Member Collaboration Hub

Join the ALFICommunity

Navigation

ALFI responds to EBA consultation on the draft guidelines for sound management of third-party risk

8 October 2025 | Statements and Position Papers  

ALFI responds to EBA consultation on the draft guidelines for sound management of third-party risk.

On 8 October 2025, ALFI responded to the European Banking Authority (EBA) consultation on the draft Guidelines on the sound management of third-party risk. ALFI, responding from the perspective of investment fund managers and fund management companies, provided comments, proposed alignments between regulatory requirements and clarifications, and raised certain concerns to be considered as the views of the Luxembourg investment fund industry, particularly in the segment focused on cross-border distribution within the European Union and globally.

The main advocacy points in ALFI’s response to the consultation are as follows:

  • Scope of the Guidelines – Investment fund managers (IFMs):
    Uncertainty remains regarding the inclusion of IFMs in the Guidelines, both at individual entity level and at consolidated level. Clarification is needed on the criteria that define the scope of these Guidelines, in order to avoid diverging interpretations of the position of IFMs and the risk of regulatory arbitrage across the Union. Furthermore, we support joint advocacy with other industry associations in the EU and EFAMA, in favour of a full exclusion of Class 2 investment firms from the scope, as these entities are neither systemically relevant nor part of the banking sector. In our view, IFMs are already subject to robust regulatory frameworks, including the UCITS and AIFMD directives, as well as sector-specific rules that clearly set out requirements for managing outsourcing-related risks. These existing measures already provide a comprehensive approach to operational resilience without the need for additional layers of regulation.

 

  • Scope of the Guidelines – Third-party service providers (TPSPs):
    Concerns are raised regarding the expansion of the definition of TPSPs to cover all non-ICT third-party service providers, including subcontracting and delegation arrangements. In view of the potential overlap with existing regulatory requirements (e.g. AIFMD II and UCITS V) and their governance and oversight obligations, particular care is necessary to avoid diverging oversight requirements. In the same vein, we suggest that TPSPs which are themselves regulated financial entities subject to prudential supervision, as well as financial data providers, should be excluded from the scope. As part of upcoming simplifications to DORA and other regulatory requirements, we advise that TPSPs not supporting critical and important functions (CIFs) should be removed from the Register of Information provided to the National Competent Authorities (NCAs) and the European Supervisory Authorities (ESAs) (both under DORA and the present Guidelines), while remaining in the version of the register maintained at financial entity level.

 

  • Alignment with DORA:
    ALFI supports the initiative of the ESAs to streamline the risk management requirements under DORA and these Guidelines, as applied to ICT and non-ICT third-party service providers. To this end, we suggest further aligning the final Guidelines with DORA, in particular regarding:
  • the definition and criteria of critical and important functions (CIFs), based on the definition provided in DORA Regulation (EU) 2022/2554, Recital (70);
  • the Register of Information (ROI) format, fields, and submission timeline, to allow firms to maintain a single register of TPSPs across regulatory requirements;
  • pre-contractual requirements and onboarding processes with prospective TPSPs, which should be aligned with those in DORA, and the removal of any additional requirements beyond DORA;
  • the provision to maintain all terminated contracts for five years after termination, which should be removed as it is not included in the relevant DORA RTS;
  • the consistent integration of any upcoming simplifications in the relevant DORA Level 1 and 2 requirements into these Guidelines.
  • We also recommend establishing a formal process for regular reviews to ensure ongoing alignment with DORA amendments and simplifications, in order to maintain regulatory consistency over time.

View the ALFI response.

BACK