Regulatory Overhaul in Financial Services Outsourcing: What Firms Need to Know
Significant regulatory developments are reshaping how financial institutions across the EU manage third-party risk and outsourcing. With the introduction of the Digital Operational Resilience Act (DORA), both the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) have moved to update their outsourcing guidance. Legal and compliance teams must act now to ensure future compliance, and resilience.
1. EBA Proposes New Guidelines on Third-Party Risk Management
The EBA has launched a consultation (open until 8 October 2025) on new draft guidelines for the sound management of third-party risk. Once approved, these will replace the 2019 EBA outsourcing guidelines and form a core part of the EU’s post-DORA regulatory landscape for financial entities.
Key Highlights:
- Scope: The proposed guidelines will apply to recurring or ongoing non-ICT third-party service provider arrangements. ICT arrangements are already regulated under DORA. Arrangements with no material impact are out of scope, as are third-party arrangements in the context of the Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) framework.
- DORA Compliance: Financial institutions must ensure all existing ICT outsourcing contracts, risk processes, and controls are fully compliant with DORA.
- New Requirements: Once in effect, the guidelines will introduce more detailed obligations on subcontracting, governance, and record keeping for non-ICT outsourcing. Financial institutions will need to review and update their internal processes, as well as in-scope third-party service provider arrangements, to reflect the new requirements. That will be a significant undertaking, but the consultation does propose a (welcome) two-year transition period for existing arrangements.
This shift signals a move towards a more granular and risk-sensitive approach to outsourcing oversight, extending regulatory attention to third-party service providers more broadly and beyond the traditional ICT perimeter.
2. ESMA Aligns Cloud Outsourcing Guidance with DORA
In parallel, ESMA has updated its 2021 cloud outsourcing guidance to reflect the advent of DORA.
What’s Changed:
- The content of the original guidance remains largely intact.
- However, its scope has narrowed: it now excludes financial entities that are subject to DORA and applies only to certain depositaries under the Alternative Investment Fund Managers Directive (AIFMD) and the Undertakings for Collective Investment in Transferable Securities (UCITS) Directive that are not subject to DORA.
Next Steps for Firms:
Firms previously relying on the 2021 ESMA guidance must now evaluate their cloud and other ICT outsourcing arrangements against DORA.
Where relevant, institutions should also consider the remaining ESMA guidance for non-DORA entities. As a reminder, the key requirements remain the same for in-scope entities, namely:
- Risk-Based Approach: financial institutions must identify and manage operational risks associated with cloud outsourcing using a risk-based and proportionate approach, considering the nature, scale, and complexity of their operations.
- Due Diligence: financial entities must conduct thorough due diligence on cloud service providers before outsourcing, assessing their security measures, compliance, and service capabilities.
- Contractual Requirements: cloud outsourcing agreements must include provisions for data access, recovery, and return, ensuring the firm can access and retrieve its data when needed.
- Exit Strategies: firms must develop detailed exit strategies for migrating services and data to another provider or bringing them in-house, including planning and testing for these scenarios.
- Sub-Outsourcing Oversight: oversight of sub-outsourcing needs to be robust, with conditions clearly defined for any sub-outsourcing arrangements.
- Information Security: specific requirements for information security are outlined, including encryption, key management, access controls, network security, and secure integration of APIs.
- Full Responsibility: regulated firms cannot delegate their regulatory responsibilities to a third party and remain fully accountable for discharging them.
Strategic Implications: Beyond Compliance
These regulatory developments are part of a broader trend: third-party risk management and operational resilience are becoming strategic legal priorities, not just compliance checkboxes.
In this context, legal and risk teams should:
- Ensure familiarity with the new EBA guidelines and consider engaging with the consultation process: the EBA is holding a virtual public hearing on 5 September 2025, from 09:00 to 13:00 CET, and the deadline for submitting comments on the guidelines is 8 October 2025;
- Engage proactively with procurement, IT, and operations functions;
- Revisit contracts, policies, and outsourcing frameworks and ensure alignment with the new requirements; and
- Consider long-term enforcement and audit-readiness.
A More Streamlined Framework?
The regulatory streamlining, particularly the removal of the overlap between DORA and the EBA and ESMA guidance, offers a clearer and more logical framework. It also makes clear that the requirements on financial institutions are legal requirements, which may make negotiations with suppliers more straightforward in some respects. But it also raises the stakes for firms: with sharper definitions come stricter expectations.
Is your organization ready?
If you’d like to discuss what these changes mean for your business, or how to prepare for the transition, contact us here. We regularly negotiate DORA-compliant agreements and have developed a unique AI-powered solution to generate gap analysis tables, narrative risk notes and mark-ups of contracts, quickly and at low fixed fees.