Outsourcing Management

Outsourcing management under the EBA outsourcing guidelines is the systematic governance of all outsourced activities and processes at a financial institution. The EBA requires a risk analysis before every outsourcing decision, classification into material and non-material outsourcing, appointment of a central outsourcing officer, and maintenance of a comprehensive outsourcing register. The goal is to retain full control and regulatory accountability despite outsourcing arrangements.

Material outsourcing (also called critical or important outsourcing) occurs when the outsourced activity is of significant importance for banking operations, financial services, or other institution-typical functions. Classification is based on a risk analysis considering factors such as criticality for business operations, substitutability of the service provider, and impact on the risk profile. Material outsourcing arrangements are subject to enhanced requirements for contracts, governance, and regulatory notification.

The central outsourcing officer consolidates the governance and monitoring of all outsourcing risks across the institution. They must be positioned in an organizational unit that reports directly to senior management. Responsibilities include coordinating risk analyses, maintaining the outsourcing register, ongoing monitoring of service providers, and reporting to the management board. MaRisk 6.0 explicitly established this role, and the EBA guidelines reinforce it across all EU financial institutions.

DORA (Digital Operational Resilience Act, Art. 28‑44) introduces dedicated rules for ICT third-party risk management. From 2025, banks must separate ICT third-party providers (governed by DORA with specific contracts, risk assessments, resilience testing, and an EU-wide register of information) from non-ICT service providers (governed by EBA/MaRisk outsourcing rules). The EBA is updating its outsourcing guidelines for non-ICT services, expected April 2026, extending similar principles to all third-party arrangements.

An outsourcing register is a central documentation of all outsourcing arrangements at a financial institution. Mandatory contents include: contract parameters, estimated costs and budgets (updated annually), information, audit and access rights for material outsourcing, classification as material or non-material, risk analysis results, and exit strategy details. The register must be available to regulators on request and is subject to annual review and update.

The EBA outsourcing guidelines provide the general framework for managing outsourcing risks at financial institutions, covering all types of outsourcing. DORA specifically regulates ICT third-party risks with requirements for digital operational resilience, including ICT risk management, resilience testing, and an EU-wide information register. Going forward, ICT arrangements fall under DORA exclusively, while the EBA is extending its guidelines to cover all non-ICT third-party arrangements beyond traditional outsourcing.

ADVISORI supports banks and financial institutions across the entire outsourcing management lifecycle: from developing outsourcing policies and strategies, through conducting risk analyses and due diligence assessments, to implementing the outsourcing register and ongoing vendor governance. We ensure compliance with EBA outsourcing guidelines, DORA, MaRisk AT 9, and BAIT, and prepare you for regulatory examinations. Our health check identifies gaps in existing outsourcing structures.