The European Banking Authority (EBA) has launched a consultation aimed at establishing a framework for managing non-ICT services.
The goal is to close the existing regulatory gap relative to DORA and to create a consistent foundation for financial institutions across Europe. The new framework will replace the current EBA Outsourcing Guidelines and significantly broaden the scope of outsourcing management in financial institutions.
This approach is generally logical: the growing reliance on external service providers demonstrates that non-ICT services must also be embedded into a stringent risk management framework.
Under the previous legal framework, only outsourcing fell within the scope of the EBA Guidelines. Outsourcing is defined as activities or services that a provider performs on a continuous basis on behalf of the institution and which would otherwise be carried out by the institution itself. Services that were neither outsourcing nor ICT services under DORA were classified as “other third-party services” – and were not further addressed within institutions’ outsourcing management.
Outsourcing vs. Third-Party Arrangements: What is changing?
Going forward, Third-Party Arrangement (TPA) will become the umbrella term for any contractual relationship with third parties – including intragroup arrangements.
Outsourcing remains a subcategory of TPAs. However, there will no longer be a distinction between non-ICT services and outsourcing in terms of regulatory requirements.
For non-ICT services, requirements comparable to those previously applied to outsourcing will apply: identification, classification as critical/non-critical, risk assessments, due diligence, exit strategies, and ongoing vendor management.
Key changes at a glance:
- Registers: The current outsourcing register will likely be discontinued. Non-ICT services will be integrated into the existing DORA information register – resulting in a single register covering both ICT and non-ICT services.
- Increased workload: The number of TPAs will inevitably be higher than the number of previous outsourcing arrangements, as the criterion “would otherwise have been performed by the institution itself” is removed. This significantly increases documentation and oversight requirements.
- Framework adaptation: Institutions must expand their current “outsourcing management” into a comprehensive Third-Party Risk Management (TPRM) framework – including tools, policies, and processes.
- Reporting obligations: The scope of reporting to supervisory authorities will expand. Non-ICT services must also be recorded, maintained, and reported.
- Contracts: Specific contractual requirements will also apply to non-ICT services, meaning existing contracts may need to be renegotiated.
- Assessment of materiality/criticality: Classification will be based on the functions supported by the service, in line with the DORA approach.
Timeline and implementation
- The consultation period runs until 08 October 2025.
- Final guidelines are expected by April 2026.
- Financial institutions will then have a two-year implementation period.
This may sound generous – but in practice the timeline is tight. One of the biggest challenges will be adapting contracts with service providers that were previously considered “out of scope” of regulatory requirements.
Recommendation: Act now
Institutions that wait for the final version risk coming under significant time pressure.
Recommended steps:
- Begin analyzing the new requirements now.
- Start a gap analysis in early 2026 to clearly identify the areas requiring adjustment.
- Adapt processes, roles, and contractual frameworks early – especially for third parties previously outside the outsourcing regulations.
Conclusion
The new EBA consultation is an important step towards strengthening financial institutions’ risk management in a holistic way. At the same time, it raises numerous detailed questions that must be clarified swiftly.
What is already clear: extending the framework to cover all Third-Party Arrangements will profoundly change the daily work of compliance, sourcing, and risk management functions.
The takeaway: start early – don’t wait.