A&O Shearman | FinReg | EBA consults on draft guidelines for third-party risk management for non-ICT related services
Financial Regulatory Developments Focus
  • EBA consults on draft guidelines for third-party risk management for non-ICT related services

    8 July 2025
    The European Banking Authority (EBA) has published a consultation paper on its draft guidelines for managing third-party risk with regard to non-ICT related services. The guidelines will revise and update the EBA's 2019 outsourcing guidelines in line with the Digital Operational Resilience Act (DORA). The guidelines reaffirm that financial entities' management bodies remain fully accountable for all activities, including those outsourced to third-party service providers (TPSPs), particularly when critical or important functions are involved. The guidelines specify steps to be taken for the lifecycle of third-party arrangements, covering risk assessment, due diligence and termination processes, and stress the need for adequate resources to manage associated risks. To promote consistency with DORA, the draft guidelines allow financial institutions to maintain a single unified register for both ICT and non-ICT services, reducing administrative burden by limiting the level of information to be documented. A transitional period of two years is provided for financial entities under the scope of the updated guidelines, to review and amend existing third-party arrangements and update their non-ICT registers accordingly. The deadline for comments on the consultation is 8 October and a virtual public hearing is scheduled for 5 September.
