By George Wood, Compliance Director
On 12 June 2025, the European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, published new principles on third-party risk supervision to support a common and effective EU-wide supervisory culture related to service provider and vendor outsourcing.
Overview of the new principles
The third-party risk supervision principles apply to EU regulated entities that utilise external service providers and vendors for various functions including fund accounting, AML/KYC, IT and data management, software as a service (SaaS) and other operational functions.
In many ways, the regulatory landscape has experienced a complete swing of the pendulum. Twenty-five years ago, we “insourced” staff expertise, built our own applications and managed our own castles and fortresses to protect data. Today, firms are more agile, engaging third-party service providers and experts to manage a variety of functions. While the benefits of outsourcing and utilising SaaS solutions are well established, this approach creates risks ranging from a vendor’s expertise and financial health to regulatory compliance and data protection.
ESMA’s 14 principles aim to create a “financial service” framework for EU regulated firms operating in securities markets to address these third-party risks systematically.
The four categories of principles
ESMA has grouped the 14 principles into four categories:
- Supervisory overview: The first principle creates the requirement for each local EU regulator to adopt appropriate governance and risk frameworks that identify and manage third-party risks
- Supervised entity: Principles 2 through 6 establish governance and oversight requirements to ensure independent decision-making remains with the regulated entity, that there is board and executive oversight of vendor risk and that a risk assessment be conducted in relation to an outsourcing arrangement
- Relation with third parties: Principles 7 to 9 detail due diligence requirements related to onboarding new service providers and vendors, requiring that contractual relationships and service level agreements (SLAs) be established, and that the ongoing monitoring of vendor and service provider relationships be conducted on a regular basis
- Specific risks and issues: Principles 10 to 14 identify and address specific risks related to the third-party location of the service provider or vendor, intra-group arrangements, a vendor or service provider’s reliance on sub-contracting, reliance on third parties for internal audit controls, and third-party access and data right controls
What firms should be doing now
The publication of the principles, following DORA and GDPR implementation, demonstrates that third-party risk supervision remains a key regulatory priority. As organisations become increasingly dependent on external service providers and vendors, the regulatory expectation is clear: firms must have robust frameworks in place.
A comprehensive vendor due diligence and ongoing monitoring programme has become essential for regulatory compliance. Such programmes also provide early warning systems for operational, financial and business continuity risks that could impact service delivery.
How we can help
Under the GDPR, the regulated firm remains the data controller, and all data hosted, stored or accessed by a service provider or vendor is ultimately its responsibility. A firm’s senior management and compliance officer should establish controls that demonstrate to stakeholders, including regulators, the measures taken to ensure vendors have adequate procedures and controls in place.
We offer service provider and vendor due diligence reviews, providing compliance officers with written reports that integrate into their compliance monitoring and satisfy regulatory requirements in the UK, EU, U.S. and Asia. Find out more about our vendor due diligence report production and delivery here.
For questions about ESMA’s principles for third-party risk supervision and how they may impact your business, or if you’d like to learn more about the support available from our expert Regulatory and Compliance team, contact us today.