Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?

We are concerned by the proposed scope of the Guidelines, particularly the inclusion of Class 2 investment firms, as well as the potential indirect inclusion of AIFMs and UCITS management companies that are subsidiaries within a banking or investment firm group.

We strongly oppose the inclusion of Class 2 investment firms within the scope of these Guidelines, as we consider that the EBA is exceeding its legal mandate by proposing such a reform to the current framework. While Directive 2019/2034/EU (IFD) grants the EBA, in consultation with ESMA, the authority to issue guidelines on the internal governance of investment firms, the obligations proposed in this consultation extend far beyond the issuance of non-binding guidance. They amount instead to very granular, burdensome obligations — such as detailed documentation requirements or the obligation to maintain a register of third-party providers — for which no Level 1 legislative mandate currently exists. Introducing such requirements would therefore go beyond the Level 1 framework and impose a disproportionate burden on entities that are not typically within the EBA’s direct regulatory remit. Such obligations should be subject to the ordinary legislative process, requiring a proposal from the European Commission and scrutiny by the co-legislators, before they can be applied to Class 2 firms.

It is important to recall that the previous EBA Guidelines on outsourcing arrangements applied only to credit institutions and certain investment firms within the meaning of Article 4(1)(3) CRR (old version, i.e. before the entry into force of IFD/IFR). Under Article 4(1)(2)(c) CRR (old version), companies providing certain MiFID services without permission to trade on their own account or hold client funds or securities — such as MiFID portfolio managers or investment advisers — were explicitly excluded from their scope. Many of these firms are now classified as Class 2 investment firms under the IFD. The proposed extension of scope would therefore bring a large number of firms that were previously out of scope of the EBA Guidelines, requiring significant initial implementation efforts and extensive operational adjustments.

Class 2 firms are generally not systemically relevant and are already subject to comprehensive governance and risk management requirements under the IFD/IFR framework. The IFD requires Class 2 firms to have sound risk management processes, but it does not mandate the kind of extensive documentation, registration and contractual obligations foreseen in these Guidelines. Moreover, investment firms are already subject to outsourcing requirements under MiFID II and relevant ESMA guidance, and layering additional obligations on top of those would run directly counter to the EU’s stated objectives of simplification and regulatory burden reduction.

We are also deeply concerned about the absence of proportionality in the proposed Guidelines. The requirements apply in the same manner to large credit institutions and to small or medium-sized Class 2 investment firms, without appropriate differentiation based on size, nature, complexity or risk profile. In addition, the Guidelines fail to establish any materiality thresholds that would help ensure that the obligations imposed are proportionate to the risks involved. Relatedly, several provisions do not clearly distinguish between all third-party arrangements and those supporting critical or important functions; this lack of clarity affects materiality, supervisory notifications, exit planning and register content.

We note that UCITS management companies and AIFMs that are subsidiaries of banking or investment-firm groups would indeed fall indirectly within the scope of these Guidelines, given that Article 109 CRD and Article 25 IFD require such entities to ensure that their governance, risk management, and internal control arrangements are consistent with group-level requirements. It is precisely for this reason that it becomes particularly concerning when the EBA exceeds its legal mandate by issuing such granular and prescriptive obligations in the absence of a corresponding Level 1 requirement.

For example, the Guidelines would require UCITS management companies and AIFMs that are part of a banking or investment-firm group to provide detailed documentation of all their relationships with third-party service providers, including those that are not considered ICT providers. This mirrors an existing obligation under DORA for ICT providers — with the crucial difference that DORA is established in Level 1 legislation. By contrast, the EBA is here proposing to impose similarly detailed obligations through guidelines, which would significantly intrude into the risk management operations of asset management companies without a clear legislative mandate and without acknowledging that investment funds already conduct adequate risk management in accordance with the UCITS Directive and AIFMD.

It is therefore essential that these entities remain subject primarily to their sector-specific regulatory frameworks — including the delegation and outsourcing provisions under AIFMD, UCITSD, and MiFID II — and are not burdened by additional layers of prescriptive requirements introduced through guidelines that exceed the EBA’s mandate. We note that ESMA is the competent authority for such entities, and that extending the EBA’s Guidelines to these entities would create significant legal uncertainty and overlaps with the existing ESMA framework, especially in group contexts where functions are delegated across entities.

We are also concerned by the apparent lack of cooperation with ESMA in the preparation of these Guidelines. The IFD explicitly requires the EBA to cooperate with ESMA in developing guidelines of this nature. It is unclear whether such cooperation took place, and the resulting misalignment is evident. ESMA itself issued on 12 June 2025 its ‘Principles on Third-Party Risks Supervision’, which notably do not impose prescriptive obligations, such as maintaining a register. The EBA’s approach, by contrast, is far more granular and goes significantly beyond what is necessary. Moreover, the ‘middle-way’ alignment with DORA (partly mirroring DORA while diverging on scope and granularity) creates uncertainty for institutions attempting to implement a coherent framework across ICT and non-ICT arrangements.

Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?

We recommend aligning the definition and criteria with those in DORA (Regulation (EU) 2022/2554, Recital 70), to ensure consistency and legal certainty across ICT and non-ICT third-party risk frameworks. The use of different definitions for ‘critical or important functions’ (CIF) versus DORA creates complexity and cost; the Guidelines should adopt the DORA formulation and clarify the rationale for any deviation. Presumptions that automatically classify internal control tasks or any function requiring authorisation as CIF should be replaced with a risk-based, materiality-driven assessment (including a de minimis threshold). Definitions of ‘subcontracting’ should be aligned with DORA so that only subcontractors that effectively underpin a CIF (i.e. whose discontinuation would jeopardise continuity or security of the main service) are in scope.

Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?

At the outset, we question the EBA’s legal mandate to introduce such a detailed and far-reaching register requirement for non-ICT third-party arrangements. These obligations go well beyond what is foreseen in Level 1 legislation and risk creating quasi-binding rules in an area already governed by sector-specific frameworks.

Register of information (ROI): The requirement to maintain a separate register for non-ICT TPPs would create overlap and duplication. We suggest aligning the format and data fields with DORA to allow firms to maintain a single consolidated register of all TPPs (ICT and non-ICT) for supervisory purposes. Only arrangements supporting CIF should be reportable to NCAs/ESAs; non-CIF arrangements should be maintained internally at entity level.

Documentation burden: The requirement to retain all terminated contracts for 5 years after termination goes beyond what is foreseen under DORA. We propose removing this obligation to avoid unnecessary administrative burdens and ensure consistency. Several proposed ROI fields appear unnecessary (i.e. requiring both a description and a category, dual identifiers plus corporate registration numbers, and multi-level categorisation in Annex I); these should be trimmed to what is strictly needed for supervision and aligned with DORA’s data model. The Guidelines should clarify what ‘engage in a supervisory dialogue’ means in practice (GL 67) and define ‘severe events’ (GL 68) to avoid over-notification. Proportionality should apply to governance and board oversight so that detailed, recurring board involvement focuses on CIF/high-risk arrangements.

Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?

Pre-contractual and onboarding obligations: The draft Guidelines introduce several additional requirements in the due diligence and onboarding phase. We recommend removing requirements that go beyond those already in place under AIFMD II, UCITSD and DORA, in order to avoid duplication and complexity, particularly in cross-border arrangements. Third-country cooperation arrangements should be addressed at the authority/EU level rather than imposed on individual entities. Contractual clauses (i.e. insurance, detailed SLA metrics, unrestricted audits down the subcontracting chain) should be proportionate and permit reliance on recognised third-party reports/pooled audits where appropriate. Subcontracting controls should reflect materiality and align with DORA’s scoping of ‘effective underpinning’ of CIF. Scenario analysis requirements should define what constitutes ‘less complex’ versus ‘large or complex’ entities and avoid enumerating risk categories beyond what is operationally necessary. Exit strategies should be explicitly required for CIF only, with proportionate testing expectations.

Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?

We believe that Annex I should be refined to ensure consistency with existing regulatory frameworks and to avoid inadvertently expanding the scope of the Guidelines to areas already governed by sectoral legislation, such as AIFMD, UCITSD, or MiFID II. The examples included should clearly distinguish between non-ICT third-party providers and those already subject to outsourcing or delegation rules under these frameworks.

We are particularly concerned about the interaction between Annex I and paragraph 32 of the proposed Guidelines, which defines the types of functions excluded from their scope. The current drafting risks significantly altering the nature of key relationships within the asset management sector — most notably between asset managers and their depositaries. Under AIFMD and UCITSD, the depositary’s role is one of independent oversight over the management company. However, if depositaries are not explicitly excluded from the scope of the Guidelines, the relationship could be effectively ‘reversed’, with the asset manager now expected to conduct oversight over the depositary as a third-party service provider. This would fundamentally undermine the regulatory logic of the existing framework and must therefore be avoided.

For this reason, we strongly believe that Annex I should be redrafted to explicitly exclude supervised entities, such as depositaries, custodians, or portfolio managers, when they are providing regulated services under sectoral legislation. Any activities carried out under the UCITS Directive or AIFMD — such as portfolio management delegation or depositary oversight — should be clearly exempted from the scope of these Guidelines, in line with the approach taken in paragraph 32. In such cases, the existing MiFID II and AIFMD/UCITS outsourcing rules should continue to apply, and the EBA Guidelines should not impose additional requirements.

In the same vein, regulated financial entities subject to prudential supervision and financial data providers should be excluded from the TPP scope to avoid diverging oversight requirements and overlap with sectoral regimes.

More broadly, it should be clarified that all services provided between supervised entities are not to be considered non-ICT third-party services for the purposes of these Guidelines. This would be consistent with the approach adopted by the European Supervisory Authorities (ESAs) and the European Commission under DORA, and would ensure that activities such as portfolio management services and related delegation — which are already comprehensively regulated under sector-specific legislation — remain outside the scope of these Guidelines.

Furthermore, we question whether the EBA has a legal mandate to extend its Guidelines in such a way. The proposed approach goes well beyond what is provided for in Level 1 legislation and risks duplicating existing requirements applicable to investment firms and UCITS/AIF management companies. This duplication would not only create legal uncertainty but would also conflict with the EU’s broader policy objective of reducing unnecessary regulatory burdens.

We also consider that a more principle-based approach should be adopted in the context of Annex I. Rather than imposing highly granular categorisation obligations — which require firms to first determine whether a service supports a critical or important function and then further assess whether it qualifies as outsourcing — the Guidelines should require firms to maintain, at a minimum, an overview of the contracts that support their critical and important functions. This would allow for effective oversight without imposing disproportionate and unjustified administrative burdens.

We therefore recommend that the EBA revise Annex I to ensure that supervised entities and regulated services under existing sectoral legislation are clearly out of scope, and that the Annex does not inadvertently reverse oversight responsibilities or expand the Guidelines’ application beyond the EBA’s mandate. At the same time, the Guidelines should adopt a more proportionate and principle-based approach to classification and documentation, focused on outcomes rather than formalistic distinctions.

Name of the organization

European Fund and Asset Management Association