Question ID
2024_6979
Legal act
Directive 2013/36/EU (CRD)
Topic
Internal Governance
Article
EBA Guidelines on Outsourcing Arrangements
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
EBA/GL/2019/02 - Guidelines on outsourcing arrangements
Article/Paragraph
Para 24 and 25 page 11, in light of the responses provided in pages 88 and 89
Type of submitter
Individual
Subject matter
Clarification on How the Guidelines Impact Vendors Whose Products are Not Deemed as Outsourcing Arrangements
Question

In light of the EBA's clarification (pages 88 and 89), we understand that the purchase of standardized/licensed software or services, such as those supporting IT platforms (e.g., web hosting, DDoS systems, data backup processes), does not fall within the scope of outsourcing (as per the EBA's response to related queries).

Paragraphs 24 and 25 on page 11, however, require financial institutions to assess risks from third-party arrangements, even if not classified as outsourcing.

As a vendor providing non-outsourcing arrangements, we seek clarification on whether the EBA requires financial institutions to mandate compliance with the EBA outsourcing guidelines in our case, considering our offerings are explicitly excluded from the outsourcing definition. Can financial institutions require compliance with these guidelines, citing them as a compulsory regulatory requirement, even when our offerings do not qualify as outsourcing arrangements? 

Background on the question

As the corporate counsel for a company that provides standardized hardware and software (WAF, load balancing hardware and software, hosting, and distributed denial-of-service (DDoS) systems), I am reaching out regarding a recurrent concern in my negotiations of agreements with financial institutions.

Our customers consistently require us to comply with the comprehensive EBA Guidelines for Outsourcing arrangements. We find this approach to be a bit disproportional to the engagement, particularly considering the EBA's explicit clarification that our offerings, which include standardized hardware and software, fall outside the classification of outsourcing arrangements.

We are looking for clarity from the EBA to establish that (i) arrangements that are not classified as outsourcing do not need to be mandated to comply with outsourcing guidelines; (ii) risk-proportionate arrangements with vendors need to be made through fair commercial negotiations rather than being unilaterally imposed on vendors in the guise of regulatory requirements.

We recognize and respect these obligations and seek clarity on how they apply specifically to arrangements that fall outside the scope of outsourcing as defined by the EBA. 

Submission date
19/01/2024
Rejected publishing date
04/03/2024
Rationale for rejection

This question has been rejected because the issue it deals with is already explained or addressed in the EBA/GL/2019/02 - Guidelines on outsourcing arrangements.

For further information on the purpose of this tool and on how to submit questions, please see 'Additional background and guidance for asking questions'.

Status
Rejected question
