Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear? 

NOTE: all suggested text revisions are CAPITALIZED to facilitate reading. 

The subject matter, scope of application, and definitions could benefit from a clarification on the applicability of the Guidelines to non-ICT third-party arrangements and outsourcing only. 

As ICT services are already in scope of DORA, it makes sense that these are not in scope of the Guidelines, as stated in paragraph 7 (Subject matter). However, aside from paragraph 7 (and to some extent paragraph 50(a)), this scope consideration is not mentioned. The Guidelines would benefit from additional clarification, which could be included in the definitions or in the Guidelines themselves. In practice, financial entities and relevant third parties, including ICT third-party service providers and non-ICT service providers, often use the definitions set out in these Guidelines to negotiate relevant contractual terms.

To address the issue, AWS proposes to amend the definition of "third-party arrangement" in the Guidelines to clarify that the provision of ICT services as defined in Article 3(21) of DORA is not in scope of these Guidelines. This would help financial entities (and their third parties) properly reflect the scope of the Guidelines in their arrangements and contracts, by ensuring alignment between the negotiating parties. The definition could be revised as follows:

"Third-party arrangement" means an arrangement of any form between a financial entity and a third-party service provider, including intragroup third-party service providers, for the provision of one or more functions to the financial entity, EXCEPT FOR THE PROVISION OF ICT SERVICES AS DEFINED UNDER ARTICLE 3(21) OF REGULATION EU 2022/2554. This includes outsourcing arrangements as a subset.

Further clarification could be added by the title of the Guidelines referring to "EBA Guidelines on the sound management of third-party risk FOR NON-ICT RELATED SERVICES".

There are different ways to achieve this, but an additional specification that ICT services are out of scope could help financial entities and their third parties understand how the different requirements for third-party risk fit together.

Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?

NA

Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?

NA

Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?

NA

Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?

NA


Name of the organization

Amazon Web Services EMEA SARL