Regulatory Update: EBA’s 2025 Third-Party Risk Guidelines — What Firms Need to Know

A Convergence of DORA and Outsourcing Obligations

The European Banking Authority’s (EBA) 2025 Draft Guidelines on the Sound Management of Third-Party Risk mark a significant evolution in regulatory expectations. The shift is clear: firms must move beyond traditional outsourcing oversight to manage all forms of third-party reliance — including cloud providers, SaaS tools, and professional service partners.

At Nexus Assurance, we believe this shift is not unexpected. It represents a natural and necessary convergence of DORA obligations and outsourcing governance.

From Narrow to Holistic: What’s Changing?

The 2019 Outsourcing Guidelines focused on arrangements deemed critical or important. The 2025 Draft Guidelines:

  • Expand the scope to include all third-party arrangements
  • Introduce a tiered risk classification system
  • Mandate a unified register for ICT and non-ICT dependencies
  • Strengthen board accountability, exit planning, and resilience testing
  • Emphasise the importance of systemic risk and subcontractor transparency

The goal for firms is now clear: build a centrally managed third-party register that supports both DORA and EBA third-party risk expectations.

How Nexus Assurance Helps

Our Outsourcing Hub was purpose-built with this convergence in mind. It empowers firms to:

  • Maintain a single, comprehensive register of third-party arrangements
  • Classify providers by risk tier — aligned with both DORA and the 2025 Draft Guidelines
  • Capture ICT service provider obligations under DORA
  • Include non-outsourced vendors and professional service relationships
  • Store contracts, exit strategies, risk assessments, and audit rights in one place
  • Generate board and regulatory reporting with ease

Why It Matters

Firms that address this convergence now will gain:

  • Stronger regulatory alignment
  • Greater operational resilience
  • Reduced duplication across compliance teams
  • Enhanced transparency for internal and external stakeholders

    Want to Learn More?

    We’re working with clients across multiple sectors to modernise their third-party oversight and compliance models.

    Contact us to request:

    • A full comparison briefing (2019 vs 2025)
    • A platform demo of the Nexus Outsourcing Hub
    • Guidance on preparing your register for convergence