ABBL calls for a DORA-aligned and proportionate framework for third-party risk management

Supporting harmonisation while avoiding complexity

While welcoming the EBA’s objective of harmonising third-party risk management (TPRM) across the EU, the ABBL warns that the current draft risks creating new layers of complexity. By blending the recently implemented Digital Operational Resilience Act (DORA) with elements of the 2019 Outsourcing Guidelines, the proposed “hybrid” approach could result in overlapping obligations, inconsistent supervision and additional compliance burdens for financial institutions.

The ABBL therefore calls for full alignment with DORA and the removal of legacy provisions that extend beyond its requirements. The Guidelines should remain risk-based and proportionate, focusing on material risks and critical or important functions (CIFs).

Key proposals from the ABBL

In its response, the ABBL makes several concrete recommendations to ensure a pragmatic and effective framework:

• Allow remediation of existing contracts at their next renewal rather than within a fixed two-year period.
• Simplify and harmonise terminology around “function”, “service” and “arrangement” to align with DORA definitions.
• Ensure flexibility and consistency in third-party registers, avoiding duplication with DORA reporting requirements.
• Limit enhanced due diligence and subcontracting oversight to material providers supporting CIFs.