
The EBA's Draft Third-Party Risk Guidelines: what financial entities need to know, and how they compare to DORA

Financial services firms across the EU are still bedding in the Digital Operational Resilience Act (DORA), which went live in January 2025. Now, the European Banking Authority (EBA) is addressing the other side of the equation: non-ICT third-party risk. Its draft Guidelines on the sound management of third-party risk, published for consultation last year, signal a major expansion of the regulatory framework governing arrangements for in-scope financial services firms with their third-party service providers. In essence, the EBA is preparing to usher in a "DORA 2" for non-ICT contracts. Although the Guidelines remain in draft form following the consultation that closed on 8 October 2025, the direction of travel is clear, and the parallels with DORA are striking. 

A Broader Scope of Application 

The Guidelines broaden the scope of application from “just” outsourcing to all third-party risk management. The EBA's 2019 Guidelines on outsourcing arrangements (which will be replaced) captured only situations where a provider “outsourced” an activity, i.e. performed a function that the relevant financial services entity would otherwise carry out itself. The new draft Guidelines introduce the much wider concept of a "third-party arrangement", covering any provision by a third party of one or more functions to a financial services entity, including intra-group arrangements and functions that would have never been performed internally. Outsourcing is now merely a subset of this broader category. 

Where DORA focuses exclusively on “ICT services”, the draft Guidelines apply to non-ICT services only. The EBA's stated intention is to avoid double regulation and to create a framework closely aligned with DORA, enabling firms to apply consistent risk management processes across both regimes. In practice, however, the boundary between ICT and non-ICT is not always clear-cut. Many modern services are digitally integrated and cannot be easily assigned to one regime. Where a non-ICT service also involves ICT elements, the financial entity must determine whether the ICT component is sufficiently "material" to trigger DORA instead, an area where stakeholders have called for further guidance. 

Expanded Range of In-scope Entities

The draft Guidelines also significantly expand the range of in-scope entities. In addition to those caught under the EBA's 2019 Guidelines, they now include a wider range of investment firms, issuers of asset-referenced tokens subject to the MiCAR Regulation, and financial creditors under the Mortgage Credit Directive. 

Governance: Registers, Due Diligence and Monitoring

The governance expectations closely parallel DORA's emphasis on management body accountability. Financial entities must:

  • Retain ultimate responsibility for all third-party arrangements at management body level, ensuring they do not become "empty shells".
  • Approve and annually review a written third-party risk management policy covering the full lifecycle of arrangements.
  • Designate a senior management role responsible for overseeing third-party risk.
  • Maintain and periodically test business continuity plans for critical or important functions provided by third parties. 

Echoing DORA's register of information requirements, the draft Guidelines require financial entities to maintain a comprehensive register of all third-party arrangements, distinguishing between those involving critical or important functions and others. The EBA has designed this register to use the same fields and structure as the DORA register, enabling firms to maintain a single, merged register for both ICT and non-ICT services. Pre-contractual due diligence must be carried out proportionate to the criticality of the function, and ongoing, risk-based monitoring is required throughout the life of each arrangement. 

Contractual Requirements: Mirroring DORA

On the contractual side, the draft Guidelines introduce minimum terms for all in-scope arrangements, with additional requirements for those arrangements involving critical or important functions (aligned to the approach taken for ICT services under DORA). The EBA has effectively "lifted" the DORA Article 30 contractual obligations and repurposed them for non-ICT services, covering areas such as service descriptions, subcontracting conditions, data protection, audit rights, and termination provisions. For arrangements involving critical or important functions, additional requirements apply, including quantitative and qualitative performance targets, unrestricted audit and inspection rights, mandatory exit strategies, and detailed subcontracting rules that broadly replicate the principles of the DORA Subcontracting RTS. 

The UK Position

The UK has taken a different approach. Rather than separate ICT and non-ICT frameworks, the FCA and PRA rely on overarching principles supplemented by operational resilience rules. This includes the latest Policy Statements issued by the Bank of England, FCA and PRA in March 2026 (coming into effect from 18 March 2027), which set out the rules and guidance for reporting material third-party arrangements and "operational incidents". The UK requirements are less prescriptive than DORA and the EBA's draft Guidelines, but their reach is equally broad. 

Preparing Now

Although the Guidelines are not yet final, the core requirements are unlikely to change significantly. For firms that have recently been through the process of preparing for DORA, much in the new draft Guidelines will feel familiar. Financial entities within the expanded scope should consider the following steps:

  • Map your third-party landscape: Catalogue all non-ICT third-party arrangements, including those not previously classified as outsourcing.
  • Assess criticality: Determine which functions qualify as critical or important under the draft guidelines' criteria, which are now aligned with DORA's definition.
  • Benchmark your contracts: Compare existing documentation against the new minimum requirements and identify gaps. Firms that have already implemented DORA contractual addendums should be able to leverage much of that work.
  • Strengthen governance and registers: Ensure clear responsibilities and reporting lines are in place, and begin building or updating a register that can sit alongside, or be integrated with, DORA registers for ICT services. 

For further information on the EBA's draft third-party risk guidelines and what they may mean for your organisation, please contact one of our specialists.
