EBA Tightens Third-Party Risk Rules in Sweeping New Framework
The European Banking Authority is preparing a sweeping overhaul of third-party risk management across EU financial services. Its draft guidelines extend well beyond traditional outsourcing rules, creating DORA-level standards for non-ICT providers and mandating strict contractual, governance, and audit requirements. If finalized, the rules will impose a major compliance burden on banks, investment firms, and other financial entities, reshaping how they manage suppliers and partners.
Nov 08, 2025
Tags: Operational and Non Financial Risk, Vendor and Third Party Risk, Regulation and Compliance, Industry News
  • EBA unveils draft rules expanding third-party risk oversight beyond ICT contracts
  • New framework introduces DORA-level governance for all service providers
  • Mandatory contractual clauses apply to every third-party agreement
  • Broader scope includes investment firms, token issuers, and mortgage lenders
  • Exclusions cover audits, utilities, and global financial messaging services
  • Firms must maintain electronic registers of all third-party relationships
  • Consultation runs until October 2025, with adoption expected by year-end
  • Two-year transition period for existing contracts

The European Banking Authority is preparing to introduce a new regulatory framework that will transform how banks and financial institutions across the EU manage third-party relationships.

The draft guidelines, published in July 2025, build on the Digital Operational Resilience Act (DORA) but apply to non-ICT service providers - a vast expansion from the EBA’s 2019 outsourcing guidelines. 

The changes mark a significant shift in how the regulator views operational resilience, extending oversight to a far wider range of suppliers and contractual relationships.

If implemented, the guidelines will require all financial entities to introduce standardized governance, documentation, and contractual clauses for third-party arrangements. 

Every contract - not just those deemed critical or important - will need to contain mandatory provisions covering service descriptions, data handling, audit rights, confidentiality, and termination conditions. 

For high-risk relationships, even more detailed requirements will apply, including subcontracting limits and insurance obligations.

The goal, according to the EBA, is to bring all non-ICT services up to DORA-level safeguards while maintaining consistency across the EU. 

Financial firms have become deeply dependent on third-party service providers for everything from accounting and treasury functions to lending, customer support, and administrative services. Regulators now see that dependency as a growing systemic risk.

The new framework will apply to a broader set of institutions than before. In addition to banks, credit institutions, and investment firms, the rules will cover electronic money and payment institutions, issuers of asset-referenced tokens under the EU’s crypto framework, and non-bank mortgage lenders. 

Many of these entities will have to apply the standards on a consolidated or group-wide basis.

Some activities, however, remain excluded. Statutory audits, global financial messaging services such as SWIFT, and correspondent banking are out of scope, along with utilities and low-risk professional services such as legal or architectural advice. 

ICT contracts continue to fall under DORA, but industry participants have warned that separating mixed ICT and non-ICT elements could prove difficult in practice.

One of the most notable changes is the requirement for firms to maintain an electronic, up-to-date register of all third-party arrangements. 

This register must distinguish between critical and non-critical functions and align with parallel records kept under DORA. The EBA suggests that a single, integrated register could be the most efficient approach.

While the new regime is expected to increase compliance costs, the EBA emphasizes that the principle of proportionality remains central. 

Financial institutions will be expected to scale their controls based on the size, risk profile, and complexity of their operations. However, even smaller firms will need to review hundreds of existing contracts to meet the new standards.

The guidelines are currently open for consultation until October 8, 2025. Once finalized - potentially by the end of 2025 - they will replace the 2019 outsourcing framework. 

New contracts must comply immediately, while existing arrangements will have a two-year transition period.

The UK, meanwhile, is taking a different path. Regulators at the Financial Conduct Authority and Prudential Regulation Authority have opted for broader principles covering both ICT and non-ICT services rather than distinct frameworks. 

Proposed UK rules would require firms to notify regulators of material third-party arrangements and significant operational incidents, but the scope appears narrower than the EBA’s approach.

For EU financial institutions, the operational challenge ahead is considerable. The new rules will compel firms to identify, assess, and re-paper a far greater number of contracts than before. 

Many smaller vendors unfamiliar with regulatory requirements may resist the new clauses, creating further complexity.

As the consultation unfolds, industry observers say firms should not wait. Cataloging third-party arrangements, identifying critical functions, and aligning documentation with DORA-style standards will be essential steps to prepare for the EBA’s next wave of operational resilience reform.
