KPMG Financial Risk & Regulation

New ESMA Principles on Managing Risks Related to Non-ICT Third-Party Service Providers

In June 2025, the European Securities and Markets Authority (ESMA) published a new set of 14 principles on the supervision of risks related to third parties[1]. This step is driven by the fact that in recent years, the risks financial institutions face due to outsourcing and external service providers have increased markedly. ESMA’s goal is to support a common and effective supervisory culture at the EU level that helps supervised financial entities understand and properly manage the risks arising from third-party engagements. These risks complement the expectations of the recently applicable DORA regulation, primarily concerning non-ICT service providers.

Below is a brief overview of the objectives of the new ESMA principles, how they complement DORA, and finally, why strengthening the supervision of third-party provider risks is important from a supervisory perspective, along with the practical steps financial institutions should consider.

Before turning to the ESMA material, let’s recall the main elements of the DORA (Digital Operational Resilience Act) regulation.
The regulation has created a unified framework to strengthen the digital operational resilience of the financial system and practically covers nearly all actors in the financial sector and their information and communication technology (ICT) providers. It establishes strict requirements for managing ICT risks and defending against cyberattacks, requiring institutions to assess, monitor, and mitigate risks across their entire supply chains – including external third-party providers. It also sets rules on reporting ICT security incidents, testing, and the supervision of ICT service providers deemed critical to financial institutions.

Objectives of the new ESMA principles

In June 2025, ESMA published its new supervisory principles for the management of third-party risks. The package of 14 principles aims to address the growing risks associated with outsourcing, activity transfers, and the use of external service providers in the financial sector. As soft law instruments, these principles are not legally binding and primarily support the consistent legal interpretation and development of good practices among national authorities supervising the investment services sector through a unified framework, taking into account existing international standards. According to ESMA, dialogue and case studies between national supervisors will help gradually integrate these principles into supervisory practice.

It is important to emphasize that the principles do not constitute direct legal obligations for financial institutions but rather serve as guidance for supervisory authorities – although it is still advisable for supervised institutions to familiarize themselves with them, as they help clarify supervisory expectations concerning third-party risk management. It should be kept in mind that ESMA guidelines and principles often appear as recommendations from the Hungarian National Bank (MNB) and are later enforced in local inspections.

How do the ESMA principles complement DORA?

The DORA regulation primarily focuses on managing risks related to digital (ICT) service providers. Critical ICT providers – such as cloud services or other technology partners – fall under DORA, and their supervision is regulated by the DORA framework.[2] The new ESMA principles complement this framework by covering all other types of third-party service relationships – for now, within the investment sector.The principles are explicitly applicable to any kind of outsourcing or third-party agreement, regardless of whether the external provider is part of the same corporate group, located within the EU or in a third country, or what kind of technology is used in service delivery.Although formally all third parties both ICT and non-ICT providers – fall within the scope of these principles, wherever specific EU regulations already exist for a particular third-party risk (e.g., DORA for ICT), those legal provisions take precedence over the ESMA principles. This means that in practice, the principles mainly apply to non-ICT providers – for example, outsourced accounting, administrative services, or subcontractors involved in business processes. Regarding ICT providers, the principles apply only to the extent that DORA does not regulate a specific issue.

In summary, the ESMA principles, taking into account and complementing the requirements of DORA, provide a broader supervisory perspective so that financial institutions implement proper risk management practices with all external partners – not only in the ICT domain.

From a supervisory perspective, the introduction of uniform principles is a key step.
Effective supervision and management of third-party risks contribute to the stability of the entire financial system and investor protection. If supervision is conducted based on similar principles across all Member States, it ensures consistency and minimizes the risk of certain institutions or countries lagging behind in adopting good practices.

Consider the following: if a financial institution outsources several critical tasks, then a failure or disruption at a third-party provider may not only disrupt that institution’s operations but also cause problems for multiple market actors, possibly across borders and countries. To prevent such systemic risks, supervisory authorities must understand where financial institutions are exposed to third-party risks and verify that these are being managed appropriately.

Summary of the principles

The 14 principles published by ESMA cover the full lifecycle of third-party risk management and mirror the requirements already familiar from outsourcing regulations and DORA. These include, among others, expectations that financial institutions: clearly define responsibilities, conduct preliminary risk assessments, conclude appropriate contracts (including audit and exit rights), and continuously monitor provider performance.

The principles extend to intra-group and third-country partners and aim to allow supervisors to transparently and proactively assess risks arising from external relationships.

The principles briefly cover the following key areas:

Responsibilities: management cannot outsource its legal accountability

Risk assessment: due diligence is mandatory before selecting a third party

Contractual safeguards: SLAs, audit rights, and exit options must be included

Ongoing monitoring: performance tracking and risk reassessment

Intra-group and outsourcing chains: no exemption from control requirements

Third countries: require specific risk management considerations

Supervisory access: access and audit rights must be guaranteed

These aim to ensure that supervisory authorities can consistently evaluate third-party risks even in non-IT service areas

Practical steps for financial institutions

With the release of the new principles, financial institutions should review their third-party risk management practices. In addition to complying with DORA, it is advisable to strengthen this area as well. The following practical steps are recommended for development or enhancement:

Reviewing the third-party risk management framework

Identifying external partners and classifying them by risk

Conducting due diligence and risk assessments before all new and existing partnerships

Establishing appropriate contractual terms

Ensuring continuous monitoring

These steps are largely embedded in business processes and control environments already due to sectoral outsourcing regulations and the MNB Recommendation 7/2020 on outsourcing[3]. For most institutions (especially banking groups), compliance is primarily a matter of fine-tuning and should not pose significant difficulty. Still, reviewing internal processes, regulations, and control environments based on the ESMA principles can provide sufficient assurance of readiness for compliance.

[1] ESMA publishes Principles for third-party risk supervision | MNB.hu
[2] ESMA42-1710566791-6103 Principles on third-party risks supervision
[3] 7-2020-kulso-szolgaltato-igenybevetele.pdf