EPIF submitted its response to the EBA’s public consultation on its Draft Guidelines on third-party risk management with regard to non-ICT related services.

While EPIF welcomes the EBA’s objective to enhance supervisory transparency and convergence for non‑ICT third‑party arrangements, we recommend four refinements to improve proportionality and efficiency for both supervisors and in-scope entities:

• Registry vs. notification obligations
Maintain the Section 10 documentation principle and rely on periodic registry submissions (plus targeted supervisory engagement), avoiding systematic ad‑hoc notifications for relevant arrangements.

• Section 4 clarity
Make the criteria for “material impairment” more explicit and provide illustrative consequences, together with examples of critical functions to promote harmonized classification.

• Scope delineation
Include an illustrative list of out‑of‑scope services and conduct a supervisor‑led consultation to publish a non‑binding taxonomy of typically non‑critical, non‑ICT categories.

• Additional guidance on subcontracting and ICT dependencies
We recommend the EBA clarify what in-scope entities can reasonably require from third-party providers regarding subcontractor oversight. Guidance is also needed on managing cases where a non-ICT vendor relies on an ICT subcontractor. Considering the possible convergence between the non-ICT framework and DORA, there is a need to seek proportionate solutions.