{"id":1632,"date":"2025-08-05T08:40:14","date_gmt":"2025-08-05T08:40:14","guid":{"rendered":"https:\/\/iqeq.com\/gb\/insights\/third-party-risks-esma-steps-in\/"},"modified":"2025-08-08T13:42:26","modified_gmt":"2025-08-08T13:42:26","slug":"third-party-risks-esma-steps-in","status":"publish","type":"post","link":"https:\/\/iqeq.com\/gb\/insights\/third-party-risks-esma-steps-in\/","title":{"rendered":"Third-party risks: ESMA steps in"},"content":{"rendered":"<section class=\"text-block standard-spacing  \">    <div class=\"container fade-in\">\n        <p><em>By George Wood,\u00a0 Compliance Director<\/em><\/p>\n<p><strong>On 12 June 2025, the European Securities and Markets Authority (ESMA), the EU\u2019s financial markets regulator and supervisor, published new principles on third-party risk supervision to support a common and effective EU-wide supervisory culture related to service provider and vendor outsourcing.<\/strong><\/p>\n<h2>Overview of the new principles<\/h2>\n<p>The third-party risk supervision principles apply to EU regulated entities that utilise external service providers and vendors for various functions including fund accounting, AML\/KYC, IT and data management, software as a service (SaaS) and other operational functions.<\/p>\n<p>In many ways, the regulatory landscape has experienced a complete swing of the pendulum. 25 years ago, we \u201cinsourced\u201d staff expertise, built our own applications and managed our own castles and fortresses to protect data. Today, firms are more agile, engaging third-party service providers and experts to manage a variety of functions. 
While the benefits of outsourcing and utilising SaaS solutions are well established, this approach creates risks ranging from vendor expertise and financial health to regulatory compliance and data protection.<\/p>\n<p>ESMA&#8217;s 14 principles aim to create a &#8220;financial service&#8221; framework for EU regulated firms operating in securities markets to address these third-party risks systematically.<\/p>\n<h2>The four categories of principles<\/h2>\n<p>ESMA has grouped the 14 principles into four categories:<\/p>\n<ol>\n<li><strong>Supervisory overview<\/strong>: The first principle creates the requirement for each local EU regulator to adopt appropriate governance and risk frameworks that identify and manage third-party risks<\/li>\n<li><strong>Supervised entity<\/strong>: Principles 2 through 6 establish governance and oversight requirements to ensure independent decision-making remains with the regulated entity, that there is board and executive oversight of vendor risk and that a risk assessment be conducted in relation to an outsourcing arrangement<\/li>\n<li><strong>Relation with third parties<\/strong>: Principles 7 to 9 detail due diligence requirements related to onboarding new service providers and vendors, requiring that contractual relationships and service level agreements (SLAs) be established, and that the ongoing monitoring of vendor and service provider relationships be conducted on a regular basis<\/li>\n<li><strong>Specific risks and issues<\/strong>: Principles 10 to 14 identify and address specific risks related to the third-party location of the service provider or vendor, intra-group arrangements, a vendor or service provider\u2019s reliance on sub-contracting, reliance on third parties for internal audit controls, and third-party access and data right controls<\/li>\n<\/ol>\n<h2>What firms should be doing now<\/h2>\n<p>The publication of the principles, following DORA and GDPR implementation, demonstrates that third-party risk 
supervision remains a key regulatory priority. As organisations become increasingly dependent on external service providers and vendors, the regulatory expectation is clear: firms must have robust frameworks in place.<\/p>\n<p>A comprehensive vendor due diligence and ongoing monitoring programme has become essential for regulatory compliance. Such programmes also provide early warning systems for operational, financial and business continuity risks that could impact service delivery.<\/p>\n<h2>How we can help<\/h2>\n<p>As the GDPR data controller, the regulated firm bears ultimate responsibility for all data hosted, stored or accessed by a service provider or vendor. A firm\u2019s senior management and compliance officer should establish controls that demonstrate to stakeholders, including regulators, the measures taken to ensure vendors have adequate procedures and controls in place.<\/p>\n<p>We offer service provider and vendor due diligence reviews, providing compliance officers with written reports that integrate into their compliance monitoring and satisfy regulatory requirements in the UK, EU, U.S. and Asia. 
Find out more about our vendor due diligence report production and delivery <a href=\"https:\/\/iqeq.com\/wp-content\/uploads\/2025\/04\/9612_VendorDueDiligenceReviews_Factsheet.pdf\">here<\/a>.<\/p>\n<p>For questions about ESMA\u2019s principles for third-party risk supervision and how they may impact your business, or if you\u2019d like to learn more about the support available from our expert Regulatory and Compliance team, <a href=\"https:\/\/iqeq.com\/gb\/locations\/united-kingdom\/#contact-us\">contact us today<\/a>.<\/p>\n            <\/div>\n<\/section>","protected":false},"excerpt":{"rendered":"","protected":false},"author":51,"featured_media":1633,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[1],"tags":[],"expertise":[16],"service_category":[],"class_list":["post-1632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"_links":{"self":[{"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/posts\/1632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/comments?post=1632"}],"version-history":[{"count":1,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/posts\/1632\/revisions"}],"predecessor-version":[{"id":1638,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/posts\/1632\/revisions\/1638"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/media\/1633"}],"wp:attachment":[{"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/media?parent=1632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/categories?post=1632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/tags?post=1632"},{"taxonomy":"expertise","embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/expertise?post=1632"},{"taxonomy":"service_category","embeddable":true,"href":"https:\/\/iqeq.com\/gb\/wp-json\/wp\/v2\/service_category?post=1632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}