Nicholas Blake-Knox
Partner
Ireland
key takeaways
On 12 June 2025, the European Securities and Markets Authority (ESMA) published its principles on third-party risk supervision (Principles) which are designed to assist supervisory authorities including national competent authorities (NCAs) to identify, assess and supervise the third-party risks of EU entities operating across the financial services industry.
ESMA's framework details 14 Principles on third-party risks across four areas, which are designed to provide a common supervisory basis for ESMA and NCAs to promote a consistent and streamlined approach to regulation, and to ensure a level playing field across the EU. The Principles were developed to address the growing risks observed over recent years in the use of outsourcing, delegation or reliance on other types of third-party services by supervised firms.
ESMA notes the Principles have taken into account and are consistent with established international standards of the International Organization of Securities Commissions, the Financial Stability Board and the Basel Committee on Banking Supervision. In addition, the Principles have considered and are aligned with the third-party risk management requirements of the Digital Operational Resilience Act (DORA). Accordingly, the management of information and communication technology (ICT) risk and the use of third-party service providers to provide ICT services under DORA are outside the scope of the Principles.
The Principles apply to all types of third-party arrangements, whether the third-party belongs to the same group or not, is located in the EU or in a third-country, and independently from the underlying technology that might be used to provide the service.
The main focus of the Principles is on critical activities and the use of third-party services for such critical activities; however, ESMA highlights that using third-party services for non-critical activities may also create substantial risks.
The single principle under this heading is focused on ensuring that supervisory authorities effectively supervise entities' exposure to third-party risks throughout the supervisory cycle, promoting appropriate governance and risk frameworks, so that the use of third-party service providers does not impair the depth or effectiveness of supervision by supervisory authorities. Supervisory authorities are recommended to assess third-party risks when an entity requests an authorisation or registration to operate and as part of their ongoing supervision methodologies, including in their desk-based and on-site supervisory activities.
The principles on the supervised entity focus on the role of the supervised entity itself regarding good governance within the entity with oversight by management of third-party risks, ensuring sufficient corporate substance remains with the supervised entity (that it does not become an 'empty shell'), ensuring that third-party risks are embedded within the overall risk management framework, as well as the conduct of risk assessments preceding the decision to enter into the third-party arrangements.
The principles on the relation with the third-party focus on the relationship between a supervised entity and a third-party: conducting due diligence before entering a third-party arrangement, and ensuring that arrangements with third parties are documented in written agreements with clearly defined entity-level service level agreements (SLAs). ESMA expects that such third-party arrangements are effectively monitored by the supervised entity, with regular reviews of written agreements and SLAs.
The final set of principles highlights specific risks and issues which supervisory authorities should ensure are being considered as part of the risk assessment, due diligence, decision-making and monitoring processes of the supervised entity.
These specific risks and issues include:
The supervisory objective of each of the 14 Principles, as well as the main risks which each Principle seeks to address, include:
The Principles, which are non-binding, are designed to fit into supervisory authorities' risk-based, data-driven and outcome-focused supervisory approaches. Supervisory authorities are directed to apply the Principles in a proportionate manner, having regard to the size and overall risk profile of the entities, the nature, scale and complexity of their services, activities, products and operations, and the potential effects on investor protection, financial stability and orderly markets.
Following DORA implementation across the EU, ESMA's latest guidance will see a continuing supervisory focus on broader third-party risks across the financial services industry. ESMA intends to support the progressive implementation of the Principles through supervisory discussions and case studies among NCAs.
If you have any queries on the content of this advisory and/or the impact that it may have on you and your business, please speak to your usual contact in Walkers or connect with our team below.