
EU’s DORA 2.0: EBA’s Third-Party Risk Management Gone Awry?

January 26, 2026 By Chris Kentouris

Equivalent doesn’t mean identical when it comes to the European Banking Authority’s proposal to mandate financial firms doing business on the Continent to adopt an overlapping risk management framework to the newly effective DORA for a greater number of third-party service providers.

Compliance, legal, risk management and IT directors fear that following two sets of quasi-similar rules will be time-consuming and cost prohibitive. Add the numerous existing regulations governing third-party risk management to the list of compliance requirements and the potential for errors leading to regulatory penalties can only grow. However, financial firms must start preparing for the worst-case scenario regardless of their sentiment, cautioned legal experts. “It is likely the European Banking Authority (EBA) will adopt its recommendations largely in current form,” predicted Nathaniel Lalone, a partner in charge of the European financial regulations practice at the law firm of Katten Muchin Rosenman in London. “If the experience with DORA is anything to go by, then the proposed transition period won’t provide enough time to comply based on the complexities of contracts and the number of third-party service providers affected.” DORA became effective in January 2025 and the EBA’s new guidelines would apply immediately for new contracts and in two years for existing agreements. Although the EBA’s proposal did not indicate an effective implementation date, it will reportedly be April 2026 at the latest.

Short for Digital Operational Resilience Act, DORA sets out the tasks financial firms operating in Europe must perform to ensure their third-party service providers are mitigating the potential for cybersecurity breaches and other glitches that would interrupt business operations. So do the EBA’s proposed guidelines. However, DORA requires oversight of only information and communication technology companies (ICTs). European regulators cited 19 firms as critical ICT suppliers to the financial services sector, which are also subject to direct regulatory supervision. Hence, they face a double dose of oversight. The list featured consultancies (Accenture, Capgemini, and Tata Consultancy), cloud providers (Amazon Web Services, Google, Microsoft, Oracle) and software firms (IBM, Kyndryl and SAP). It also cited Bloomberg, British Telecom, Fidelity and LSEG. By contrast, the EBA’s proposed guidelines, announced on July 8, 2025, in the “Consultation Paper on Draft Guidelines on the Sound Management of Third-Party Risk,” would affect just about every other third-party service provider (non-ICTs), even if it is a financial firm following other risk management regulations. (Comments were due by October 8, 2025.) All the third party would have to do is provide a “function” to a financial entity. The notable exemptions to the EBA’s guidelines for non-ICT firms are correspondent banks, global network provider SWIFT, and firms offering administrative services such as secretarial and cleaning. Even attorneys and accountants would fall under the EBA’s purview.

Market data providers, such as Bloomberg, Fitch Ratings (FTR), Moody’s Corporation (MCO) and S&P Global (SPGI), are not explicitly named by the EBA in its guidelines, but they could end up in scope if they are characterized as providing a “function” to a financial entity. The open question then becomes what constitutes a function. Obtaining market information could be considered a “function” if a financial firm needs the data to make informed trading decisions. Legal experts who spoke with FinOps Report hope the EBA eventually provides some clarification. “It’s not a slam dunk argument either way,” said one partner at a global law firm.

The new EBA framework would apply to a broad set of institutions. In addition to banks and investment firms, it would cover electronic money and payment institutions, issuers of asset-referenced tokens covered under the Markets in Crypto-Assets Regulation (MiCAR), and non-bank mortgage lenders. Unlike the case with DORA, regulators in European Union member states will not be legally compelled to adopt the EBA’s guidelines as national law. However, they must make “every effort” to comply and notify the EBA if they won’t. As a result, they will be under pressure to find a way to incorporate the new requirements into their legislation. Banks, investment firms and others who don’t follow the EBA’s guidelines might not face financial penalties, but they could be subject to higher capital requirements, enhanced reporting guidelines, and even restrictions on some third-party relationships.

As financial firms have become more dependent on third-party service providers, regulators worry about creating systemic risk. Although there has been much talk of a “global” regulatory environment, financial firms operating in the United Kingdom and the U.S. face different rules from either DORA or the EBA’s proposal for managing their third-party relationships. The U.K. has decided not to rely on DORA and instead to adopt a single high-level, principles-based framework across all ICT and non-ICT services, but only for strictly defined “outsourced” services. Financial firms in the U.S. market must contend with a hodgepodge of guidance from multiple agencies rather than a single cross-sector regime, with the emphasis on critical providers and more discretion for internal risk-based decisions. The Securities and Exchange Commission (SEC) mandates third-party risk management policies for broker-dealers and fund managers, while the Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC) address banks. U.S. securities and banking regulators do expect financial firms to maintain their own inventory of critical third-party relationships but leave the details up to each institution rather than issuing prescriptive data sets. In addition, unlike the EBA, U.S. supervisory agencies do not mandate contractual terms and allow for more discretion in making risk-based decisions.

The EBA is hoping that by using DORA-like requirements, financial firms will be even better protected against third-party data breaches and outages than under its February 2019 guidelines. The scope of the proposed guidelines also covers more types of financial firms than its predecessor, and all third-party arrangements, not just outsourced ones. However, the industry consensus in the feedback the EBA received from over fifty market players during the comment period is that the regulatory agency is misguided. The EBA’s premise that all financial firms need do is apply DORA’s rules to a wider range of third parties is fallacious. The EBA’s requirements deviate from DORA’s in several important respects and sometimes don’t make sense.

Given that a large financial firm would likely have dozens if not hundreds of third-party providers, the compliance, legal, and procurement departments would need to review all of those contracts to ensure they meet the EBA’s standards. A significant change from the EBA’s 2019 provisions is that contracts with all third-party providers, not just those which support critical functions, must include some mandatory provisions. Those terms include a description of the service with its start and end dates, financial conditions, provisions for data availability, performance standards, regulatory cooperation, and rights of termination. For third parties supporting critical functions, additional and more prescriptive terms are required involving unrestricted audit rights, business continuity testing, liability insurance, ongoing reporting, and subcontracting. “The EBA’s guidelines could end up causing an internal rift between the procurement and IT departments on one side and the legal and compliance departments on the other,” predicted Katten’s Lalone. The reason: procurement and IT managers who have historically led negotiations with external service providers could find themselves at odds with the legal and compliance managers tasked with following the EBA’s guidelines.

EBA’s Overreach

In their comment letters to the EBA, European financial services firms argued that the regulatory agency responsible for supervising the European banking industry doesn’t even have the authority to regulate investment management firms. It also never underwent the legitimate process of consulting with the European Securities and Markets Authority (ESMA), the pan-European securities watchdog, before devising its rules. In addition, traditional investment management firms and alternative investment funds already have their own sets of third-party risk management rules under the Undertakings for Collective Investment in Transferable Securities (UCITS) directive and the Alternative Investment Fund Managers Directive (AIFMD) respectively, which could contradict the EBA’s. In their feedback to the EBA, numerous market players urged the regulatory agency to at least eliminate financial firms, such as custodian banks, subcustodians, and depositaries, from the affected list of third-party service providers and to clearly delineate which types of firms are and are not impacted. The EBA was urged to always apply the principle of proportionality rather than take a one-size-fits-all approach to its rules. The industry consensus was that the EBA should not impose the same oversight on all non-ICT service providers regardless of how important they are to a financial firm’s operations. Instead, stricter provisions should apply only to “critical” third-party service providers.

One potential shortcoming of the EBA’s proposed guidelines that worries global custodians is the requirement to terminate third-party service providers if those entities don’t fulfill their new legal obligations. Parting company won’t always be possible when it comes to subcustodians, the banks selected by global custodians to service markets in which the global custodians can’t offer their institutional clients safekeeping and other services. “Alternative subcustodian providers may not be available in the local market and or an alternative provider does not meet the applicable standards for selection of third parties holding custody assets or prescribed under existing regulatory regime,” wrote Northern Trust (NTRS) in its comment letter to the EBA, citing the Markets in Financial Instruments Directive II (the second version of MiFID), AIFMD, UCITS V (the fourth version of UCITS) and Ireland’s Client Asset Requirements as applicable regulations. The Chicago-headquartered global custodian also noted that it might not be possible to discontinue safekeeping of assets in a particular market where sanctions or market restrictions prevent the disposition or transfer of assets. “Global custodians have seen this exact scenario arise with respect to the custody of Russian assets since Russia’s invasion of Ukraine in 2022,” wrote Northern Trust. The EBA has also misunderstood the relationship of depositaries to fund managers, said others. “Under AIFMD and UCITS, the depositary’s role is one of independent oversight over the management company,” wrote the European Fund and Asset Management Association (EFAMA) in its letter to the EBA. “However, if depositaries are not explicitly excluded from the scope of the guidelines the relationship could be effectively reversed with the asset manager now expected to conduct oversight over the depositary as the third-party service provider.” EFAMA represents the EUR 28.5 trillion (US$33.6 trillion) European investment management industry.

Eliminating financial firms from the EBA’s grasp won’t be enough to satisfy market players. The greatest challenge in complying with the EBA’s guidelines will be deciding which classification to assign to a third-party service provider. The demarcation between ICT providers and non-ICT providers, which determines whether DORA or the EBA’s guidelines should be followed, is simply not well-defined. What happens when a service provider is “hybrid,” or a combination of the two, is anyone’s guess. The EBA suggested that financial firms make the call, but that won’t be easy. “Modern [third-party] services are usually digitally integrated and cannot be clearly assigned,” wrote Josefine Spengler, an attorney specializing in information technology at the law firm of Annerton in Berlin, in a recently published article. Describing the separation of non-ICT providers from ICT providers as an unmanageable task, she argued that even the EBA cannot provide an explicit demarcation. “Annex I of the new guidelines is intended to specify non-ICT services more clearly but lists (not exclusively) hybrid services that cannot be easily assigned to either regime,” wrote Spengler.

Annoying Discrepancies

Separating non-ICT from ICT providers is just the first step toward complying with the EBA’s future requirements. Financial firms must then further separate non-critical functions from critical ones, and the EBA’s definition of critical isn’t as explicit as DORA’s. Therefore, financial firms could end up having to incorporate more rigorous provisions in their contractual agreements with third-party service providers than necessary. “Collectively, the supplementary provisions within Paragraphs 33-37 give rise to the impression that a CIF could incorporate not only core services, but any regulated service or activity of the bank leading de facto to the assessment that almost all functions should be considered critical or important,” wrote the Association for Financial Markets in Europe (AFME) to the EBA in urging the deletion of the five paragraphs from the EBA’s text. Making the designation of “critical” even more cumbersome for financial firms to determine is the need to predict criticality. “Assessment of criticality should be performed taking into consideration the information available at the time and the present criticality or importance of the function during the assessment,” wrote Euroclear in its letter to the EBA. The Brussels-headquartered parent of the national securities depositories of Belgium, Finland, France, the Netherlands, Sweden and the U.K. offered a detailed analysis of the EBA’s flawed reasoning when applied to third-party agreements.

Yet another discrepancy between DORA and the EBA’s requirements will create what Mike Pieridis and Charlotte Cavendish, attorneys at Morgan Lewis in London, called material burdens. “For example, the EBA’s Consultation proposes (similar to DORA) that the service provider must flow down certain contract terms to its subcontractors of critical and important services, but the Consultation does not include the important principle under DORA of focusing on those subcontractors that effectively underpin the relevant services,” they wrote in a recent article. The EBA didn’t even explain how far down the line of subcontractors financial firms must go. If a financial firm has 100 third-party service providers impacted by the EBA’s requirements and each provider has contracted work to other providers, the ultimate list of contracts the financial firm must address could grow to several hundred. The task could end up being unmanageable for the procurement, legal, and compliance departments to handle.

Respondents to the EBA’s request for comment also noticed two other differences between DORA and the EBA’s requirements. One involves the details about non-ICT providers to be held in a separate registry. In its letter to the EBA, the AFME pointed out that, unlike the DORA information register, the registry for non-ICT third parties must retain data about those providers for up to five years after their termination and include information on the outcome and date of the last assessment performed of the third party’s suitability, other relevant contract details, and the name of the ultimate parent company. If the EBA hopes to eventually create a single registry for both ICT and non-ICT service providers, it will be sadly disappointed because the data points won’t be compatible, said the AFME. Meanwhile, Euroclear pointed out that the mandatory inclusion of audit and access rights in third-party contracts is not the same under DORA and under the EBA’s proposed requirements. “While DORA limits this requirement to critical ICT third-party service providers, the EBA’s guidelines appear to extend it to all third-party arrangements, including those not supporting critical or important functions,” wrote Euroclear in its letter to the EBA. “This broader scope introduces uncertainty and implementation challenges, particularly when negotiating audit rights with providers of non-critical services.”

The expansive reach of the EBA’s proposal also extends to the pre-contractual analysis of third-party service providers. Not only must financial firms evaluate operational risk, but also reputational, legal, concentration, and ESG (environmental, social, and governance) risk. “While these risks are referenced under DORA with which we support alignment, we stress that the guidelines have not adopted a corresponding level of proportionality in that these are expectations which apply to all arrangements rather than only those supporting CIFs [critical or important functions],” wrote the AFME in its comment letter to the EBA. In addition, while DORA requires that financial firms ensure their ICT providers act ethically and socially responsibly, it frames those parameters as part of assessing operational risk rather than as a separate line item. The AFME argued that by explicitly referencing “ESG” as part of the required evaluation of a third-party service provider before it is hired, the EBA erroneously presumes that each of the categories (environmental, social and governance) is equally developed in terms of metrics. The London- and Brussels-based trade group representing some of the world’s largest banks urged the EBA to change the language of its proposal to allow financial firms to focus first on climate change risk, followed by other areas of environmental risk, before addressing social and governance risks.

For financial firms dealing with third-party relationships, meeting the EBA’s proposed requirements could be impractical from a business perspective. Some non-ICT providers may not be willing to accept the new terms, forcing financial firms to make some tough choices. It would be much easier if European regulators were to eliminate the separation between ICT and non-ICT service providers and come up with a single risk management framework, noted Spengler in her article. Until that happens, if at all, there is a small silver lining to the EBA’s proposal. Preparing early for its eventual adoption can mitigate regulatory risk and strengthen relationships with third parties, she asserted.
