These proposed guidelines update the 2019 EBA Guidelines on Outsourcing to align with the Digital Operational Resilience Act (DORA). Key aspects include:
◾ Risk Management Framework: Financial entities must assess, monitor and mitigate risks throughout the third-party arrangement lifecycle, including due diligence, contractual phases and exit strategies.
◾ Proportionality Principle: The guidelines provide specific criteria for applying proportionality, limiting documentation burdens on financial entities and authorities.
◾ Consistency with DORA: A single register can be used for both ICT and non-ICT services, streamlining information storage and reducing administrative burdens.
◾ Transition Period: Financial entities have two years to review and amend existing arrangements and update their registers.
The consultation runs until October 8, 2025, allowing stakeholders to provide feedback on the draft guidelines.
The AMRAE study describes 2024 as a positive year for the cyber insurance market, with rising but manageable claim numbers. There's a notable increase in cyber insurance uptake, especially among intermediate and medium-sized businesses, suggesting broader market penetration.
For the first time in five years, premium volume dropped slightly, with an average 18% reduction in annual premium rates for large companies and declining deductibles, indicating increased market flexibility.
However, the report identifies emerging concerns. Claims and payouts for large companies are increasing significantly. Also, a slight capacity increase is not commensurate with rate decreases, suggesting large companies may have reduced budgets more than they've expanded capacity. The study emphasizes the continued importance of accurate cyber risk exposure measurement given geopolitical tensions and new attack vectors.
Financial institutions are increasingly dependent on third-party service providers (TPSPs), raising concerns about systemic risks due to limited transparency. While the EU and U.K. have introduced formal oversight regimes, the U.S. relies on industry cooperation and micro-prudential supervision. A recent case study highlights financial stability risks from a payments disruption linked to a TPSP. As rapid technological change reshapes the financial sector, vulnerabilities from TPSP concentration and interconnectedness may grow. Greater understanding is needed to assess these risks and inform potential oversight responses.