
Third-party risks: ESMA steps in

05 Aug 2025

By George Wood,  Compliance Director

On 12 June 2025, the European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, published new principles on third-party risk supervision to support a common and effective EU-wide supervisory culture related to service provider and vendor outsourcing.

Overview of the new principles

The third-party risk supervision principles apply to EU regulated entities that utilise external service providers and vendors for various functions including fund accounting, AML/KYC, IT and data management, software as a service (SaaS) and other operational functions.

In many ways, the regulatory landscape has experienced a complete swing of the pendulum. 25 years ago, we “insourced” staff expertise, built our own applications and managed our own castles and fortresses to protect data. Today, firms are more agile, engaging third-party service providers and experts to manage a variety of functions. While the benefits of outsourcing and utilising SaaS solutions are well established, this approach creates risks ranging from vendor expertise and financial health to regulatory compliance and data protection.

ESMA’s 14 principles aim to create a “financial service” framework for EU regulated firms operating in securities markets to address these third-party risks systematically.

The four categories of principles

ESMA has grouped the 14 principles into four categories:

  1. Supervisory overview: The first principle requires each local EU regulator to adopt appropriate governance and risk frameworks that identify and manage third-party risks.
  2. Supervised entity: Principles 2 through 6 establish governance and oversight requirements to ensure that independent decision-making remains with the regulated entity, that there is board and executive oversight of vendor risk, and that a risk assessment is conducted for each outsourcing arrangement.
  3. Relation with third parties: Principles 7 to 9 set out due diligence requirements for onboarding new service providers and vendors, require that contractual relationships and service level agreements (SLAs) be established, and require that vendor and service provider relationships be monitored on an ongoing, regular basis.
  4. Specific risks and issues: Principles 10 to 14 identify and address specific risks related to the location of the service provider or vendor, intra-group arrangements, a vendor or service provider’s reliance on sub-contracting, reliance on third parties for internal audit controls, and third-party access and data right controls.

What firms should be doing now

The publication of the principles, following DORA and GDPR implementation, demonstrates that third-party risk supervision remains a key regulatory priority. As organisations become increasingly dependent on external service providers and vendors, the regulatory expectation is clear: firms must have robust frameworks in place.

A comprehensive vendor due diligence and ongoing monitoring programme has become essential for regulatory compliance. Such programmes also provide early warning systems for operational, financial and business continuity risks that could impact service delivery.

How we can help

As the GDPR data controller, the regulated firm bears ultimate responsibility for all data hosted, stored or accessed by a service provider or vendor. A firm’s senior management and compliance officer should establish controls that demonstrate to stakeholders, including regulators, the measures taken to ensure that vendors have adequate procedures and controls in place.

We offer service provider and vendor due diligence reviews, providing compliance officers with written reports that integrate into their compliance monitoring and satisfy regulatory requirements in the UK, EU, U.S. and Asia. Find out more about our vendor due diligence report production and delivery here.

For questions about ESMA’s principles for third-party risk supervision and how they may impact your business, or if you’d like to learn more about the support available from our expert Regulatory and Compliance team, contact us today.
