Test
This is a test page.
Relevant Regulatory Texts
| Scope | Regulatory text / guidance | Issuer | Status | Relevance for third-party risk management | Link |
|---|---|---|---|---|---|
| International | Principles for the Sound Management of Third-Party Risk | Basel Committee on Banking Supervision | Supervisory principles | Global banking benchmark for third-party risk management. Covers lifecycle governance, concentration, subcontracting and resilience. | BIS / BCBS |
| International | Enhancing Third-Party Risk Management and Oversight: A Toolkit for Financial Institutions and Financial Authorities | Financial Stability Board | Toolkit / supervisory reference | Practical toolkit for financial institutions and authorities to improve oversight of third-party dependencies and reduce supervisory fragmentation. | FSB |
| International | Principles on Outsourcing | IOSCO | Supervisory principles | Relevant for securities firms, market intermediaries, trading venues and asset-management contexts. Covers outsourcing governance, due diligence, contracts, confidentiality, continuity, access and audit rights. | IOSCO |
| International | Principles for Financial Market Infrastructures — PFMI | CPMI-IOSCO | International standard | Relevant for payment systems, CCPs, CSDs, securities settlement systems and trade repositories. Includes expectations relevant to outsourced operations and critical service dependencies. | BIS / IOSCO |
| International | Principles for Operational Resilience | Basel Committee on Banking Supervision | Supervisory principles | Not TPRM-specific, but important for mapping critical operations, third-party dependencies, disruption tolerance and recovery capabilities. | BIS / BCBS |
| EU | Regulation (EU) 2022/2554 — Digital Operational Resilience Act, DORA | European Union | Binding regulation | Core EU framework for ICT third-party risk management. Covers ICT contracts, information registers, concentration risk, oversight of critical ICT third-party providers and ICT-related operational resilience. | EUR-Lex |
| EU | DORA Delegated and Implementing Regulations / RTS / ITS | European Supervisory Authorities / European Commission | Binding technical standards once adopted | Detailed implementation layer under DORA, including ICT third-party contractual documentation, information registers, reporting and oversight mechanics. | European Commission DORA |
| EU | EBA Guidelines on Outsourcing Arrangements — EBA/GL/2019/02 | European Banking Authority | Guidelines | Key EU outsourcing framework for banks, payment institutions and e-money institutions. Covers outsourcing, critical or important functions, governance, risk assessment, outsourcing registers, due diligence, contractual controls, monitoring and exit planning. | EBA PDF |
| EU | EBA Guidelines on ICT and Security Risk Management — EBA/GL/2019/04 | European Banking Authority | Guidelines | Relevant to ICT governance, ICT operations, security and continuity. Partly superseded or complemented by DORA for in-scope financial entities. | EBA |
| EU | EIOPA Guidelines on Outsourcing to Cloud Service Providers | EIOPA | Guidelines / legacy relevance | Relevant for insurers’ cloud outsourcing. Post-DORA, applicability should be checked carefully because DORA is now the main EU ICT third-party risk framework for in-scope financial entities. | EIOPA |
| EU | ESMA Guidelines on Outsourcing to Cloud Service Providers | ESMA | Guidelines / legacy relevance | Relevant for investment firms, fund managers, trading venues and other ESMA-supervised sectors. Should be mapped against DORA for ICT/cloud arrangements. | ESMA PDF |
| Germany | MaRisk — Mindestanforderungen an das Risikomanagement, especially AT 9 Auslagerung | BaFin | Administrative guidance / circular | Main German banking risk-management text for outsourcing. Covers outsourcing risk analysis, materiality, governance, contracts, monitoring, termination and exit. | BaFin |
| Germany | BaFin DORA implementation guidance / supervisory statement on ICT risk management and ICT third-party risk management | BaFin | Supervisory guidance | Practical German implementation guidance for DORA Chapters II and V, including ICT risk management and ICT third-party risk management expectations. | BaFin PDF |
| Germany | KWG § 25a — Organisational duties of institutions | German Banking Act / BaFin supervisory basis | Binding statutory basis | Legal basis for adequate business organisation and risk management by German credit institutions; MaRisk is issued on the basis of § 25a KWG. | Gesetze im Internet |
| Germany | BAIT — Bankaufsichtliche Anforderungen an die IT | BaFin | Legacy / transitional relevance | Historically important for banking IT outsourcing and ICT risk controls. For DORA-scope entities, BAIT has been superseded or phased out to avoid overlap with DORA. | BaFin |
| Germany | VAIT / KAIT / ZAIT | BaFin | Legacy / sector-specific IT guidance | Former BaFin IT guidance for insurance undertakings, asset management companies and payment/e-money institutions. Relevant mainly for transition mapping to DORA and sector-specific residual obligations. | BaFin IT requirements overview |