Strategies and challenges for the German banking industry

For a long time, the management of third-party service providers in the German banking industry was determined by a national outsourcing management system in accordance with MaRisk AT 9. With DORA and the reorientation of the EBA, a fundamental change is now taking place towards “uniform European” third-party risk management (TPRM). A contract- and organization-dominated perspective is being replaced by function- and risk-oriented management that makes a clear distinction between ICT and non-ICT services and focuses on resilience and dependencies. For German institutions, this means not only a need for regulatory adjustment, but also a strategic paradigm shift in governance and overall bank management.

Initial situation: Third-party service provider management in the area of conflict between MaRisk and DORA

For decades, the management of external service providers in the German banking industry was conceptually and organizationally anchored as outsourcing management. The normative basis was formed in particular by Section 25b KWG and AT 9 of MaRisk (BaFin [2024]) as interpreted by BaFin. The regulatory focus was primarily on whether a transfer of activities or functions constitutes outsourcing within the meaning of business requiring a license; so-called other third-party purchases were also addressed, but without the same normative depth.

In the course of several amendments, MaRisk AT 9 was systematically further developed, its content sharpened and aligned with the European requirements of the “Guidelines on Outsourcing Arrangements” (EBA [2019]). Key elements include the precise definition of outsourcing, an upstream risk analysis, clearly designated outsourcing officers and requirements for monitoring, contract design, audit rights and contingency planning. This is flanked by requirements for reporting, internal control procedures and the maintenance of an outsourcing and information register. The principle of proportionality allows for a risk-oriented adjustment to the size, business model and complexity of the respective institution.

With the entry into force of the DORA Regulation on January 17, 2025 (Regulation (EU) 2022/2554), the regulatory focus is shifting significantly towards intensive ICT third-party risk management. Credit institutions are now obliged to comprehensively manage the risks arising from the procurement of ICT services, especially if external providers support critical or important functions. Against the backdrop of increasing modularization of banking value chains, digital operational resilience is thus becoming the focus of attention.

In practice, however, there is fragmentation due to overlapping requirements from MaRisk AT 9 and DORA. Banks often find themselves forced to establish parallel organizational and procedural structures for an ICT service (e.g. in relation to the information and outsourcing register). This results in increased complexity, limited controllability and a strong link back to the historically grown outsourcing management, which only meets the new, expanded European requirements to a limited extent.

Paradigm shift: EBA consultation on third-party risk management

With the consultation on the new “Guidelines on third-party risk management with regard to non-ICT related services” (EBA [2025]), the European Banking Authority is pursuing the goal of systematically resolving the existing regulatory overlaps and inefficiencies between outsourcing management and third-party management. The approach, which has so far focused heavily on the concept of outsourcing, is thus being developed into comprehensive third-party management, with the first structuring distinction in future being that between ICT and non-ICT services.

Third-party risk management for ICT services is fully subject to the scope of the DORA Regulation. DORA establishes a detailed, binding framework with high requirements for governance, risk assessment, contract design, monitoring and ensuring digital operational resilience. Non-ICT services, on the other hand, are to be addressed exclusively by the new EBA guidelines in future. These focus on the risk-oriented management of all non-ICT third-party relationships, regardless of whether they have previously been classified as outsourcing.

The key content of the consultation includes an expanded definition of third parties, a uniform lifecycle approach from the initiation to the termination of the business relationship, consistent requirements for risk analyses and register management as well as a stronger emphasis on concentration risks and critical dependencies. Analogous to the DORA requirements, however, the new guidelines pursue the same overarching goal of increasing the resilience of credit institutions (see Igl [2025]).

The consultation period ended at the beginning of October 2025. The publication of the final guidelines is planned for the second quarter of 2026, followed by an implementation phase of at least twelve months. Depending on the timing of the next MaRisk amendment in summer 2026, the new requirements could be integrated into it; otherwise, further MaRisk adjustments are to be expected at short notice.

Target image: Holistic and in-depth third-party service provider management

The paradigm shift associated with the EBA consultation has a significant impact on German banks, whose previous outsourcing structures were essentially based on MaRisk AT 9. The materiality concepts established there, which historically focused heavily on transactions requiring approval and on time-critical processes, are proving to be only partially compatible with the new European requirements. In particular, they do not necessarily reflect the holistic view of third-party relationships that will be required in future.

At the heart of the new target image is the identification of critical or important functions – regardless of whether their criticality is operational, strategic or technical. This reassessment deliberately moves away from the previous narrow focus on time criticality and elevates the definition of critical functions to a strategic management task. Similar to the role of the risk inventory in risk management, the derivation of such functions from the business model becomes the central basis of a consistent third-party risk management regime (see Igl [2025]).

As Land and Kleinknecht-Dennart [2025] point out, the EBA’s new guidelines aim to largely harmonize third-party risk management in the European banking sector. While all ICT services will in future be fully addressed within the framework of DORA ICT third-party risk management, the new EBA guidelines create a clear and independent framework for the procurement of non-ICT services from third parties. Parallel application of both sets of rules is expressly no longer envisaged. At the same time, the scope of application has been significantly expanded to cover almost all players in the banking sector, with the term “third-party arrangements” also being defined more broadly, in line with the international requirements of the FSB and BCBS.

Figure 1: Transition from the “old world” of outsourcing-centric implementation to an integrated “new world” of third-party risk management

Figure 1 illustrates this transition from the “old world” of outsourcing-centered implementation (with overlapping DORA requirements for ICT third-party services) to an integrated “new world” of third-party risk management. Despite the expansion in content, a deliberate continuity is maintained, for example by adopting the concept of critical or important functions and by merging the registers into a joint information register in the future.

Current challenges and solutions in the context of proportionality

The comparison of the existing national requirements and the new European regulations has far-reaching strategic implications for German banks. It is highly likely that a future amendment to MaRisk – in particular AT 9 – will adopt key content from the new EBA guidelines and integrate it into national supervisory law. This will be accompanied by a significant expansion of the current understanding of outsourcing, which in future will no longer be limited to clearly defined activities requiring a license, but will cover a broader range of third-party relationships.

In future, the initial differentiation between ICT and non-ICT services will be a key factor in risk management. The classification will determine whether the requirements of the DORA Regulation or the new EBA guidelines on third-party risk management are applied. The definitions and demarcation criteria specified by DORA are becoming increasingly relevant in practice, not least due to their ongoing clarification as part of EBA Q&As. Misclassifications at this early stage can have a significant impact on governance, processes and audit compliance.

In terms of content, the focus is shifting away from the individual service provider or contract towards the function it supports. In future, the decisive factor will be whether this function is to be classified as critical or important, with the assessment carried out in line with the business model. The identification of such functions is thus developing into a genuine management task, which must be the responsibility of the Management Board, consistently documented and regularly reviewed.

At the same time, the previously dominant legal categorization of outsourcing is becoming less important. The distinction between areas subject to licensing and those not subject to licensing is taking a back seat to a function-based, risk-oriented approach. The decisive factor is no longer the formal classification, but the inherent risk to the stability and resilience of the institution resulting from the dependency on the respective third party.

Finally, the new requirements call for a significant professionalization of management and reporting. Excel-based service provider directories and selective reports no longer meet the expectations of continuous third-party risk management. Integrated information registers, ongoing performance and risk monitoring, standardized reporting formats and reliable exit and substitution strategies are required. Particularly in light of the proportionality principle, this presents many institutions with the challenge of establishing appropriate yet sustainable solutions that meet the increased regulatory requirements without disproportionately increasing organizational complexity.

Conclusion

The new EBA guidelines in conjunction with the DORA Regulation mark a fundamental change in the third-party risk management of European financial institutions. They replace the historically evolved, strongly national outsourcing management and force a far-reaching reorganization of existing governance structures. For German institutions, the need for adjustment is not limited to processes, systems and documentation, but also concerns the strategic anchoring of the management of third-party risks as a whole (EBA [2025]).

The core of this new architecture is the clear differentiation between ICT and non-ICT service providers and the consistent alignment of risk assessment with the supported functions instead of contracts or formal outsourcing situations. As a result, MaRisk AT 9 will have to adapt its previous structure and logic in the future. For the institutions, this means a transition from a predominantly reactive organizational implementation to an integrated, risk-oriented and strategically controlled third-party risk management, which must be established as an integral part of overall bank management.

Sources

BaFin [2024]: Circular 06/2024 (BA) Minimum requirements for risk management – MaRisk.

EBA [2019]: Guidelines on Outsourcing Arrangements.

EBA [2025]: Draft Guidelines on third-party risk management with regard to non-ICT related Services.

Igl [2025]: Regulatory paradigm shift: from outsourcing to comprehensive third-party (risk) management – MaRisk AT 9 in transition through DORA and the EBA consultation on third-party risk management, in: WPg, issue 19.2025.

Land and Kleinknecht-Dennart [2025]: Developments in ICT third-party risk management, IT supervisory conference, 4 December 2025.

Regulation (EU) 2022/2554: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA).

Author

Prof. Dr. Andreas Igl

BDO-Stiftungsprofessor
TH Deggendorf