BDO Risk Excellence Compass: Chasing Empty Shells – Targeted Focus on Third Party Risk Management
Outsourcing and the use of third-party providers have become structural pillars of today’s financial sector. ICT and cloud services in particular now underpin many critical operations. While this has enabled efficiency and innovation, it has also created heightened dependencies and systemic risks – prompting supervisors to sharpen their expectations.
In July 2025, the EBA took the first step by publishing its Consultation Paper EBA/CP/2025/12 (7 July 2025). Unlike DORA, which establishes a harmonised framework for ICT and digital operational resilience, the EBA paper extends the scope to all third-party arrangements – including non-ICT services. Just over a week later, on 16 July 2025, the ECB published its Guide on Outsourcing Cloud Services, setting out detailed supervisory expectations for cloud outsourcing, with a particular focus on governance, risk assessment, exit strategies, and audit rights.
Together, these initiatives form a complementary framework: DORA establishes binding rules for ICT resilience, the ECB guide translates these into concrete supervisory expectations for cloud outsourcing, and the EBA consultation broadens the perspective to all third-party risks, including non-ICT services.
The EBA’s consultation introduces key enhancements, including stronger governance and management accountability, broader risk assessments (covering ESG, AML/CFT, and concentration risks), stricter contractual and subcontracting requirements, expanded register requirements, and more robust exit and continuity planning.
The following assessment summarizes the regulatory expectations set out in the recent ECB and EBA initiatives and presents the practical implications we draw from them.