Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?

We appreciate the opportunity to provide feedback on the European Banking Authority’s (EBA) draft Guidelines on the Sound Management of Third Party Risk. While we support the overarching goal of enhancing governance and operational resilience across the financial sector, we believe the current draft presents several challenges that may hinder its effectiveness. Our comments are structured around four key areas of concern, followed by proposed solutions and a constructive path forward.


1. Disproportionate Burden vs. Value

The Guidelines introduce extensive administrative requirements that may not proportionally enhance resilience. The limited scope of proportionality, which distinguishes only between critical/important and non-critical functions, fails to reflect the nuanced risk profiles of third-party arrangements.

For example, requiring unlimited audit rights and detailed contractual clauses for all contracts supporting critical functions, regardless of actual risk exposure, creates significant overhead. This could divert resources from more targeted resilience efforts and discourage accurate classification of functions, as entities may seek to avoid the associated compliance burden.

Suggested Improvement: Introduce a multi-tiered, risk-based framework that allows entities to calibrate governance and oversight based on actual risk exposure, service criticality, and concentration risk. This would ensure that administrative efforts are aligned with resilience outcomes.


2. Scope Expansion Beyond ICT

The Guidelines effectively extend DORA-style obligations to non-ICT services, despite the fact that systemic and concentration risks are predominantly associated with ICT providers. Extending the requirements to risks outside the scope of digital operational resilience (whose focus is AI, data, information security and technology) dilutes regulatory focus and may lead to over-administration without commensurate risk mitigation.

Unlike DORA, which includes EU-level oversight for critical ICT providers starting in 2026, the Guidelines do not propose a similar supervisory framework for non-ICT providers. This leaves financial entities to manage systemic risks either themselves or at the national level, without coordinated central oversight and support from the regulators to manage concentration risk arising from non-ICT contracts at the EU level. If central oversight for non-ICT service providers is not considered in the Guidelines because such suppliers are regarded as less critical, this prioritization from a regulatory perspective should also be reflected in the Guideline requirements for contractual arrangements and monitoring activities. Currently the Guidelines only widen the requirements arising from DORA to non-ICT services. At the same time, a coordinated oversight should only be put in place if it is feasible and delivers added value.

Suggested Improvement: Clarify the rationale for extending DORA-like requirements to non-ICT services and consider limiting the scope to arrangements that demonstrably pose systemic risk. Alternatively, introduce flexible and adequate supervisory mechanisms for non-ICT providers to ensure consistency and reduce fragmentation.


3. Implementation Hurdles

The technical implementation of the Guidelines presents several challenges:

  • Register incompatibility: The current ICT-focused Register of Information (ROI) does not support the data requirements for non-ICT services, making integration and aggregation impossible. It is also not clear from the Guideline requirements how the outsourcing registers are expected to be merged with the Register of Information.
  • Taxonomy inconsistencies: Allowing entities to create their own taxonomies for non-ICT service types undermines cross-industry comparability and supervisory analysis, and renders data aggregation less value-adding.
  • Contractual complexity: Mandating DORA-style clauses in all critical function contracts introduces additional administration for non-ICT service providers, and such costs are likely to be passed on to financial entities.

Suggested Improvement: Review the taxonomies used for the ROI so that they enable standardization and aggregation more efficiently, and provide clear guidance on how the ESAs will support updates to the ROI data model and labels so that non-ICT and outsourcing contracts can be accommodated in the register in a risk-based and proportionate manner.


4. Competitiveness Concerns

Uniform requirements across all financial entities, regardless of size or complexity, risk driving consolidation and reducing competition. Smaller firms may struggle to absorb the compliance costs, leading to market exits or reduced service diversity.

This is particularly concerning in a globally competitive environment, where over-administration may create a new cost base for EU financial entities without proportional benefit.

Suggested Improvement: Embed proportionality more deeply into the Guidelines, with specific carve-outs or simplified requirements for smaller firms. This would preserve market diversity and support innovation.


A Constructive Way Forward

To ensure the Guidelines achieve their intended objectives without unintended consequences, we propose the following:

  • Engagement: Continue dialogue with industry stakeholders to refine the Guidelines and ensure practical feasibility.
  • Pilot Testing: Consider a voluntary pilot phase to test register formats and to streamline and harmonize the templates and taxonomies before full implementation.
  • Supervisory Coordination: Align supervisory expectations across Member States to avoid fragmentation and ensure consistent enforcement.

We appreciate the EBA’s commitment to strengthening third-party risk management and look forward to contributing to the development of a balanced and effective regulatory framework.

Name of the organization

Nasdaq