FIA responds to EBA consultation on non-ICT third-party risks

7 October 2025

FIA has responded to the European Banking Authority’s consultation on third party risk management for non-ICT services.

In the response, FIA highlights issues for the EBA to consider so that the guidelines enhance third-party oversight across the EU financial sector in a more proportionate way.

Recognising the regulatory objective of EU authorities for the harmonisation of third-party risk management across the EU, the frameworks established by the Digital Operational Resilience Act (DORA) and the EBA create a distinction between ICT and non-ICT third-party arrangements. This distinction lacks practical value from a risk management standpoint – especially considering the shared oversight expectations.

In practice, this split is likely to generate uncertainty for organisations, compelling them to make subjective judgments about what qualifies as “predominantly” ICT. FIA therefore recommends that regulators permit some degree of overlap or flexibility in classification, allowing firms to adopt a consistent, risk-based oversight approach without having to retroactively reclassify arrangements under DORA or justify their classifications to supervisory bodies.

To ensure the guidelines achieve their stated objective, national competent authorities must be encouraged to implement and supervise them consistently. This will be particularly important as firms operationalise requirements for the broader population of arrangements now in scope. This includes actively avoiding national gold-plating or additional supervisory expectations that go beyond the common framework established by the EBA – a challenge seen in the application of the 2019 Outsourcing Guidelines.

FIA members agree that expanding the scope from outsourcing to all non-ICT third-party arrangements aligns with broader third party risk management regulatory trends. Members would welcome the regulators’ guidance that financial entities and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality.

Lastly, FIA strongly supports alignment of the EBA guidelines with DORA to ensure a level playing field and consistent third party risk management standards across ICT and non-ICT arrangements in the EU. However, the 2025 guidelines’ hybrid model – retaining elements of the 2019 Outsourcing Guidelines alongside DORA provisions – risks diluting these objectives. By introducing requirements that exceed DORA, applying divergent methodologies, and adding unnecessary complexity, the layered framework could undermine the EBA’s objective of simplification, harmonisation and supervisory convergence.

For critical and important functions in particular, this approach threatens to complicate assessments and disrupt firms’ ability to maintain consistency with DORA. In view of this, FIA recommends alignments in various areas throughout the response to this consultation.
