Navigating rising third-party risk demands

  • Insight
  • 4 minute read
  • April 20, 2026

Damien Carty

Director, PwC Ireland (Republic of)

What Irish firms should do now

For Irish financial services firms, third-party risk is moving into a new phase. The Central Bank of Ireland’s (CBI) 2021 outsourcing guidance remains the current domestic benchmark, but the European Banking Authority’s (EBA) 2025 consultation draft points to a broader model that reaches beyond traditional outsourcing and aligns more closely with the governance, lifecycle and documentation discipline established under DORA. For senior leaders, this is a prompt to strengthen oversight, clarify accountability and prepare for a more integrated approach to third-party risk.

Third-party risk is widening in scope

For many firms, third-party risk frameworks were built around a familiar question: does this arrangement meet the definition of outsourcing? That distinction is becoming less useful.

The more important question now is whether a third-party relationship could disrupt critical operations, weaken governance or create a resilience gap that boards and senior management cannot afford to ignore. That’s the direction signalled by the EBA’s consultation draft on the sound management of third-party risk. While the CBI’s Cross-Industry Guidance on Outsourcing remains the live Irish reference point, the draft EBA approach suggests a broader supervisory model for non-ICT arrangements, designed to sit alongside DORA rather than duplicate it.

For Irish firms, this matters for two reasons. First, it changes the perimeter of what may need to be governed. Second, it raises the standard of how those relationships are documented, assessed and overseen. In practice, that means firms should look beyond existing outsourcing registers and ask whether their wider third-party population is being managed with sufficient consistency, visibility and senior attention.

This is a governance challenge first

It’s tempting to treat the emerging change as a technical exercise in policy refresh, contractual remediation and register expansion. Those steps will matter, but the bigger issue is governance.

Under the current Irish framework, firms are already expected to manage outsourcing risk with clear board and senior management accountability. The EBA’s consultation draft points toward a more formal and integrated model for third-party risk oversight, including clearer named responsibility at senior level and stronger lifecycle controls across due diligence, contracting, monitoring, exit planning and internal assurance.

For senior audiences, that’s the real signal. The task isn’t simply to absorb another set of regulatory changes. It’s to decide whether your current governance model is built for a narrower outsourcing world or for a broader ecosystem of third-party dependencies.

That distinction matters because risk rarely arrives labelled. Operational disruption, control failure, poor service continuity, concentration exposure and weak contractual leverage can emerge from arrangements that may not historically have been treated as outsourcing. If firms continue to manage third-party exposure through fragmented ownership across legal, procurement, operations, risk and resilience teams, they may struggle to produce a coherent enterprise view when regulators ask how critical dependencies are identified, challenged and governed.

Criticality will need sharper judgement

One of the more useful features of the consultation draft is its attempt to bring greater consistency to the assessment of critical or important functions. That may reduce some of the ambiguity firms have experienced under earlier approaches, where criticality assessments could become overly subjective or unevenly applied across business areas.

But firms should not mistake greater consistency for lighter demands. If anything, the opposite may be true. A broader third-party perimeter means more relationships may need to be identified, classified and governed through a documented methodology that can stand up to challenge.

Senior leaders should therefore ask three practical questions:

  1. Do we have a methodology that’s understood and applied consistently across the business?
  2. Can we explain why certain arrangements are treated as critical or important and others are not?
  3. Can we trace those decisions through to our governance, monitoring, contractual standards and exit planning?

If the answer to any of those questions is unclear, the issue is not only methodology. It’s management information, accountability and decision-making discipline.

The implementation effort will be significant

The most immediate impact for many firms is likely to be operational. Existing outsourcing registers will no longer be enough. The consultation draft points toward a broader register of non-ICT third-party arrangements, with closer alignment to DORA-style documentation and greater detail in areas such as contractual structure, cost data and recovery-related information. The EBA has also signalled a two-year transition period for existing non-ICT arrangements once the updated framework is finalised.

Anyone who has worked through DORA implementation or outsourcing register remediation will recognise what that means in practice. This requires firms to identify the full population of relevant arrangements, resolve inconsistent data, engage with first-line owners, assess criticality, assess risks, review contracts, establish and test exit plans, and create governance that is sustainable after the initial uplift is complete. Such mobilisation exercises can be demanding, particularly where firms need a clearer view of end-to-end dependencies and supporting providers.

That’s why the firms that respond best are unlikely to be those that treat this as a late-stage compliance rush. They will be the ones that mobilise early, define ownership clearly and sequence the work in a way that balances regulatory readiness with operational realism.

Contracts and assurance will come into focus

Another implication of the draft direction is that firms may need to revisit contractual standards across a wider set of third-party relationships. If finalised broadly as proposed, the expectation would move beyond high-level written agreements for non-critical arrangements, toward greater specificity on service provision, data handling, monitoring, termination and other core control points. Internal audit follow-up is also given more explicit attention.

This matters because weak contracts and weak assurance usually surface at the wrong time: during service disruption, control failure or supervisory review. Senior leaders should not assume that long-standing arrangements are adequately documented simply because they are stable or commercially important. Many are not built for current resilience and oversight expectations.

The practical question is whether firms can evidence that contractual rights, monitoring mechanisms and remediation processes are strong enough to support active governance. Where they are not, repapering and control uplift can become a substantial multi-year task.

There’s an opportunity in the disruption

While this is a story about additional regulatory demands, it’s also an opportunity to simplify.

Many organisations still manage third-party risk through a patchwork of frameworks, committees, taxonomies and hand-offs that have grown over time. One team owns supplier onboarding. Another manages contracts. Another maintains registers. Another leads operational resilience. Another responds when an issue emerges. That fragmentation is costly, slow and often opaque.

The emerging direction of travel offers firms a reason to bring those moving parts together. A more integrated model can create better visibility over dependencies, reduce duplication between non-ICT and ICT oversight, and strengthen resilience by linking third-party governance more directly to critical business services, operational risk and internal assurance. That’s consistent with the broader direction already visible in Irish and EU resilience regulation, including DORA.

For senior leaders, then, the most useful response is not to ask how little needs to change. It’s to ask what a joined-up, future-ready third-party risk framework should look like — and whether the current model can get there.

Key actions businesses can take today

1. Set the tone from the top
Treat third-party risk as a governance issue, not just a compliance workstream. Clarify senior ownership now, confirm who is accountable for oversight across the full third-party lifecycle, and test whether current committees and reporting provide a clear enterprise view.

2. Map the wider third-party population
Don’t rely solely on existing outsourcing registers. Start identifying the broader universe of relevant non-ICT third-party arrangements, the business services they support, and where data, ownership or classification gaps are likely to slow mobilisation later.

3. Revisit your criticality methodology
Review how critical or important functions are defined and applied across the business. The goal is a methodology that’s consistent, practical and defensible — and that links directly to governance, monitoring, contractual standards and exit planning.

4. Plan the uplift as a programme
Assume this will require more than a policy refresh. Build a phased roadmap covering policy, registers, governance and the entire third-party risk management lifecycle. Firms that mobilise early will be better placed to manage the effort in a controlled way.

We’re here to help you

Third-party risk is becoming broader, more connected, and more operationally demanding. We work with financial services firms to strengthen governance, assess frameworks, design practical implementation roadmaps, and align third-party risk management with wider resilience and regulatory expectations. If you would like to discuss how these developments could affect your organisation, contact us today.
