EBA Expands Third-Party Risk Management: Closing the Gap Beyond DORA

Scope of Application

The guidelines will apply to:

• Credit institutions and investment firms (CRD/IFD)
• Payment and e-money institutions (PSD2/EMD)
• Issuers of asset-referenced tokens (MiCAR)
• Mortgage credit providers (MCD)

Together with DORA, this creates a dual regime:

• ICT third parties → supervised under DORA
• Non-ICT third parties → supervised under EBA Guidelines

Implementation Timeline

• 8 July 2025 – Consultation paper published
• 8 October 2025 – Consultation closes
• Late 2025 – Final guidelines expected
• Early 2026 (TBD) – Guidelines enter into force
• +2 years – Transitional period for legacy contracts and governance alignment

Key Changes and Alignment with DORA

• Third-Party Scope
  • Covers all arrangements (outsourcing, non-outsourcing, intragroup). ICT providers remain exclusively under DORA.
• Governance and Accountability
  • Boards and senior managers must actively oversee third-party risk, with emphasis on critical or important functions (CIFs). Mirrors DORA’s governance model.
• Proportionality, Risk Assessment and Due Diligence
  • Third parties must be classified by criticality and importance, with proportionate oversight applied based on size, complexity, and risk profile, leveraging DORA’s approach. In addition, the EBA guidelines align with DORA’s broad risk lens, extending risk assessments to areas such as ESG and AML/CFT, and introducing enhanced scrutiny for non-EU providers.
• Third Party Inventory and Exit Planning
  • Expands registers to capture all third-party relationships with granular data points, mirroring DORA’s register of information. All CIF third parties must have tested exit strategies and BCPs in place to address concentration risk, in line with DORA’s exit management rules.
• Contractual Safeguards and Monitoring of Third Parties
  • Contracts must include clear provisions on audit rights, subcontracting limits, termination clauses, and exit strategies. All legacy contracts must be updated within two years to meet these requirements, in line with DORA standards for ICT contracts. Ongoing oversight requires KPIs, independent reviews, self-certifications, and continuity testing, with internal audit mandated to review third-party arrangements. These measures are consistent with DORA’s monitoring regime.
• Supervisory Oversight
  • National competent authorities will integrate TPRM into SREP and on-site reviews. Unlike DORA, however, the EBA guidelines does not enable supervisors to have direct oversight powers over third parties.

Practical Implications for Organisations

• Broader TPRM Coverage: Companies can no longer treat non-ICT services as “outside the spotlight.” Facilities management, data vendors, intragroup arrangements, and other non-ICT services must now meet formal risk management standards.
• Legacy Contracts: Updating existing contracts and governance structures will require significant planning and resources.
• Integrated Risk Management: Firms with fragmented vendor oversight may need to centralise registers, risk classification, and reporting to comply efficiently.

Market-Wide Perspective

The guidelines signal convergence between ICT and non-ICT TPRM. Financial institutions are encouraged to adopt consistent frameworks across all third-party types, raising the bar for vendor management practices and supervisory scrutiny.

Next Steps

• Conduct a gap analysis against the new EBA TPRM guidelines requirements.
• Develop and implement a two-year roadmap to address gaps in third-party registers, contracting, policies and procedures, etc while ensuring proportionate oversight.
• Engage boards and senior management in overseeing both DORA and EBA-aligned TPRM frameworks.
• Contact us for an expert support on your compliance journey.