Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear? 

1) Scope of application 

Compared to the 2019 EBA Guidelines on Outsourcing, the current draft Guidelines (from now on “GLs”) expand the scope of application from “outsourcing” to all “third-party arrangements”. This scope expansion from classic outsourcing to an extended population of third-party services will place a heavy burden on financial institutions, as this additional portfolio will, in terms of volume, be significantly larger than the current outsourcing arrangements; institutions will now have to track a far broader universe of contracts – many of them for services with little or no material risk – meaning that a significant additional workload will arise. Whilst we understand the regulatory objective and need for expanded supervisory oversight, the scope expansion will result in additional effort that financial institutions in other jurisdictions do not face. 

With the extension of scope envisaged in the GLs, it is essential to ensure that expectations remain proportionate and risk-based – particularly given the volume and diversity of arrangements in scope – to ensure that requirements remain operationally feasible. In this regard, we see opportunities to strengthen proportionality further in areas such as contractual requirements and the register, which, as currently drafted, would impose disproportionate administrative burdens on financial entities. We also recommend strengthening the risk-based approach: this will acknowledge regulatory preferences for comprehensive scope coverage whilst ensuring that low-risk, non-critical arrangements face calibrated requirements that reflect their limited impact on operational resilience. For example, the full set of requirements for a third-party provider or a subcontractor supporting a critical or important function should not apply where the provider’s failure would have no or only minimal impact on the function. 

The regulatory focus should thus be on those service providers who play a material role in the delivery of the service supporting a CIF, rather than assuming all providers linked to a CIF are critical irrespective of their impact on continuity. In this regard, we would welcome clarification from the EBA as to whether the reference to “services that do not have material impact on the financial entities’ risks exposures or on their operational resilience” under Paragraph 32(f) could be used as a criterion for determining which third-party arrangements are in scope of the Guidelines. 

2) Alignment with DORA 

We broadly support the intended objective of harmonising third-party risk management (TPRM) across the Union and aligning the GLs with DORA, levelling the playing field and harmonizing TPRM expectations across ICT and non-ICT arrangements in the EU. This, however, appears to have been implemented only partially. Indeed, the GLs adopt a hybrid approach, splicing together DORA-inspired rules and retaining elements of the 2019 EBA Guidelines on Outsourcing. This layered framework risks introducing expectations that go beyond DORA's requirements, divergent methodologies and unnecessary complexity, undermining the benefits of simplification and convergence. The layered approach blurs the boundary between the two frameworks, raises the threat of gold-plating and could undo many of the efficiency gains that a single, convergent regime should deliver. This confusion is particularly acute when institutions try to map critical or important functions (CIFs) onto the old and new tests in parallel, which could complicate institutions’ efforts to streamline their CIF assessments and maintain consistency with DORA. 

This hybrid approach is reflected in several sections of the GLs, in particular as regards the “critical or important function” definition and test, the definition of “subcontracting”, expectations on contractual provisions and the register of information. 

  • “Critical or important function” definition and assessment: We welcome that the GLs align the definition of “critical or important function” to the DORA Regulation. Nevertheless, the “critical or important function” assessment and the associated identification criteria for criticality established in Title II, Section 4 have been transcribed from the 2019 EBA Guidelines, despite not being included in DORA. This approach introduces a layered assessment that is not only more prescriptive than DORA's, but also fundamentally diverges from the objective to align the EBA’s framework with DORA, which could potentially complicate firms’ efforts to streamline their CIF assessments. It is therefore necessary to align the approach to determining “critical or important functions” under the two frameworks to help drive consistency in the way risk is managed for the provision of both ICT and non-ICT services.
  • Definition of “subcontracting”: the GLs retain the 2019 definition of “subcontracting” (previously “sub-outsourcing”) as opposed to adopting DORA's framing of subcontractors that “effectively underpin (...) services supporting critical or important functions” (i.e., material subcontractors). By sticking with the 2019 wording, the GLs cast the net wider than DORA’s “material subcontractor” threshold. Treating every subcontractor supporting a CIF as equal/automatically material, regardless of their role, level of importance or potential impact on the provision of the CIF, diverges from a risk-based approach. This hinders supervisory and oversight objectives and diverts risk management resources away from monitoring providers that present the most material risks. In order to properly reflect a risk-based approach to supply chain scope, the GLs should align in terminology and/or conceptually with DORA to support a consistent approach across regimes.  
  • Contractual provisions: The expectations on contractual provisions in the GLs closely align with the requirements set out in Article 30(2) and (3) of DORA for arrangements supporting critical or important functions (CIFs). At the same time, the GLs retain certain elements from the 2019 EBA Guidelines, and certain provisions only partially reflect DORA's expectations or language and form. This includes phrases such as “impediments capable of altering the performance (...)”; for clarity, these carry-overs should be swapped for the DORA wording “circumstances evidenced throughout monitoring deemed capable of altering performance” under 28(7)(c). The EBA should ensure absolute consistency between the GLs and DORA, except to the extent that the provision is ICT-specific. In this regard, we welcome the removal of the 2019 data security terms, penetration testing requirements and ICT-specific termination triggers from the 2019 EBA Guidelines that have no DORA counterpart.
  • Register of information: Requirements related to the data to be maintained in the register of information should not exceed nor deviate from the requirements for the DORA RoI. More specific comments about the RoI can be found under Title III. 

We would also like to draw attention to the inconsistent and/or interchangeable use of the terms “function”, “service”, “arrangement”, and “activity” throughout the GLs, which creates confusion and complexity, and does not align with the approach taken under DORA. For example:  

  • Paragraph 54 states that “When functions are provided by a TPSP (…) the conditions, including the financial conditions, for the service provided by a TPSP should be set at arm’s length”. It is unclear whether the EBA intends to distinguish between the outsourcing of a whole function and the provision of a supporting service to that function, or whether the terms are being used interchangeably.
  • The sentence “critical or important functions provided by TPSPs” (referenced multiple times throughout the GLs) is misleading as third-party providers do not themselves “provide” a bank’s function. The appropriate terminology should be “services provided by TPSPs supporting critical or important functions”. 

To reduce duplication and ambiguity, we would strongly recommend the EBA to adopt and align to a consistent layered terminology:  

  • Function: refers to the bank’s own functions, operations or business lines (i.e., consistently with ‘critical or important functions’ which are framed around the key services provided by a bank); 
  • Service: refers to the service delivered by the third-party service provider to support the bank’s functions; 
  • Arrangement: refers to the contractual relationship with the third-party provider under which a service is provided;
  • Activity: refers to the specific processes or tasks within a function, which may be supported by third-party services. 

We also highlight that the following provisions go beyond the letter of DORA and risk creating national overlays:  

  • Business continuity (para. 58): Linking TPRM continuity planning to the Internal Governance Guidelines could amount to gold-plating, echoing practices already seen in some jurisdictions.
  • Documentation (para. 61): Reinstating a five-year retention requirement for terminated contracts contradicts DORA negotiations, where this obligation was deliberately removed. 

The GLs should avoid introducing obligations that were expressly excluded during the DORA process. We therefore recommend removing the cross-reference in Paragraph 58 and the retention rule in Paragraph 61 to ensure consistency with DORA and to prevent divergent national practices. 

Finally, we recommend that the GLs explicitly state that Regulation (EU) 2022/2554 (DORA) constitutes the specialized and exclusive legal framework for ICT third-party risk management. Any EBA guidance should limit its scope to non-ICT services, avoiding duplication of obligations or reinterpretation of aspects already regulated by DORA and its technical standards (particularly RTS 2024/1773 on arrangements relating to critical or important functions). 

3) Harmonisation and convergence 

The ICT / non-ICT split is another pain-point. Whilst authorities emphasise the goal of convergence, the GLs maintain this distinction. This obliges institutions to make a subjective judgment when identifying contracts with both ICT and non-ICT elements. In multidisciplinary arrangements that distinction can be artificial and labour-intensive without offering any discernible risk-management benefit. We therefore propose that authorities allow for overlap or flexibility in classification, enabling firms to apply a consistent and risk-based approach to oversight without needing to retrospectively reassess existing DORA-classified arrangements or justify their classifications to authorities. If the EBA does not intend to allow for such overlap, we would invite the EBA to consider issuing principles-based guidance (and, if possible, practical examples) to support firms' assessments in circumstances where a service contains both ICT and non-ICT elements. 

Additionally, to ensure the GLs achieve their stated objective of harmonising third-party risk management expectations across the EU, we urge the EBA to actively monitor and guide NCAs toward a uniform interpretation and application of the GLs. The gold-plating of expectations was a challenge seen in the application of the 2019 Outsourcing Guidelines. It will be particularly important that the common framework established by the EBA is preserved as firms apply requirements for the broader population of third-party arrangements. 

4) Intragroup vs external third-party service providers (TPSPs) 

The GLs do not sufficiently reflect the generally lower risk profile of intragroup outsourcing compared to external third-party service providers (TPSPs). The somewhat unbalanced approach may discourage the use of efficient and well-controlled intragroup models. It should be ensured that supervisory expectations are proportionate to the actual risk profile, avoiding unnecessary burdens on intragroup arrangements that already benefit from integrated oversight. 

In the “Background and rationale” Section of the GLs Consultation paper, concerns over concentration risk, subcontracting, and operational complexity are more valid in the context of external TPSPs, where oversight is more limited and contractual enforcement may be weaker. Supervision and concentration risks raised in paragraphs 34 and 35 of the Section are in fact more manageable in intragroup arrangements. Intragroup arrangements benefit from shared governance structures, aligned incentives, and integrated compliance frameworks, which significantly reduce these risks. In practice, intragroup arrangements offer greater transparency, control, and responsiveness, which mitigate many of the risks that are more pronounced in external TPSP relationships. Currently, the GLs do not sufficiently distinguish between these fundamentally different contexts. While it is briefly acknowledged in the rationale and objectives of the consultation paper that financial entities may have a higher level of control over intragroup TPSPs, this point is underemphasized and not reflected in the overall tone of the guidelines.  

5) Intended addressees 

Clarification is also required as to the intended addressees of the GLs, as the guidelines are also addressed to financial holdings and mixed financial holdings, and are expected to be applied (groupwide) on a consolidated basis. Indeed, we note that, amongst others, insurance and reinsurance undertakings remain subject to the distinct outsourcing framework as prescribed in the Solvency II Directive and Delegated Regulation. Contrary to DORA, which created uniform requirements for all types of financial entities, we understood from the EBA public hearing that no cross-sector harmonisation for TPR is expected to be realised in the near future. In order to avoid any confusion on a cumulative approach of the different regimes, especially in a group context, the scope of the GLs should be clarified more exhaustively. More concretely, we would welcome an explicit statement that the groupwide consolidated approach is limited only to those financial entities of that group that are also directly addressees of the GLs.

6) Definitions 

6.1 Definition of “Outsourcing arrangement” 

We would welcome clarification from the EBA on the following points: 

1) whether the concept of “outsourcing” will continue to exist as a distinct category within the new framework or be fully replaced by the classification of “third-party arrangements”; 

2) whether “outsourcing” will remain a relevant term for categorisation and reporting purposes, or whether all third-party relationships will be treated uniformly under the GLs. 

Given that the concept of “third party arrangement” already encompasses “outsourcing”, maintaining a separate definition of “outsourcing” in the GLs is redundant and risks causing confusion about their scope. Because the operational requirements are tied to the risk profile of the function, maintaining the "outsourcing" label creates a distinction without a practical difference in compliance. A non-outsourcing third-party arrangement supporting a critical function is subject to the exact same rigorous oversight as an outsourcing arrangement for a critical function. We therefore seek clarification from the EBA on whether financial institutions will still be required to identify, track and/or tag their outsourcing arrangements – including those supporting critical and important functions – amongst their population of TPAs for any purpose under the GLs. 

6.2 Definition of “Third party arrangement" 

The definition of a “Third-party arrangement” should consider the aspect of a “recurrent or an ongoing basis” for the services provided, in line with the definition of outsourcing arrangement. A third-party arrangement should qualify as such only when the third-party service provider provides it on an ongoing basis. 

7) Date of application and transitional provisions 

Concerning the review period for third-party arrangements involving critical or important functions – particularly paragraph 19 – we stress that a 2-year period to review and remediate all existing third-party arrangements in scope of these GLs would pose significant challenges, particularly in light of the DORA experience. Particularly for new entities in scope, such a review process requires substantial changes to the sequence of process steps and the related internal policy framework, as well as considerable resources and staffing; the short timeline proposed in the GLs risks causing operational disruption and increased compliance costs. The implementation timeline provided for during the introduction of the original Guidelines in 2019 would therefore not be sufficient today. We therefore strongly recommend introducing more realistic (i.e., extended/deferred) and phased-in deadlines to prevent operational disruption and excessive compliance costs. Specifically, we advocate for the following: 

  • Remediation by the later of the next contracting event or two years from the date of application. Firms that already have contractual arrangements aligned with the 2019 EBA Guidelines and member state outsourcing requirements should not be expected to reopen and renegotiate contracts solely to align wording with the updated Guidelines.
  • Considering the potential volumes expected for non-ICT contracts to be adjusted, the GLs should differentiate the transitional period based on the type of contracts within scope. Specifically, we propose a two-year period solely for contracts that have already been recorded as outsourcing arrangements, and a longer period for the remaining types of contracts.
  • Prioritise arrangements supporting CIFs, allowing for flexibility for non-critical arrangements. 

We also suggest clarifying that the transitional period refers not only to contract remediation but also to full alignment with the provisions of the guidelines (e.g. the register of contracts).  

We also note that, as currently drafted, the GLs require firms to implement the contractual provisions on the day after the publication of the final rules if a contract was due to renew at that point. This would introduce significant legal and operational risk, as firms would not have had sufficient time to properly assess and incorporate the contractual requirements into their processes. We therefore recommend introducing an 18-month window between the publication of the final GLs and the beginning of the implementation period.

Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?

Section 2 – Management of third-party risks by financial entities within groups 

Paragraph 25 requires that, in accordance with Article 109(2) of Directive 2013/36/EU, the GLs also apply on a consolidated and sub-consolidated basis taking into account the prudential scope of consolidation. To avoid any confusion on the entities in scope of this consolidated approach, we would welcome an explicit clarification that the consolidated and sub-consolidated approach is limited to regulated financial entities that are also individually in scope of these GLs (i.e., the financial entities as described in Paragraph 12).   

Section 3 – Sound management of third-party risks 

  • Paragraph 30: To ensure uniform application in third-party risk management, we suggest that the GLs clarify what is meant by "at least on a recurrent or ongoing basis", by establishing, if appropriate, a minimum duration or frequency threshold for a service to be considered within the scope (this could be, for example, 1 year). This would make it easier to determine whether very short-term or sporadic services should be subject to the full requirements of the GLs, unless they are explicitly excluded by other criteria.
  • Paragraph 31 and Footnote 42: The GLs establish that when a non-ICT service arrangement also involves the use of ICT services as defined under DORA, the financial entity must determine whether the use of that ICT service is "material" to trigger the application of DORA. This differentiation can generate uncertainty and operational complexity for firms (whether these are managing complex or less complex arrangements involving a single or multiple functions), forcing entities to develop subjective assessments to distinguish which services are “predominantly” ICT, and to run dual classification and management processes for services that can intrinsically have mixed ICT and non-ICT components. An example of this is a corporate travel management service (explicitly excluded in these GLs), which would nevertheless rely on a SaaS that handles personal data, credit card information, etc. We propose that the GLs allow for overlap or flexibility in classification; this would enable firms to apply a consistent and risk-based approach to oversight without needing to retrospectively reassess existing DORA-classified arrangements or justify their classification to authorities. If the EBA does not intend to allow for such overlap, we invite the EBA to consider issuing principle-based guidance to support firms’ assessments of hybrid services.
  • Paragraph 32: we would like to make the following observations related to Paragraph 32:
    • The text of this paragraph is almost an entire copy of Paragraph 28 of the 2019 EBA Guidelines on Outsourcing. We welcome the EBA's desire to retain this scope limitation, but in practice this paragraph gave rise to divergent interpretations. We note that the (mitigating) outsourcing criterion "functions that normally fall within the scope of functions that would or could realistically be performed by institutions" is no longer restated in the current draft. In order to obtain a uniform application of the GLs, we suggest that the exclusion be further strengthened and expanded to support a proportionate approach and, as far as possible, fully aligned with the approach of DORA (and the clarifications provided by ESAs in this context).
    • In addition to the functions already listed as being out of scope of the Guidelines, we recommend introducing a specific reference to ICT services falling under the scope of DORA. Particularly, we note that the reference to “market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch)” is now missing. To avoid misunderstanding it should be clarified that it is due to the fact that they are considered ICT services under DORA.
    • Furthermore, regulated financial services provided by regulated financial entities should be exempted from the GLs. This would reduce the compliance burden for firms with multiple intra-financial arrangements, without detriment to sectoral resilience given existing regulatory coverage. It would also align with the broader supervisory convergence goal of the EBA – namely ensuring that regulators – not firms - bear the burden of oversight for services already under direct regulatory scrutiny. In this regard, we suggest reusing the DORA exclusion for regulated financial services provided by regulated financial entities (cf. ESAs Q&A DORA30 - 2999) in the GLs.
    • We also suggest confirming that formal arrangements with public authorities are out of scope.
    • We note that the service categories outlined under Paragraph 32(f) were previously excluded on a functional basis (“would otherwise not be undertaken by the institution,” EBA GL Outsourcing 2019, para. 28(g)). Now they are excluded on a risk-based basis (“material impact on risk exposure or operational resilience”). While we acknowledge the helpful clarification provided by the EBA at the recent public hearing that the prudential focus, and intent of the exclusion at paragraph 32(f), is to focus the scope of the Guidelines on services that have a material impact on the firm’s operational risk and operational resilience, we remain concerned that the current language in this section may not clearly convey a materiality threshold aligned with that stated prudential objective. The reference to “risk exposures” at 32(f) is potentially too broad and ambiguous – particularly in contrast to the substantially higher threshold of material impact on a firm’s operational resilience. Practically speaking, a wide range of low-risk or ancillary services could be construed as having a material impact on a firm’s risk exposures. If the intention is to exclude services that are not material from a prudential risk management perspective and therefore to set a relatively high bar – focusing on services that could, if disrupted, materially impair the financial entity’s ability to deliver its critical service or function – we urge the EBA to clarify this threshold. An appropriate materiality threshold would also serve to substantially reduce the burden on firms operationalising the EBA’s requirements across the expanded scope of third-party arrangements.
    • “Capacity services” should be included in the examples of “acquisition of services that do not have material impact on the financial entities risk exposure (…)”. This point gave rise to uncertainty under the 2019 EBA Guidelines on Outsourcing. It is by no means the intention to completely exclude "capacity services" (the use of external workers within one's own organization; a high number of such arrangements involve very few FTEs), but rather to allow the proportionality principle to be applied to such arrangements.
    • Under Paragraph 32(g), we recommend that the wording be adjusted to include “telephone services” (rather than “telephone lines”).
    • Finally, we recommend excluding all ancillary and instrumental services essential to the operation of buildings (i.e., building services and services for people). 

Section 4 – Critical or important functions 

We support the use of DORA’s definition of “critical or important function”. However, the GLs also bring back the 2019 assessment criteria, potentially creating a “dual test” that re-introduces complexity and undermines the simplification that DORA deliberately achieved. While we welcome the EBA’s clarification at the recent public hearing that the CIF criteria in the Guidelines are non-mandatory and intended to support firms in assessing their CIFs, this clarification alone is not sufficient to mitigate the risk of divergence in supervisory implementation. In practice, supervisory authorities historically treat these considerations as de facto requirements, leading to inconsistent expectations across Member States and divergence in how firms classify CIFs under DORA and the GLs. In addition, firms will have already defined a process for identifying CIFs using the DORA definition, and it is not in keeping with the intended purpose of these new GLs to invite the possibility of reassessment. As such, to ensure harmonisation and supervisory convergence, we strongly urge the EBA to remove paragraphs 34 to 37 and only retain the CIF definition; this approach would allow firms to continue to utilise and evolve their existing methodologies aligned to DORA and apply the same methodology under both frameworks, in line with the objective of harmonisation.  

Alternatively, if the EBA ultimately retains the additional guidance set out in paragraphs 34 to 37, the EBA could help mitigate this risk by providing an explicit statement in the GLs clarifying that:  

(i) the CIF assessment methodology is intended to be fully aligned with DORA;  

(ii) that those considerations are not intended to be mandatory / exhaustive; and  

(iii) that they are not to be interpreted as expanding the scope of CIFs beyond DORA (although we note that this would not address the risk of divergence between CIFs within a TPRM context and CIFs within an operational resilience context as outlined below). 

As a general remark, we consider the formulations in Section 4 to be overly broad, particularly when compared to the definition of “critical or important functions” in Article 3(22) DORA. Paragraphs 33 to 37 leave significant room for interpretation and could ultimately result in financial institutions classifying almost all TPSP arrangements as “critical or important,” given that some connection to a supervised activity or potential risk can almost always be identified. If a full deletion of the criteria cannot be achieved, then, in line with DORA, the focus should only be on those services where a failure or deficiency would significantly impair the financial institution, or lead to non-compliance with licensing conditions and obligations. 

In Paragraph 37(b), the criteria for determining whether a function should be classified as critical or important are supplemented and expanded compared to DORA.  

  • Contrary to DORA, the GLs refer to market and credit risks: such an expansion would effectively introduce a new system that applies only to third-party arrangements falling under the GLs, but not to those under DORA. 
  • Furthermore, the provisions in Paragraph 37(b)(ii), (iii) and (iv) would mean that any non-ICT service that – in the event of failure – could have an impact on operational, legal, reputational or other relevant risks would automatically be deemed critical or important. This contradicts the principle of proportionality and a risk-based approach. A literal interpretation would significantly broaden the scope, since almost every failure of a third-party provider could, in some way, affect such risks – even if only to a minimal extent. At a minimum, it should be clarified that only relevant, i.e. material, impacts are to be considered. 
  • In addition, the introductory wording does not fully align with the subsequent content. The enumerations could be misinterpreted as implying that any direct link to supervised activities and/or any risk would already trigger classification as “critical or important.” This would also contradict the principle of proportionality. A clarification that the assessment should focus exclusively on material risks and damage potential is therefore essential.  
  • Lastly, while Paragraph 37(b)(v) refers to AML/CFT risks and ESG risks, these are not included in DORA. To maintain alignment with the ICT framework, we suggest that this reference be deleted. We also question the reference to AML/CFT risks, which are also explicitly excluded from the scope of the Guidelines (see Rationale 11).   

The inclusion of additional criteria for assessing a CIF in the GLs not only poses a risk of broadening the scope of CIFs beyond what is intended under DORA, but risks broadening the scope of functions that qualify as critical from a resilience perspective and causing material complications for firms’ operational resilience frameworks.  

The CIF definition is already expansive due to the inclusion of the second limb in Paragraph 33.a – i.e., where the failure of the function would materially impair the continuing compliance of a financial entity (...) with its obligations under applicable financial services law. A large portion of operations within a bank could be considered as having the potential to impair continuing compliance given the range of various laws under which the sector operates (e.g. employment law, tax law, environmental rules). While this is clearly an important consideration in a firm’s broader risk and control frameworks, it introduces a low threshold for CIF designation – one that risks capturing a wide range of functions that may have a high inherent risk (and may require the application of enhanced due diligence, monitoring and control requirements), but do not support resilience-critical operations and therefore do not need to be subject to resilience-related controls (e.g., scenario analysis, joint resilience testing or incident reporting – which are widely recognised as being the most complex and resource intensive to execute). We note that this issue was explored in the IIF’s paper “Third-Party Risk Management and Operational Resilience in Financial Services” (June 2025). It outlines the risk of over-expanding the scope of what is considered “critical” for resilience through criteria that conflate the concepts of inherent risk and criticality. The analysis may provide helpful detail and context as the EBA considers the practical implications of this complex challenge. 

To that end, while internal control functions play a vital role in risk management and compliance, not every such function, or every task supporting it, would typically give rise to the kind of operational risk or resilience concerns that would warrant classification as a CIF. To provide an example, classification of internal audit as a CIF could result in an application which supports basic team collaboration in the audit function being treated with the same degree of criticality as an application which is vital to the bank’s ability to clear euros. These two applications self-evidently do not hold the same ability to disrupt the financial stability of the EU economy or the safety and soundness of the firm or markets. Any regulation which requires or implies equivalence in the criticality of these applications will de facto lead to an inappropriate application of controls to one or the other. In practice, financial entities are likely to address this by creating a multi-tier structure of “functions”: those considered CIFs for the purpose of compliance and those considered CIFs for the purpose of truly managing the resilience of the entity. This creates additional governance and complexity for financial entities while not benefitting risk management or resilience.

Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?

Section 5 - Sound governance arrangements and third-party risk 

Paragraph 38 appears to conflate two different documents – the strategy and the policy on the sound management of third-party risks – which may be maintained under different responsibilities. We suggest replacing “include” with “refer to”, so that the sentence reads: “Such strategy should refer to the policy on the sound management of third-party risks (…).” 

Furthermore, we recommend clarifying that a regular assessment of risks by the financial institution itself – rather than by the management body, as currently foreseen – should be sufficient. 

Under Paragraph 40, the reference to Paragraph 30 is unclear and should thus be clarified. It is stated that the risks associated with any arrangements with TPSPs, “including the ones referred to in paragraph 30”, should be assessed in accordance with these GLs. However, it is important to note that Paragraph 30 pertains to the definition of what constitutes an arrangement with a TPSP and specifically excludes certain types of arrangements from the scope of these GLs. Detailed individual risk assessments in accordance with Section 11.2 – also for arrangements or services that are not even covered by the GLs – would be wholly disproportionate. We recommend clarifying that arrangements not covered under Section 3 are not included in the financial institution’s operational risk management on a general basis.  

We consider Paragraph 41 to be redundant; the GDPR already applies in any case, and this is reiterated under Paragraph 47(g) of the GLs. 

Paragraph 43 sets out general requirements that are already addressed under CRD and the EBA Guidelines on internal governance, and their repetition under the GLs may create unnecessary uncertainty. For example, it is unrealistic to expect the management body of a financial institution to oversee all (potential) conflicts of interest at TPSPs (Paragraph 49(c)). In this context, we suggest inserting a cross-reference to Paragraph 45, which already requires the establishment of an appropriate role for this purpose. 

Regarding Paragraph 46, we would like to make the following observations: 

  • There appears to be an error in the text of Paragraph 46(a), which should reference Paragraph 43 rather than Paragraph 36.
  • We recommend clarifying the wording in point (c) as follows: “where internal control functions of the financial entity or tasks thereof are provided by TPSPs (…).”
  • In addition, point (d) duplicates Paragraph 44 and could therefore be deleted. 

The requirement under Paragraph 47(f) appears unrealistic depending on how “appropriate timeframe” is interpreted. It also does not take into account the possibility of remedial measures in case of deficiencies at the TPSP. We therefore recommend that point (f) either be deleted or replaced with a more general reference to appropriate business continuity management and exit strategies. 

Section 6 - Policy on third-party risk management 

To optimize regulatory consistency and facilitate internal management of third-party risk, it is positive that the GLs encourage entities to develop a unified third-party risk management policy that addresses both ICT risks (under DORA) and non-ICT risks (under the GLs), clearly delineating the specific responsibilities and processes for each category, under a common governance. We note, however, that in some instances, the intended objective of aligning the GLs with DORA – on which we further expand in the sections below – is not fully reflected in the text of the GLs.  

We would like to make the following observations on Paragraph 49:

  • Under point (d), a footnote akin to footnote 51 should be added: “This role and the reporting-line can be combined with the one in charge of monitoring the arrangements concluded with ICT third-party service providers on the use of ICT services under Article 5(3) of DORA.”; 
  • Under (f)(iv), we kindly recommend specifying that reference to the renewal processes of third-party arrangements should be included in the policy “where applicable”;
  • Point (h) should be replaced by a reference to Section 14. 

We would also like to make the following comments on Paragraph 50:

  • The first sentence should be rephrased as follows: “The policy on third-party risk management should differentiate, where relevant, between the following:”. We consider that, particularly with regards to point (a), institutions should have flexibility to decide whether the policy referred to here covers only the services within the scope of the draft EBA-Guidelines, or also ICT services subject to DORA.
  • Furthermore, we note that the requirement under point (a) to distinguish ICT from non-ICT arrangements is also problematic. In multidisciplinary contracts, such classification can be subjective and resource-intensive without producing tangible supervisory benefits – particularly given that regulatory expectations are substantively aligned. We therefore propose that the EBA allow for overlap or flexibility in classification, enabling firms to apply a consistent and risk-based approach to oversight without needing to retrospectively reassess existing DORA-classified arrangements or justify their classifications to authorities.
  • With regard to point (b), the proposed subdivision introduces a significantly more granular categorisation of TPSPs. Currently, categories include outsourcing (critical/non-critical), other third-party arrangements, and under DORA, critical/non-critical ICT services. The enumeration in this provision is even more extensive, which would require institutions to reflect and map additional categories, likely also within the register. By contrast, DORA requires only two categories.  

Section 7 - Conflict of interests 

We recommend deleting Paragraph 54 from the GLs. A similar requirement was originally proposed in a delegated act under DORA but was not retained in the final text. At that time, the following justification was provided:  

“There should be no additional requirements for TPSPs that are part of a group or a member of an institutional protection scheme owned by the financial entity. A mandatory requirement to set intra-group conditions at arm's length within a regulation is legally questionable, as this would interfere with entrepreneurial freedom of decision. The term is also unclear and compliance with this provision would be verifiable only to a limited extent. Verification can always be very complex and time-consuming, e.g. assessment of fair market price.” 

Section 8 - Business continuity plans 

We would like to make the following comments on Paragraph 55: 

  • First, we recommend making explicit reference to time-critical processes or functions. The mere classification of a function as critical or important does not automatically imply that it is also time-critical. A cumulative approach should therefore apply, whereby both characteristics – criticality and time-criticality – must be met for the provision to apply.  
  • Second, regarding the requirement for TPSP involvement in BCP testing, we note that while such involvement may be appropriate, practical constraints (e.g., provider size and market position) may limit institutions' ability to ensure participation. We recommend incorporating proportionality considerations that acknowledge commercial realities versus regulatory aspirations.
  • Finally, Paragraph 55 seems to imply that each CIF will have a singular BCP. However, in practice there may be multiple BCPs relevant for a CIF, or multiple CIFs under a single BCP. The EBA should clarify that these approaches are allowed. 

Paragraph 56 states that “business continuity plans should take into account the possible event that the quality of the provision of the critical or important function provided by a TPSP deteriorates to an unacceptable level or fails.” It is unclear what “unacceptable level” refers to and how this aligns with existing definitions of business impact. 

We question whether Paragraph 57's provisions more appropriately constitute Exit Strategy requirements rather than BCP documentation, which typically focuses on operational continuity measures. We seek clarification on this definitional distinction to ensure appropriate implementation. Additionally, under this paragraph, firms are required to list specific causes of disruption in their BCPs. This is redundant. Effective BCPs focus on maintaining continuity of critical services regardless of the cause of disruption. Detailing potential causes adds no practical benefit to resilience outcomes and risks turning BCPs into box-ticking exercises. This requirement should be deleted, and the focus should be on recovery objectives, testing, and governance to ensure continuity regardless of the disruption source. 

Paragraph 58 introduces an explicit requirement that business continuity plans align with EBA Guidelines on internal governance, echoing gold-plating seen in the PRA and CBI rules. This requirement, however, deviates from DORA's contractual expectations, and as such, should be removed. 

Section 9: Internal audit function 

We recommend updating Section 9's specific reference to the Internal Audit function to reflect that such activities may be undertaken by any independent and appropriately qualified party. We contend that the current formulation presents potentially significant resource implications for Internal Audit functions that may prove disproportionate to risk management objectives. 

Paragraph 59 refers to the “establishment” of the audit function. This term needs to be further clarified so that its intended meaning can be properly understood. 

Section 10: Documentation requirements 

The GLs indicate that they seek to ensure coherence and a reduction of discrepancies between the DORA Register of Information (RoI) for ICT services and the RoI for all third-party non-ICT arrangements. Indeed, Paragraph 63 states that “the register shall be consistent to the extent possible, when not merged, with the register of information under Article 28(3) DORA, and financial entities are encouraged to avoid any discrepancies between those two registers.” We also note that the letter sent by the ECB to Financial Entities indicated that "the ECB is committed to ensuring that significant institutions maintain and report a single, unified register". The letter also stated that "Consequently, the current ECB collection of outsourcing registers will be discontinued in 2025 and replaced by the new DORA RoI" and that "The scope, template and definitions for this reporting will align with the respective DORA ITS". It further stated that "This future set-up will ensure that there will be a single point of data collection for all third-party dependencies, ensuring continuity in reporting processes, tools and data management". 

Whilst we acknowledge the EBA’s intention in having a “lighter register” given the expanded scope of services, and offering flexibility in terms of alignment with the DORA register, in practice, the current approach outlined in the GLs risks creating unintended complexity for firms and the possibility of divergence in implementation across firms and member states. A misalignment in RoI requirements creates substantial operational burden (i.e., high impact on the processes, tools, information management associated with services provided by third parties) and associated costs, fundamentally undermining the stated objective of regulatory convergence. In addition, without the clear expectation of an aligned approach, firms may face supervisory scrutiny and pressure to justify decisions not to merge or fully align registers, undermining rather than supporting the broader EU simplification and convergence agenda.  

While alignment between the two registers is desirable, we also stress that proportionality must be maintained. A unified, but proportionate register for all third-party arrangements (both ICT and non-ICT) could be achieved with the following caveats:  

  • ensuring the broader population of third-party arrangements are not subject to unnecessary reporting requirements – i.e., flexibility or exclusion of data requirements for lower-risk arrangements, especially non-ICT, non-outsourcing arrangements; and
  • providing optionality for data fields that are not applicable to all third-party arrangements – i.e., ensuring any data-related or ICT-specific fields are optional where not applicable. 

The scope of the register should be tightened to focus on subcontracting arrangements which effectively underpin CIFs – aligning with DORA and enabling the merged submission the EBA aspires to move towards. 

Below we expand on the main differences between DORA and GLs' requirements that prevent the maintenance of a single register of information: 

  • Template of the Register and data format requirements:
    • DORA: the DORA data structure is designed as a relational database, and the report has specific characteristics, with a predefined value taxonomy (EBA:XXX), a predefined number of columns and N rows, aligning only a single value in each field. There are also specific validation rules for the Register.
    • GLs: the GLs do not define the data structure, formats, or concrete specifications for the report or quality rules, which suggests that discrepancies will arise in the reporting format, value taxonomy, and validation rules.
    • We therefore request that format requirements and reporting specifications be included at the same level of detail and in line with DORA's requirements where appropriate (as outlined above) to avoid maintaining two separate reports, validation rules and different taxonomies.
  • Conflation of service vs. contract: Certain requirements, including within the register, at times appear to conflate the third-party service with the contractual arrangement through which it is delivered. These are distinct concepts and conflating the two can lead to operational and compliance challenges for firms. Oversight, classification and register reporting requirements should attach to the service, not the contract that gives effect to it. We encourage the EBA to ensure regulatory expectations reflect this distinction more clearly. The distinction matters because: 
    • A single legal agreement may cover multiple services captured in service-level documents (with differing risk ratings and characteristics); or vice-versa when Master Service Agreements are used; 
    • Service provision evolves over time without necessarily triggering a contractual change; 
    • Contracts may be re-papered for various reasons without any meaningful change to the underlying service.
  • Terminated or expired contracts: The GLs establish that financial entities must retain terminated third-party arrangements and supporting documentation for an appropriate period of at least 5 years. This is contrary to DORA requirements, bearing in mind that this retention period was removed from DORA during the legislative process. We therefore request confirmation regarding whether terminated agreements must be submitted in the RoI. However, if the intended objective is to align with DORA, this requirement should be removed altogether.
  • Information requirements:
    • There are new information fields required in the GLs that are not requested in DORA:
      • Date of next contract renewal: DORA only asks for the next renewal date if the contract allows for extensions.
      • Additional provider information (contact details, corporate tax ID...).
      • Service description.
      • Service Category and Subcategory.
      • Type of subcontracted function (only for critical functions).
      • Country where the subcontracted service is performed (only for critical functions).
      • Date of the last assessment performed of the TPSP's substitutability.
      • Reintegration assessment date (only for critical functions).
      • Detailed identification of the alternative provider (only for critical functions), which implies LEI/EUID + contact details, corporate tax ID... and including the ultimate parent company.
      • Fields required for all, when DORA only asks for critical functions: Notice period(s) for the institution & Notice period(s) for service provider; Country where the service is provided;
      • Data storage location, if applicable.
    • The extended scope of the register represents a significant expansion of reporting relative to previous regulatory expectations and potentially will introduce a material operational burden without an obvious value add to risk management or supervisory objectives. This risks turning into an administrative challenge unless proportionality is sharpened: low-risk, data-light, non-ICT arrangements should not be saddled with the same level of detail as genuinely critical engagements.  

Under Paragraph 61, the GLs require financial institutions to retain documentation of terminated third-party arrangements in the register and to keep supporting documentation for “an appropriate period of at least five years.” This provision goes beyond the requirements of the DORA information register and should not be reintroduced in the EBA Guidelines.  

We note that the five-year retention requirement was deliberately removed from DORA during the legislative process, including from the ITS on the information register. Reintroducing it here would therefore be inconsistent with DORA and constitute gold-plating. Instead, FAQ 52 on DORA should be applied: "In accordance with the final text of the ITS as published in the EU Official Journal, there is no requirement to include into the register terminated or expired contracts."  

We generally welcome the possibility of maintaining a central register for institutions belonging to the same group or institutional protection scheme (cf. Paragraph 62). However, as long as DORA does not provide for such a possibility, this option does not represent a genuine relief for documentation purposes (see also Paragraph 63).  

We also note that Paragraph 27(d) requires that an institution-specific register must be capable of being generated at short notice. This implies that the documentation must be maintained in such a way that the central unit, with the involvement of the institution, can update and reflect the institution’s individual contracts at entity level. A real simplification could arise if reporting obligations could be fulfilled centrally (see also Paragraphs 65 and 67). An example would be the central notification of planned arrangements with a group provider that support critical or important functions. 

We would like to make the following observations on Paragraph 63:

  • Requirements under subparagraph (a) appear at times to conflate the third-party service with the contractual arrangement through which it is delivered. Oversight, classification and register reporting requirements should attach to the service, not the contract that gives effect to it. The distinction matters because: 
    • A single legal agreement may cover multiple services captured in service-level documents (with differing risk ratings and characteristics), or vice-versa when Master Service Agreements are used; 
    • Service provision evolves over time without necessarily triggering a contractual change; 
    • Contracts may be re-papered for various reasons without any meaningful change to the underlying service.  

We therefore encourage the EBA to ensure regulatory expectations reflect this distinction more clearly. 

  • The requirement under point (b) to provide an end date and reason of the termination should not apply as services that have been terminated during the reporting period would not be captured in the register. There is no clear risk management benefit, and historical versions of the register could be reviewed by authorities if needed. Retaining this requirement adds unnecessary complexity and should be removed. With the register templates constantly evolving, gathering backdated information for terminated contracts would be impractical in certain cases. Additionally, DORA only requires notice periods for third-parties supporting CIFs which should be reflected in the Guidelines;
  • Points (e) and (h) should be amended to refer to the “services” provided by the TPSPs, not the functions;
  • Under subparagraph (g), the requirements to provide the "name of its ultimate parent company” and “other relevant contact details” go beyond DORA. It is also unclear what benefit TPSP contact details provide to supervisory oversight and objectives – noting that these are also constantly changing. These should be removed.
  • We support the use of LEIs (cf. Point (g)) to support supervisory and oversight objectives. However, the industry is concerned that extending the requirement to procure LEIs for all third-party arrangements, in particular non-outsourcing arrangements, will present significant challenges in practice, without offering a clear risk management benefit. Notably, there is currently no standardised approach to the information entities could be required to submit to obtain an LEI – in some cases, the information requested is onerous and has no bearing on LEI issuance. To ensure the requirement remains proportionate and does not impose an undue operational burden on financial entities (whilst also supporting supervisory objectives), we propose limiting mandatory LEI collection to third parties delivering services supporting CIFs, and/or introducing flexibility in the requirement for non-CIFs (e.g., “if applicable”, or allowing the use of other identifiers). This flexibility should be extended to subcontractors and their parent companies with whom financial entities do not have a direct relationship.
  • With regards to subparagraph (h), we note that DORA only requires the country where the service is provided for third-party services supporting CIFs, which should be reflected in the GLs.
  • Paragraph 63(i) states that the register of information should include information on “whether or not (yes/no) the function provided by a TPSP is considered critical or important (...).” It is unclear whether the reference is to the firm’s assessment of the criticality of the bank function that the third-party service supports, or to the firm’s risk assessment of the third-party service itself (including whether it is material to that CIF – noting that just because a service supports a CIF, it does not automatically mean it is critical). The reference should be amended to “whether the function is considered critical or important”. 

We would also like to make the following comments on Paragraph 64:

  • We recommend removing the requirement to include in the register the “outcome and date of the last assessment performed of the TPSP's substitutability” (point (d)) as it goes beyond the requirements under DORA, the ECB Outsourcing Register for Significant Institutions and the CBI Outsourcing Register. Additionally, the date of the last criticality assessment is already provided, which should sufficiently evidence this data field.
  • With regards to subparagraph (e), we note that DORA does not require the date of the last reintegration assessment or the impact of discontinuing the CIF with RTO. These requirements should be removed.
  • The requirement to report in the register “the estimated annual budget cost of the third-party arrangement for the past year, together with the currency” (point (h)) is operationally challenging to assess – particularly at service level – and is likely to be commercially sensitive and the third party’s confidential information. It is also unclear what supervisory value this information provides. The cost of a third-party arrangement does not meaningfully reflect its inherent risk or criticality (i.e., a high-cost contract may relate to a non-critical service, while a lower-cost contract may underpin essential services). Cost also does not reliably indicate the degree of operational dependency or the extent to which a service may be substitutable. As such, cost should not be treated as a proxy for risk exposure, and it is unclear what supervisory value this data provides – particularly given the challenges of accurately apportioning service-level cost across multiple legal entities. We therefore recommend removing this requirement. 

Paragraphs 63(g) and 64(c) require providing personal data such as a passport number or national identity number for individuals acting in a business capacity. It should be ensured that all data maintained in an information register is in line with the GDPR. Therefore, we recommend not maintaining personal data in an information register. 

Paragraph 65 requires financial entities to make available the register to the competent authority in a processable electronic form. We are of the view that this requirement should be consistent with DORA, where adequate and appropriate. In particular, the reference to a “commonly used database format, comma separated values” should directly follow from DORA. DORA itself provides for such options in the legislative text. 

The requirement under Paragraph 65 to submit the full set of extensive register information for planned services supporting critical or important functions is highly burdensome. For groups or institutions belonging to an institutional protection scheme, centralised submission by a central unit should in any case be permitted. With a view to reducing unnecessary administrative burden, we kindly recommend deleting this provision altogether. 

The requirement under Paragraph 68 to inform competent authorities of “material changes and/or severe events regarding their third-party arrangements that could have a material impact on the continuing provision of the financial entities’ business activities” should be limited to contracts that support critical or important functions.

Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?

Section 11 – Pre-contractual analysis 

11.1 Supervisory conditions for contracting with third-party service providers  

We are of the view that the conditions for cooperation agreements under Paragraph 72(c) should be moved to Title V of the Guidelines. In addition, competent authorities should be required to provide adequate information on the agreements they themselves have concluded; financial institutions are generally not in a position to assess whether all of the specified conditions are met.   

11.2 Risk assessment of third-party arrangements 

Compared to the 2019 EBA Guidelines, risk-assessment duties (Paragraphs 73 and 74) now extend beyond operational risk considerations to expressly cover reputational, legal and concentration risks as separate risk attributes. This broadens the expectation beyond a risk-based and operationally feasible approach. Under DORA (Article 5 of the RTS on the ICT Policy), these risk factors are explicitly scoped to the provision of ICT services supporting CIFs. By contrast, Paragraph 74 sets out a broad expectation for the financial entity to assess the impact of third-party arrangements on all relevant risks. The risk assessment requirements should support clear alignment with DORA and a proportionate approach to scope to reduce operational complexity for firms. 

As per Paragraph 76, a detailed weighing of mitigated risks against newly arising or intensified risks for every single third-party arrangement is not practicable, given the volume of such arrangements per institution. At most, such an exercise could be envisaged only for critical or important third-party arrangements within the meaning of Paragraphs 34 and 35.  

Paragraph 76(a) requires financial entities to conduct their concentration risk assessment at entity level. While we acknowledge the importance of identifying and managing concentration risk, it is important to recognise that third-party arrangements are often contracted at group level. As such, meaningful assessment of concentration risk is typically most effective at the group level. Requiring individual legal entities to conduct entity-level concentration risk assessments may therefore not materially improve risk outcomes, particularly where those entities have limited ability to manage or mitigate group-level arrangements. We therefore propose a proportionate approach that allows entities to rely on group-level assessments where appropriate – otherwise, this could result in a compliance exercise with limited value for actual risk management and supervisory oversight. 

We are also of the view that the requirement under Paragraph 76(b) to assess aggregated risks concerning groups of institutions and institutional protection schemes is too far-reaching. Such analyses can only be carried out at a central (group-wide) level. Individual institutions will not have access to all relevant information and can only provide their own perspective. 

We support the EBA’s focus on subcontracting risks (cf. Paragraph 77), particularly in cross-border contexts. However, the expanded expectations may significantly increase the volume and complexity of concentration risk assessments. We recommend following a proportionate, risk-based approach that aligns with strategic oversight priorities and avoids unnecessary operational burden. Additionally, it is unclear what additional risk may arise if the subcontractor is located “in a different country from the TPSP”, but not in a third country. Finally, we recommend that the term “long and complex chains of subcontracting” be further clarified. 

11.3 Due diligence 

The due diligence expectations should support clear alignment with DORA to avoid gold-plated expectations. For example, Paragraph 81(c) requires firms to assess geographic risk dependencies (i.e. relating to the economic, financial, political, legal and regulatory jurisdictions where the service is provided). Whilst financial entities routinely assess location-related risks (including risks linked to the jurisdiction where services are delivered and data is processed / stored), this requirement introduces a granular and disproportionate burden. This level of due diligence also goes beyond current practice and is not required under DORA. In addition, the effort required to obtain the necessary information about TPSPs’ ethical behaviour (cf. Paragraph 83) is disproportionate and not commensurate with the benefits of the provision. We therefore recommend deleting this requirement, or at least reducing it to a more appropriate level (e.g., directed at financial entities that fall within the scope of the CSDDD). 

Section 12 – Contractual phase 

Given the broad number of TP arrangements now caught, even beyond the outsourcing baseline, some of the requirements do not work in all TP contexts. For example, Paragraph 85(c), (g) and (h), relating to information on data processing and storage location, data confidentiality and data access, will not be relevant for all non-ICT service arrangements, especially where there is only an inbound flow of data. The GLs should allow for some flexibility or optionality in the application of these requirements. 

Section 12.1 - Subcontracting of critical or important functions 

We kindly request textual harmonisation between Article 30(1) DORA and Paragraph 84 of the GLs with regard to the requirement for all contracts. In particular, it should be clarified that the requirement is not for the use of a single document, but rather for the written form of the contract as such, regardless of whether the overall contract consists of various contractual components and annexes. 

Under Paragraph 85, the insufficient distinction between services supporting critical or important functions and other services would result in a large number of contracts having to be amended, creating significant additional burden for institutions. Until now, minimum contractual clauses were only required for critical or important functions. The GLs extend these minimum clauses to all outsourcing arrangements. This is not proportionate, creates significant implementation effort for financial institutions, and risks further concentration on a small number of large providers. The list also goes beyond DORA, which focuses its most stringent contractual requirements on ICT services supporting CIFs. 

In addition, the requirement to include a choice-of-law clause in all contracts (cf. Point (e)), even where both parties are domiciled domestically, is unnecessary. It will be extremely difficult to renegotiate contracts with all TPSPs to include such clauses. Most TPSPs are not subject to prudential regulation and are not familiar with these requirements. DORA has already demonstrated the challenges of negotiating minimum contractual content with ICT providers. Under the GLs, the number of TPSPs covered could be far higher than under DORA, resulting in a manifold increase in workload, while many relevant TPSPs will have no reference to or awareness of these Guidelines. 

We also note that certain elements within Paragraph 85, particularly sub-paragraphs (b), (e), (f), (h) and (j), are either not required under DORA or exhibit discrepancies when compared to it, and the rationale remains unclear. For example, Paragraph 85(h) of the GLs does not incorporate the wording “in an easily accessible format” found in Article 30(2)(d) DORA. These discrepancies risk undermining the objective of harmonised regulation across the EU and may result in unnecessary complexity and compliance burdens. In light of this, we request that these requirements be removed or, alternatively, that the GLs be aligned with DORA to mitigate contractual burdens and streamline relationships with TPSPs. Similarly, Paragraph 85(j) goes beyond the letter of DORA (cf. Article 30(3)(e)), in the sense that the latter does not foresee any obligation to monitor non-critical or non-important functions. This higher requirement for non-ICT services should be removed from the GLs. 

Finally, we note that under Paragraph 85(l) there is a wrong reference to Section 12.4, which does not exist. It should be Section 12.3 instead. Sub-paragraph (m) should also be amended to include “where relevant”. Furthermore, if the purpose of Paragraph 85 is to ensure consistency with DORA, the wording should be aligned with Article 30. Currently, the GLs refer to “functions” but not “services” provided by TPSPs. 

With regard to Paragraph 86, we would like to make the following remarks: 

  • It is not feasible to formulate meaningful quantitative targets for every type of service, as required under subparagraph (a). We therefore recommend amending the wording to “quantitative and/or qualitative performance targets.”
  • The requirements set out under subparagraph (c) are not required under DORA. These discrepancies risk undermining the objective of harmonized regulation across the EU and may result in unnecessary complexity and compliance burdens. In light of this, we request to remove this requirement.
  • Paragraph 86(e)(i) makes reference to Section 12.1 of the GLs; this should be changed to Section 12.2.
  • Under subparagraph (f), the wording “exit strategies” should be amended to “exit options”. Strategies are internal determinations of the financial institution, not a contractual element. 

We note that the GLs did not adopt DORA’s framing of subcontractors that “effectively underpin (the ICT) service that supports critical or important functions” (i.e. “material subcontractors”). It is important to note that not every subcontractor linked to a CIF is deemed material: it depends on whether the subcontractor plays a material role (i.e. “effectively underpins” the service supporting a CIF). There is therefore a risk that the GLs diverge from DORA’s risk-based focus on “material subcontractors”, dilute supervisory attention, and misallocate risk management resources. It would also be prudent to clarify the rationale behind the omission of the provisions set out in Article 4(1)(a) and (h) of the relevant Delegated Regulation. For these reasons, we recommend aligning the requirements set out in these GLs with those of DORA. 

Under Paragraph 90(a), the GLs require the written agreement to specify “any types of activities that are excluded from subcontracting”; DORA, however, under Art. 4(1) of the RTS on Subcontracting, requires the contractual arrangement to identify “which ICT services support critical or important functions or material parts thereof are eligible for subcontracting”. This represents a different approach (exclusion of activities vs. inclusion of eligible services) and could result in broader subcontracting under the GLs than under DORA. Alignment with DORA should be ensured. 

With regard to Paragraph 90(i) and the reference to “in a timely manner and as soon as possible”, we would welcome clarification from the EBA that it is for firms to demonstrate how they have met the requirement to act in a timely manner. 

With respect to Paragraph 96, the wording of the second and third subparagraphs, while largely consistent with DORA, omits the phrase “or material parts thereof”. We would appreciate clarification on whether this omission is intentional, and in any case, recommend ensuring full alignment with DORA. 

Section 12.2 - Access, Information, and Audit Rights 

Alignment with DORA should also be ensured with regards to Paragraph 100, which requires audit rights also for the provision of functions that are not critical or important. For the sake of harmonisation, we kindly recommend aligning this requirement with DORA and removing the audit right in relation to non-critical or non-important functions. 

12.3 - Termination rights 

In line with preceding comments, harmonization of Paragraph 109's requirements with DORA is recommended to ensure legal certainty and avoid divergent application. Specifically: 

  • Given that these termination cases are mandated by DORA, the inclusion of the wording “where necessary” (“The financial entities should be able to terminate the third-party arrangement where necessary, in accordance with applicable law”) could inadvertently increase the contractual burden and compliance negotiations with TPSPs.
  • While DORA requires a “significant” breach of laws for the termination of a third-party arrangement, Subparagraph (a) lowers this threshold to any breach. We therefore kindly request alignment with DORA.
  • Similarly, while DORA requires “evidenced” weaknesses for the termination of a third-party arrangement, Subparagraph (d) only requires “weaknesses”. This raises practical questions for contract negotiations, in particular who decides whether a weakness exists. Additionally, while DORA refers to “confidentiality of data, whether personal, otherwise sensitive, or non-personal,” the GLs refer only to “confidential, personal or otherwise sensitive data or information.” We would appreciate it if the EBA could clarify whether the same data categories are covered.
  • Finally, under Subparagraph (e), the GLs introduce a termination right triggered when instructions are given by a competent authority. This clarification is useful, given the discussions under DORA regarding when an authority may be unable to effectively supervise. However, the different wording compared to DORA risks divergent applications between the two frameworks. We kindly request clarification whether this deviation is intended. 

Section 14 – Exit Strategies 

In general, we recommend including explicit derogations or exemptions for service agreements within group- and IPS-related structures. Such agreements are typically designed as permanent arrangements. Within groups and institutional protection schemes, sufficient control and influence mechanisms usually exist, such that the risk of provider failure or unexpected termination is very low.  

We also point out that it is largely unfeasible for financial entities to test exit strategies and conduct continuity tests independently, rather than relying on the service providers for these responsibilities. 

With regards to Paragraph 118, we note that: 

  • Developing detailed exit strategies and plans for largely theoretical scenarios, as required under Subparagraph (a), would create unnecessary administrative burden. Potential negative events (e.g. operational disruptions) and countermeasures are already addressed within BCM and risk assessments. The occurrence of such events does not necessarily imply the need to exit the arrangement. Even in cases of material underperformance, institutions generally retain influence over the TPSP. Depending on the nature of the arrangement, it may therefore be sufficient to focus on practical and reasonable response options.
  • It should also be made clear at the very beginning of this Paragraph that the requirements apply only to TPSPs supporting critical or important functions. Currently, this limitation appears only under subpoint (b) of para. 118; it should be brought upfront. 

As regards Section 14 (Exit Strategies), we note that in Paragraph 119 the draft Guidelines state that “When developing exit strategies, financial entities should: …. c. perform a business impact analysis that is commensurate with the risk of the processes, services or activities provided by TPSPs, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take. This should be subject to a regular review taking into account the current situation;”. We consider that it should be clarified whether the Guidelines require a Business Impact Analysis specifically on the exit plan. 

Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?

While the Annex can be useful as a classification tool, in practice it risks functioning as a presumptive list, particularly when combined with the re-introduced 2019 criteria. This undermines DORA’s principle-based approach, which intentionally simplified the identification of critical or important functions. The Annex should therefore not serve as a parallel CIF test, as reliance should rest solely on DORA’s definition. 

Commenting on the list of functions, we note that Annex I includes two types of services that could be provided by third parties, namely “Secretarial services” and “Travel and entertainment services” that fall under the functions that are explicitly excluded from the scope of the draft Guidelines as per Paragraph 32(f): 

“the acquisition of services that do not have material impact on the financial entities’ risks exposures or on their operational resilience (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators)”. This discrepancy risks creating implementation uncertainty and undermining regulatory clarity. The list therefore needs to be amended to ensure consistency with Paragraph 32(f). It is recommended that the EBA remove these examples from the categories listed in Annex I or, at a minimum, clarify their exclusion under Paragraph 32(f). Additionally, consideration could be given to using the Annex to explicitly define exclusions for functions that are low risk and ancillary, ensuring they are not encompassed by the GLs. 

Alignment is also required as to what is considered a “service” and which kinds of third-party arrangements or services fall under the GLs. Annex I lists services which typically do not fall under a risk-based approach to third-party risk management, including “Insurance services” and “Talent acquisition & hiring”. With regard to the former, the contracting of an insurance policy is a legal agreement in which an insurance company agrees to indemnify the insured if a covered event or risk occurs. It does not require continuous action on the part of the third party and therefore would not affect the continuity of the bank; it is a guarantee. In summary, the purpose of financial entities contracting insurance policies is to mitigate and/or transfer risks, rather than to procure operational service provision. Including them in the scope would therefore not be consistent with the spirit of these third-party risk management guidelines. It should be clarified whether insurance services are considered third-party arrangements, specifically where the insurance benefits a third party or involves functions such as the use of an insurance intermediary. 

We also note that the Annex originated from the Level 1 and Level 2 categories required by the ECB’s previous yearly collection of Significant Institutions’ outsourcing registers, with the following differences: 

  1. The “AML/CFT” category and related Level 2 categories are missing. We would kindly ask for confirmation that AML/CFT services are not within the scope of application of the GLs.
  2. In the “Internal control functions” category, the following subcategories are missing:
  • Risk management function – Liquidity risk management
  • Risk management function – Market risk management
  • Risk management function – Operational risk management (non-IT)
  • Other 

We would appreciate clarification as to whether their omission is intentional or the result of an oversight. 

  3. In the “Investment services” category, the following subcategories are also missing:
  • Reception and transmission of orders
  • Safekeeping and administration of financial instruments for the account of clients, including custodianship and related services
  • Underwriting of financial instruments & placing of financial instruments on a firm commitment basis
  • Other 

We would appreciate clarification as to whether their omission is intentional or the result of an oversight. 

Name of the organization

European Banking Federation (EBF)