January 13, 2022

EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Security & Compliance

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.

The EBA guidelines on outsourcing arrangements came into effect on 31st December 2021. The guidelines are made to regulate the way businesses purchase and handle outsourced software (i.e Salesforce or the CRM you use).

These guidelines mean that companies like yours need to make sure outsourcing arrangements are properly managed and implement risk management and compliance processes to handle the cloud software you use, as well as a variety of other outsourced services.

Although all outsourced software require compliance checks, there are certain types of software that will require deeper diligence, specifically the ones that meet the definition of “critical or important” under MiFID II.

Let’s have a look and be sure to check out our eBook on the topic for a deeper dive!

When Was the European Banking Authority (EBA) Deadline?

The EBA deadline was issued in February 2019 and entered into force in September 2019. The hard deadline for compliance occurred on 31 December 2021.

Any contracts with cloud software providers that entered, reviewed, or were amended after 30 September 2019 must comply with the guidelines, and all existing cloud software vendors needed to be reviewed by 31 December 2021.

Who Needs to Comply?

If you’re reading this, it’s probably because compliance is on your mind. If not, we admire your passion for compliance!

Either way, here’s a rundown of all financial institutions that must fully comply with the new regulation:

  • Banks
  • Payment institutions, including Authorised Payment Institutions (API) and Payment Initiation Service Providers (PISP)
  • Electronic money institutions
  • Investment firms, subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)

The most common licenses used by fintech startups are e-money Licenses, PISPs or APIs, either directly through licenses they hold, or indirectly through Agent relationships with directly licensed partners and therefore fall within the scope of the regulatory guidelines.

EBA Guidelines for UK-Based Companies

Even though every regulated entity in the UK will need to comply with these guidelines, we recommend checking with your local regulator. Here are the regulations according to FCA and PRA:

  • For those regulated by the Financial Conduct Authority (FCA). The FCA publicly re-affirmed that regulated entities in the UK must meet the EBA’s hard deadline at the end of 2021, despite Brexit and the pandemic. As a law firm covering the matter noted, the FCA confirmed that they had “notified the EBA that we will comply with the guidelines”, including “the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019.”
  • For those regulated by the Prudential Regulation Authority (PRA). The PRA publicly pushed the deadline to comply with the Guidelines from December 2021 to March 2022 stating “the disruption and reprioritization caused by the COVID-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area.”

How to Classify Your Existing Software Stack 

The European Banking Authority's (EBA) outsourcing requirements have significantly enhanced third-party control regarding cloud providers.

An outsourced service is considered critical or important when the failure of the technology in question results in a disruption to your business, a failure to provide your services or the inability to support your customers.

Your first task should be to classify all your cloud software stack into two groups:

1) Critical or important

2) Non-critical or important

This will tell you which software requires greater diligence checks. But how do you find out what software is “critical or important” to my business?

First of all, to classify all your cloud software stack, you need 100% visibility over what software you have, so important tools are not excluded from your classification

In other words, if the failure of the technology in question results in a disruption to your business, and in a failure to provide your services or the inability to support your customers, it may be considered as “critical or important”.

Let’s look at an example. If you are a neobank, these are some of the tools that you might want to consider as “critical or important” such as:

  • Your CRM (i.e. Salesforce, Pipedrive)
  • Your customer support software (i.e. Zendesk)
  • Your single session and user authentication service or SSO (i.e. Okta) 
  • Your PEPs and sanctions screening tool (i.e. ComplyAdvantage)

On the other hand, it’s likely that your analytics (i.e. Google Analytics) or your internal communications (Slack) software would not be regarded as critical or important.

Software application considered “critical or important” varies on your business. The EBA guidelines apply to all of your cloud software and you will need to run a compliance process for all of your SaaS, and remember that certain types of SaaS will require deeper diligence. 

EBA Guidelines for Outsource Arrangements eBook

Download our eBook to find out more about EBA guidelines for outsourcing arrangements and learn how to organically embed compliance in your company’s processes.



The software management solution for finance teams.

Learn more

Subscribe to our newsletter

Receive the latest insights in your inbox

Share this post

Subscribe to our newsletter and stay informed on the latest SaaS insights

Explore more

Explore more

9 Shadow IT Risks (And How to Avoid Them)

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.
Read more

IT Governance Framework: A Guide for Enterprise Companies

IT governance is a formal way to integrate an IT strategy into an organization's business strategy. In this post, we’ll cover everything you need to know about it.
Read more

How To Protect Your Business From Toll Fraud

Business fraud can take many forms. Learn what toll fraud is and how you can protect your business with Cledara.
Read more

Process Documentation for Startups: How To Get Started + Best Tools

Documenting processes can help you optimize your workflow and reduce the growing pains of scaling your startup. Here's how to get started.
Read more

Password Management Tips for SOC 2 Compliance

The right tools will help your company pass through a SOC 2 audit with ease.
Read more

Why SaaS Management Will Help You Achieve the ISO 27001 Certification

How a proactive approach to understanding and controlling your software subscriptions can ease your road to ISO 27001 compliance
Read more

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.
Read more

2020 GDPR Fines on the Rise

How one chat bot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate.
Read more

SaaSOps: Your IT Team's Latest Security Challenge

COVID has accelerated migration to the cloud. And has also exposed the security of your IT structure like never before. We give you seven tips for IT professionals to tackle these new challenges.
Read more

New EBA Outsourcing Guidelines: What SaaS is Considered Critical or Important?

We dig into the jargon behind the regulation to help you understand what needs to be done with your SaaS
Read more

The Way Fintech Startups Buy SaaS is About to Change Forever

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.
Read more

GDPR Fines and Lessons for Startups

GDPR fines are getting larger and more frequent. An average fine is now more than $500,000, making a GDPR fine equivalent to a whole seed round!
Read more