FIA EPTA responds to EBA consultation on non-ICT third-party risks

9 October 2025

The FIA European Principal Traders Association has responded to the European Banking Authority's consultation on draft guidelines on the sound management of third-party risk with regard to non-ICT related services (EBA/CP/2025/12).

FIA EPTA members support robust risk management across the financial sector and appreciate the EBA’s efforts to support operational resilience. However, we have significant concerns regarding the proposed guidelines with respect to the legal basis, proportionality and misalignment with the EU simplification and growth agenda. We also raise concerns about the appropriateness of the EBA’s cost-benefit analysis regarding implementation of the draft’s prescriptive and onerous requirements, such as the contractual requirements and register of information.

In the response, FIA EPTA members also note that this draft would extend the EBA’s 2019 guidelines on outsourcing risks to all Class 1 minus and Class 2 investment firms, which were previously outside the scope. It would also cover all third-party agreements, beyond outsourcing agreements, with some parts of the Digital Operational Resilience Act (DORA) and related Regulatory Technical Standards (RTS) reproduced.

Regarding the legal basis, members note that none of the legislative provisions cited by the EBA (such as the CRD, IFD, and MiFID II) empower the imposition of a comprehensive DORA-style regime covering all non-ICT related services provided by third parties to financial entities in the EU. Such provisions are high-level and broad in nature, and they cannot reasonably amount to a valid mandate for a regime that seeks to mirror the extensive and granular requirements established under DORA.

Download the full consultation response here.
