The regulatory landscape for Third-Party Risk Management (TPRM) is undergoing a fundamental transformation. With the new EBA Guideline, the DORA Regulation, and the anticipated revision of MaRisk, financial institutions are required to strategically realign their outsourcing and risk governance practices. The Deggendorf Note 2025/06 delivers a thorough analysis of this shift and leaves no doubt: Excel spreadsheets and siloed solutions are no longer sufficient.
The foundation of the Deggendorf Note 2025/06 by Prof. Dr. Andreas Igl is the Consultation Paper published by the European Banking Authority (EBA) in July 2025. This document is the first to clearly outline the comprehensive regulatory requirements for managing risks arising from non-ICT third-party arrangements, and it directly complements the DORA Regulation (EU 2022/2554), which came into force in January 2025. In combination with the existing MaRisk AT 9 framework in Germany, this creates substantial implications for third-party and outsourcing governance in the financial sector.
A three-pillar regulatory model: EBA guideline, DORA and MaRisk
With the publication of the new EBA Guideline on the management of third-party risks (non-ICT) and the now fully applicable DORA Regulation, for the first time there is a clearly structured European framework for TPRM.
- DORA targets ICT third-party providers and their resilience.
- The EBA Guideline focuses on non-ICT third-party providers, particularly when delivering critical or important functions.
- The German MaRisk AT 9, long used as a national standard, will likely be revised in alignment with these European developments.
Key insight from the Deggendorf Note: Managing outsourcing only from an operational or administrative perspective is no longer sufficient. Going forward, functional criticality will take centre stage — regardless of ICT involvement or contractual formalities.
The first strategic decision: ICT or non-ICT?
According to the Deggendorf Note, the distinction between ICT and non-ICT services will now be the initial decision point in any third-party risk assessment. This classification determines:
- which regulatory framework applies (DORA vs. EBA Guideline),
- how third parties must be assessed and documented,
- and which monitoring, governance, and reporting obligations arise.
This distinction requires robust governance structures that enable risk-based classification across the entire organisation. The responsibility increasingly lies at the executive level, as identifying critical functions has now become a strategic task.
From outsourcing to function-based risk: TPRM becomes strategic
A paradigm shift is taking place: The legal concept of outsourcing is no longer at the core — instead, the focus is now on the function being supported by the third party. This change has a significant impact on how risk is assessed and managed:
- Evaluation is function-based, not contract-based.
- Criticality is defined by the importance to the business model, not by time sensitivity or volume alone.
- The principle of proportionality allows tailored implementation, based on institution type and risk exposure.
Conclusion from the Deggendorf Note:
The traditional operational view must give way to a strategic and risk-oriented governance model for third-party risk.
Excel no longer enough: Stronger oversight and reporting required
The Deggendorf Note openly criticises the fact that many institutions continue to manage third-party relationships using Excel spreadsheets and fragmented documentation. This approach is no longer sufficient to meet the new regulatory expectations, which include:
Under DORA:
- A central ICT third-party register (Art. 28),
- Resilience testing and audits of ICT providers,
- Mandatory incident reporting to supervisors (Art. 19).
Under the EBA Guideline (non-ICT):
- Comprehensive contract requirements, including KPIs and audit rights,
- Emphasis on function-based risk assessment,
- Governance expectations that cover the entire third-party supply chain.
The message is clear: Institutions are strongly encouraged to professionalise and digitise their third-party risk management processes.
From regulation to implementation: Technology as enabler
Although the Deggendorf Note maintains a technology-neutral tone, its analysis implies a clear course of action:
Third-party risk governance must transition to structured, tool-supported systems. Only with such systems can institutions ensure transparency, auditability, traceability, and scalability.
Swiss GRC offers a modular TPRM solution that:
- Provides an integrated, centralised Third-Party Information Register,
- Supports risk-based classification and governance workflows,
- Enables consistent documentation and automated reporting.
Learn more about Swiss GRC’s TPRM Solution: Manage third-party risk securely and with confidence
A governance priority: TPRM as a core discipline
The Deggendorf Note 2025/06 clearly shows that managing third-party relationships is becoming a core governance competency in the financial industry.
The regulatory expectations from DORA, the new EBA Guideline, and upcoming revisions to MaRisk require organisations to completely rethink their outsourcing strategies — strategically, systematically, and risk-based.
Those who act now will not only strengthen their regulatory resilience, but also ensure their long-term digital and organisational viability.