Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
ALFI (the Association of the Luxembourg Fund Industry) thanks the European Banking Authority (EBA), in consultation with the European Securities and Markets Authority (ESMA), for the opportunity to participate in this consultation on the proposed Guidelines on the sound management of third-party risk.
Our members appreciate the opportunity to share the views of market practitioners in Luxembourg with regard to the outsourcing of non-ICT operational functions to third-party service providers (TPSPs).
In order to provide evidence of the industry's considerations on the various topics covered by these Guidelines, our answers focus on the priorities stemming from industry-related considerations and impact assessment.
With regard to Q1, we would like to raise the following concerns:
- Scope:
ALFI analysed the proposed scope considering the viewpoints of our members, which include asset managers, investment fund managers and management companies. With regards to the scope, and, in particular, point c.) thereof (investment firms as defined in point (1) of Article 4(1) of Directive (EU) 2014/65 (MiFID II)), we would appreciate some clarity with regards to investment firms:
While we understand that Investment fund managers (IFMs) are not in scope, certain investment firms may nonetheless be in scope.
In addition, with regard to point a.) (institutions as defined in point (3) of Article 4(1) of Regulation (EU) No 575/2013 (CRR)), we consider there is some uncertainty, as some IFMs would be in scope under this limb through the consolidation mechanism. This point is of particular relevance for management companies established as subsidiaries of financial entities, which could be captured under point a) of the scope.
In this regard, we agree with the point raised by the BVI representative during the Public Hearing on 5 September 2025, highlighting the substantial implementation cost that Class 2 Investment Firms would bear if included in the scope, while such investment firms are neither of systemic relevance nor part of the banking sector per se.
We would appreciate a clearer definition and criteria to allow individual IFMs to confirm, without any remaining ambiguity, their exclusion from the scope under both point c.) and point a.). In particular, we would strongly recommend clarifying the scope definition, so as to avoid diverging interpretations across EU member states and subsequent regulatory arbitrage. In our view, IFMs are already subject to robust regulatory frameworks, including the UCITS and AIFMD directives, as well as sector-specific rules, which clearly set out requirements for managing outsourcing-related risks (e.g., due diligence and oversight). These existing measures provide a comprehensive approach to operational resilience without the need for additional layers of regulation. Introducing further rules at this stage would duplicate existing obligations, divert resources from ongoing digital resilience improvements, and risk undermining the efficiency of IFMs as they prepare for the upcoming AIFMD implementation. The focus should remain on enabling IFMs to strengthen their digital operational resilience within the well-established frameworks already in place.
Moreover, we would like to raise concerns about the significant evolution in the scope of the present Guidelines as compared to the 2019 GL: the 2019 version was limited to outsourcing arrangements, while the scope of the current proposed Guidelines includes all subcontracting arrangements, enlarging this scope and including internal delegated activities. We would not see merit in this extended scope. Indeed, AIFMD II already includes significant requirements with regard to the oversight of delegated investment management functions. Particular care should be taken to avoid diverging requirements for the same service arrangements across distinct pieces of regulation, and to avoid exposing the industry to further repapering.
Finally, we would suggest that the Guidelines clearly address the specific case of regulated financial entities acting as delegates, and explicitly state whether delegation of functions (or part thereof) to regulated financial entities benefits from an exemption, in particular where such delegation is already covered by the requirements of sectoral regulations (such as UCITS V and AIFMD II for IFMs). As the present draft Guidelines do not appear to include such an exemption, clarification in this regard would be needed.
- Definitions:
The definition of a third-party service provider as an “undertaking providing or supporting a function” would result in a very large scope of TPSPs, covering not only delegated tasks but also the provision of various services and consulting activities.
In light of this, it would be important to define, clearly and without remaining ambiguity, how the principle of proportionality would allow firms to distinguish which service providers are included in the scope and which are not. If such clarification is not achieved, we fear that this may lead to divergent interpretations, in particular in local supervisory practices. In any case, we consider it important to grant in-scope firms the possibility to perform their own assessment as to whether a specific service provider is in scope of these Guidelines or not. This is relevant both for the exclusions in points 30 and 32 and for Annex I. The Guidelines should explicitly recognise and provide for the principle of proportionality, enabling local supervisory authorities and entities to adapt requirements based on size, systemic relevance and risk exposure, thereby avoiding a stringent one-size-fits-all approach.
With regard to third-party arrangements, we would like to highlight the lessons learnt by the industry in the DORA implementation: as financial market participants experienced repeated challenges in renegotiating individual contractual arrangements with their numerous ICT TPPs, it would be useful, in implementing these Guidelines, to provide a minimum set of contractual clauses subject to regulatory enforcement (provided this set of minimum clauses is consistent with the corresponding elements in the DORA RTS). This would allow for easier review and implementation of the contractual conditions by financial institutions.
Moreover, we would like to emphasise the need for close alignment in areas where the present Guidelines overlap with DORA requirements. In this regard, we would like to draw attention to the case where a specific service provider, due to the range of services it offers, would fall both under the present Guidelines for the non-ICT services it provides and under other pieces of regulation such as DORA or CRD. In such instances, close alignment of regulatory requirements is needed, with particular focus on contractual conditions.
With regard to the transitional period: while the implementation requirements and details of the transition period would need a clear definition, we are of the view that flexibility should be granted for contract renewals, allowing integration of Guideline-related changes during planned contractual reviews, to improve cost efficiency and operational practicality for financial entities.
Function: We would suggest an alignment of this definition in the Guidelines with DORA, considering that in DORA, a function would be composed of a series of processes.
Critical and important functions: We would suggest that any misalignment between the Guidelines and DORA be addressed, to allow for a uniform implementation of similar requirements across the board. In particular, the test for the identification of critical and important functions (CIFs) should be the same under the Guidelines and DORA. In addition, based on lessons learnt from pain points in the DORA implementation, we would encourage the Guidelines to stipulate clearly that, where the assessment of whether a service provider supports a CIF is performed by the FE, the TPSP needs to comply with the assessment made by the FE.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
From a general standpoint, ALFI supports the initiative of the ESAs to streamline the risk management requirements applied to ICT and non-ICT third-party service providers. We agree there is merit in aligning the processes, governance and risk management across the board. Nonetheless, we would like to highlight the fact that, while DORA was aimed at bridging the supervisory gap for ICT third-party service providers, which consist mainly of non-supervised entities, non-ICT third-party service providers largely consist of supervised entities already subject to prudential supervision. Hence, the risks presented by ICT and non-ICT TPSPs with regard to risk management and resilience differ, and this distinction should be considered when imposing additional requirements on financial market participants through the present Guidelines.
Based on these preliminary considerations, ALFI would like to suggest the following edits:
The introduction to the proposed Guidelines states that these Guidelines “provide criteria for the identification of critical or important functions that have a material impact on the financial entity’s risk profile”. We would suggest that “risk appetite” of the financial entity would be a more appropriate term than “risk profile”. In addition, in the context of investment firms, the Guidelines should clarify whether only the risk appetite of the investment firm should be considered, or whether the risk appetite of the individual managed investment vehicles and investment funds should also be taken into account.
As detailed in our response to Q1, the definition of CIFs should be aligned with that of DORA. In this regard, we would like to highlight that the following criteria are not included in the definition of a CIF in DORA:
“Assessment of the impact of disruption:
i. short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;
ii. business continuity and operational resilience;
iii. operational risk and legal risks;
iv. reputational risks;
v. all other relevant risks, including credit risk, market risk, ESG risk and AML/CFT risk;
vi. where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation.”
Therefore, under the present wording, there might be instances where in-scope firms would end up with a different CIF assessment for their ICT TPSPs and their non-ICT TPSPs. This would create discrepancies and challenges in the implementation. In our view, it would be advisable to avoid a situation whereby two distinct definitions of critical and important functions would exist.
We would instead suggest alignment with DORA, Regulation (EU) 2022/2554 definition in Recital (70): “The definition of ‘critical or important function’ provided for in this Regulation encompasses the ‘critical functions’ as defined in Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council (20). Accordingly, functions deemed to be critical pursuant to Directive 2014/59/EU are included in the definition of critical functions within the meaning of this Regulation”.
Moreover, the definition of “internal control” would benefit from further clarification in the Guidelines. A comprehensive and streamlined definition of the notion of “internal controls”, used across the board in all regulations applied to financial market participants, would remove the present ambiguity. In this respect, we would also see merit in clarifying whether, where an internal control function is performed by a TPSP, it would automatically qualify as a CIF.
We would suggest modifying point 32 as follows: “As a general principle and subject to the assessment of each financial entity, [...]”. This would allow each entity the flexibility to consider its specific operational framework and organisation, thereby capturing the diversity of the industry. We would recommend similar phrasing in point 30 and the Annex.
Finally, with regard to the list presented in point 32 of this section of the proposed Guidelines, we would recommend including the following in the list of exemptions:
- Regulated financial entities acting as delegates, given that such financial entities are covered by the risk management requirements of sectoral regulations (such as UCITS V and AIFMD II). This point was already mentioned in our response to Q1 above, in point 1.
- Financial data providers, following the same rationale that led to excluding them from the scope of DORA.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
We would like to highlight a few areas that would benefit from clarification and alignment:
With regards to contractual arrangements, and considering the industry market practices, we would see merit in clarifying the term “contractual arrangements” to allow entities, if needed and appropriate, to also include the Service Level Agreement documents (as some provisions may be specified in the SLA), in complement to the actual contract. This would allow for capturing the diversity of operational frameworks in the industry.
Moreover, we noticed that various required fields for third-party arrangements in the proposed Register of Information differ from those in the DORA register. The proposed Register in the present Guidelines would contain fewer fields, and some discrepancies with the existing required fields (while others are aligned with the DORA Register). We are of the view that having different fields would create unnecessary challenges, in particular as entities would likely seek to maintain a single register for all third-party arrangements, covering both ICT TPSPs and non-ICT TPSPs. In this regard, we would strongly encourage the ESAs to pursue the implementation of a single common register for both ICT and non-ICT TPPs.
We would also appreciate it if the present EBA Guidelines included a template register, aligned with the DORA Register of Information (ROI), so as to avoid any misinterpretation.
While banks, based on previous versions of the level 2 regulatory requirements, already maintain a register of information in the present context, currently different from the DORA ROI, we are of the view that the present Guidelines offer the opportunity to align the requirements of both registers, in order to foster convergence and to reduce implementation cost. This would be a critical element of regulatory simplification and convergence going forward.
With regard to point 118 concerning the exit strategy, we would advise using the same wording as in DORA, which foresees the case where no alternative provider is available in the market.
Finally, we would appreciate some clarification on the present Guidelines’ provision to maintain all terminated contracts in the ROI for a duration of 5 years. This point had been removed from the DORA RTS and we are in favour of removing it from these Guidelines as well, to align the requirements for non-DORA third parties (www.eba.europa.eu/sites/default/files/2025-03/31bb6e60-7d10-4405-a8c5-9f04934630ac/20250328%20-%20DORA%20RoI%20reporting%20FAQ%20%28updated%29.pdf, questions 52 & 53).
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
We would like to suggest the following improvements to the overall consistency of the different pieces of Regulation:
With regard to the pre-contractual assessment, we would strongly suggest removing any discrepancy between the pre-contractual requirements in the present Guidelines and the corresponding pre-contractual assessment under DORA. Convergence of onboarding processes and corresponding assessment requirements for TPSPs, as applied to both ICT and non-ICT TPSPs, is key. Any additional requirements beyond what is already required under DORA should be removed, as they would cause unnecessary burden and additional costs, ultimately borne by investors.
Overall, considering the current EU initiatives with regards to simplification of regulatory requirements, and the ongoing initiative for the simplification of DORA in particular, we would emphasize that any simplification in DORA should also be carried forward into these Guidelines.
In particular, we are of the view that third-party service providers supporting functions that are not critical or important should be completely removed from the scope of the Register of TPSPs reported to the NCA and subsequently to the ESAs, both in the context of these Guidelines and of DORA. Specifically, we would advise that, while financial entities would still be required to maintain the full register of information on third-party service providers internally, they would restrict the reporting to the NCA and the ESAs to those TPSPs supporting CIFs only.
Moreover, as mentioned in our response to Q1 above, with regard to contractual conditions between financial entities and third-party providers, we would see merit in the Guidelines providing a set of minimum standard clauses applicable to service providers (and specifically to TPSPs supporting critical and important functions), so that such clauses would set a common ground for (re-)negotiations of contractual conditions with service providers and clarify the respective responsibilities and duties. Such a minimum set of contractual conditions should be set alongside the DORA Level 2 regulatory elements, to ensure convergence and consistency across the board.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
As a general principle, and as stated in our response to Q4 above, we are of the view that focus should be put on the third-party service providers supporting critical and important functions, while ancillary support providers and consultants should be kept outside the scope.
We are concerned that the heterogeneity of the list included in Annex I, and in particular the heterogeneity in the level of criticality of the various services listed, combined with the uniform treatment of those services irrespective of the criticality and relevance of the service provided, would be inconsistent with the risk-based approach and proportionality principle, which we consider core elements of the present Guidelines.
We would suggest amendments to the Annex, to distinguish the core functions delegated in the operational models of financial entities on the one hand, and the ancillary support or consulting activities on the other hand.
About ALFI
The Association of the Luxembourg Fund Industry (ALFI) represents the face and voice of the Luxembourg asset management and investment fund community. The Association is committed to the development of the Luxembourg fund industry by striving to create new business opportunities, and through the exchange of information and knowledge.
Created in 1988, the Association today represents over 1,500 Luxembourg-domiciled investment funds, asset management companies and a wide range of businesses that serve the sector. These include depositary banks, fund administrators, transfer agents, distributors, legal firms, consultants, tax advisory firms, auditors and accountants, and specialised IT and communication companies. Luxembourg is the largest fund domicile in Europe and a worldwide leader in the cross-border distribution of funds. Luxembourg-domiciled investment funds are distributed in more than 70 countries around the world.