Outsourcing Officer
Central oversight of all material outsourcing arrangements: risk analysis, exit strategies, provider monitoring, and the outsourcing register. Keeps the institution audit-ready under MaRisk AT 9 and DORA's ICT third-party regime.
§ 25b KWG · MaRisk AT 9 · DORA (EU) 2022/2554
What is an Outsourcing Officer?
The Outsourcing Officer provides central oversight of a financial institution's outsourcing arrangements. The role exists because supervised institutions remain fully responsible for functions they hand to third parties, so they need a controlled view of every material outsourcing, its risks, its monitoring and its exit path.
The legal anchor is Section 25b of the German Banking Act (Kreditwesengesetz, KWG), which requires institutions to ensure that outsourcing does not impair the proper conduct of business, internal controls or the supervisor's ability to audit. The supervisory detail comes from the Minimum Requirements for Risk Management (MaRisk), in particular module AT 9 on outsourcing, which sets expectations for the risk analysis, the outsourcing agreement, ongoing monitoring, the central outsourcing management function and the outsourcing register. MaRisk introduced the concept of a central outsourcing management function, and the Outsourcing Officer typically leads it.
For information and communication technology, the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) adds a directly applicable regime for ICT third-party risk: a register of information on all ICT service arrangements, mandatory contractual content, risk assessment of concentration and substitutability, and stricter rules for services supporting critical or important functions. DORA and MaRisk AT 9 overlap, so the officer manages one coherent outsourcing and ICT third-party framework rather than two parallel ones.
In practice the officer maintains the register, coordinates risk analyses before and during outsourcing, monitors provider performance and sub-outsourcing, ensures exit strategies are documented and tested for material arrangements, and keeps the institution audit-ready for the supervisor.
Core duties of the Outsourcing Officer
- Maintain the outsourcing register required by MaRisk AT 9 and the DORA register of information.
- Coordinate the risk analysis that decides whether an arrangement is a material outsourcing.
- Review outsourcing agreements for the content required by Section 25b KWG, MaRisk AT 9 and DORA.
- Monitor provider performance, service levels and material sub-outsourcing.
- Ensure documented and, for material cases, tested exit strategies.
- Assess concentration risk and substitutability across ICT third-party providers under DORA.
- Run the central outsourcing management function and report to management.
- Safeguard the supervisor's and internal audit's audit and information rights.
- Track contractual obligations, renewals and remediation of provider findings.
- Coordinate with risk, compliance, information security and the ICT function.
When is appointment required?
The driver is supervised status combined with outsourcing. Institutions subject to Section 25b KWG and the MaRisk must manage their outsourcing under module AT 9, and MaRisk expects a central outsourcing management function whose set-up depends on the type, scope, complexity and risk content of the institution's outsourced activities. The Outsourcing Officer is the natural lead of that function. The duty intensifies with the volume and materiality of outsourcing rather than appearing at a single threshold.
The trigger for the underlying obligations is any outsourcing of activities and processes, with the strongest requirements attaching to material outsourcing as identified by the risk analysis. For information and communication technology, DORA applies directly to a broad range of financial entities and requires the register of information and ICT third-party risk management regardless of the KWG and MaRisk overlay, which widens the population that needs structured outsourcing oversight.
The institution should document the function and its authority, ensure the officer has access to all relevant arrangements and the standing to challenge them, and avoid conflicts of interest with the business units that own the relationships. Responsibility for the outsourced functions stays with the institution and its management; the officer provides the central control, the register and the monitoring that make that responsibility demonstrable to the supervisor.
- Status as an institution subject to Section 25b KWG and MaRisk
- Any material outsourcing identified by the risk analysis under MaRisk AT 9
- Use of ICT third-party providers within the scope of DORA
- Outsourcing supporting critical or important functions under DORA
- Growth in outsourcing volume or concentration with a single provider
- Supervisory finding on outsourcing governance or the register
Sectors that need this role
- Banks and credit institutions under the KWG
- Financial services and securities firms
- Payment and e-money institutions
- Insurance undertakings within DORA scope
- Asset and fund management companies
- Leasing and factoring institutions
- Crypto-asset service providers in scope of financial regulation
- Group ICT and shared-service entities serving financial firms
- Central counterparties and market infrastructure
How CIVAC supports the Outsourcing Officer role
CIVAC gives the Outsourcing Officer a single place to run the central outsourcing management function. The outsourcing register and the DORA register of information live in the documentation pillar as structured, versioned records, linked to each provider's risk analysis, contract review and exit strategy. Recurring obligations (provider monitoring, contract renewals, exit-strategy tests and sub-outsourcing checks) become scheduled tasks with owners and due dates, so material arrangements are not reviewed only when something goes wrong. Findings from monitoring or audit become tracked remediation tasks. When the supervisor examines outsourcing governance under Section 25b KWG, MaRisk AT 9 or DORA, the institution can present the register, the analyses and the monitoring trail in one coherent, audit-ready view.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.