from those under the EBA Guidelines. Whereas previously arrangements which related to ‘the acquisition of services that would otherwise not be undertaken by the institution or payment institution’ were specifically descoped, the Draft Guidelines instead look to descope arrangements ‘that do not have material impact on the financial entities’ risks exposures or on their operational resilience’.

Focus on Critical or Important Functions

In practice, when applying the requirements of the EBA Guidelines, firms have typically sought to assess criticality or importance at an arrangement-level. Simply put, if a defect or failure in the performance of the outsourced arrangement could impact the firm’s regulatory compliance, financial performance or business continuity, such an arrangement would be considered critical or important.

In contrast, DORA makes it clear that firms are expected to primarily focus on those third-party risks arising from ‘ICT third-party service providers that provide services that support critical or important functions’.

While the EBA Guidelines make reference to the ‘outsourcing of critical or important functions’ throughout, we are more likely to see a stronger shift in focus from the criticality of the ‘arrangement’ to the criticality of the ‘function’ as firms determine the most appropriate and proportionate means of managing third-party risks within their organisation.

Maintenance of Registers

In addition to the ongoing requirement to maintain an outsourcing register under the EBA Guidelines, as part of their DORA compliance programme firms are required to maintain a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

As part of the Draft Guidelines, the EBA is proposing to amend the format of the outsourcing register to align with the Register of Information, thus allowing firms to store consistent information for both ICT and non-ICT services, possibly within one single register.

Next Steps

The consultation is now open and interested parties are requested to submit their comments ahead of the submission deadline of 8 October 2025.

To ensure a smooth and efficient transition, once finalised, entities in scope of the revised guidelines will be granted a transitional period of two years to review and amend their existing third-party arrangements and to update their outsourcing registers to align with the DORA Register of Information.

Arthur Cox will continue to monitor developments closely, particularly the Central Bank’s response to the EBA’s final guidance and the impact on Irish regulated firms.