Key points for your legal teams on the new proposed draft EBA Guidelines

On the management of non-ICT outsourcing risk

What’s this about?

The European Banking Authority (EBA) has published a consultation on the sound management of non-ICT third-party risk, i.e. outsourcing risk, which once finalised will replace the existing EBA outsourcing guidelines.

Our Head of Risk and Financial Crime, Ben Cooper, says:

“If your firm operates in the European Economic Area, this consultation is significant. Once finalised, the new guidelines will require a full legal and compliance review of how you manage outsourcing.”

Legal scope and applicability
  • Applies to credit institutions, investment firms, payment and e-money institutions, and MiCAR authorised issuers
  • Covers non-ICT third-party arrangements; ICT services are governed by the Digital Operational Resilience Act (DORA)
Contractual requirements
  • Clear allocation of responsibilities
  • Audit and access rights for the financial entity and competent authorities
  • Termination rights, including for breach or regulatory concerns
  • Subcontracting clauses:
    • Prior notification or approval
    • Flow-down of key obligations
  • Exit strategy provisions to ensure continuity
Risk and liability considerations
  • Firms retain full responsibility for outsourced functions
  • Contracts must not dilute accountability or create “empty shell” institutions.
  • Third-country providers require enforceability of audit and access rights and data protection compliance.
Documentation and disclosure
  • Maintain a comprehensive register of all third-party arrangements, recording:
    • Legal entity details
    • Contractual terms
    • Subcontracting chains
    • Criticality assessments

Critical or important functions
  • Legal must help define and document critical functions based on:
    • Financial impact
    • Regulatory compliance
    • Service continuity
Regulatory interface
  • Support compliance and risk teams in supervisory reviews.
  • Demonstrate contractual enforceability and governance mechanisms.
Implementation timeline
  • Consultation ends: 8 October 2025
  • Final guidelines: Expected late 2025 or early 2026
  • Transitional period: 2 years
Legal risk checklist

Contractual Clarity:

  • Scope of services is clearly defined.
  • Roles and responsibilities are unambiguous.
  • SLAs/KPIs are enforceable.
  • Governing law and jurisdiction are specified.

Confidentiality & Data Protection:

  • Confidentiality clauses cover sensitive data.
  • Data processing terms comply with General Data Protection Regulation (GDPR).
  • Cross-border data transfer mechanisms are in place.
  • Breach notification procedures are defined.

Intellectual Property:

  • IP ownership is clearly allocated.
  • Licensing terms are defined.
  • Post-termination IP handling is addressed.

Termination & Exit Strategy:

  • Termination rights include breach and regulatory triggers.
  • Exit strategy is documented and supported.
  • Transition assistance and data return are included.

Subcontracting:

  • Subcontracting requires prior consent.
  • Flow-down of obligations is mandated.
  • Subcontractor compliance is monitored.

Audit & Access Rights:

  • Audit rights over provider and subcontractors.
  • Regulator access rights are included.
  • Audit scope and frequency are defined.

Third-Country Risk:

  • Enforceability of terms in third countries is assessed.
  • Local laws align with EU requirements.
  • Data protection and access rights are preserved.

Regulatory Compliance:

  • Contract aligns with EBA, DORA, GDPR.
  • Provider obligations support compliance.
  • Arrangement avoids “letter-box” status.

Documentation & Record-Keeping:

  • Contracts and amendments are archived.
  • Third-party register is updated.
  • Legal risk assessments are documented.

At a glance...

Publication link

Consultation Paper on EBA Draft Guidelines on the sound management of third-party risk

Published date

8 July 2025

Who has published it?

European Banking Authority

Publication type

Consultation paper

Any key dates?

  • Consultation ends: 8 October 2025

  • Implementation: Date TBD

  • Transitional period: 2 years for existing arrangements

What's it relevant to?

  • Outsourcing

  • EBA outsourcing guidelines

  • Third party risk management


This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published
23 Jul 2025