Why Software Escrow Is More Relevant Than Ever Under ESMA’s New Third-Party Risk Principles
On 12 June 2025, the European Securities and Markets Authority (ESMA) published a landmark set of 14 supervisory principles focused on managing third-party risk. These principles aim to create a more consistent and robust approach across the EU to supervising outsourcing, delegation, and all forms of third-party services used by regulated financial firms.
This move is not just another layer of guidance; it is a clear signal to financial services firms that outsourcing risk must be operationally mitigated, not just contractually addressed. In that context, software escrow can be a critical part of the compliance and resilience toolkit.
What’s Driving This? Rising Third-Party Dependency
In recent years, financial firms have increasingly relied on cloud platforms, SaaS tools and embedded software provided by third parties. While this brings innovation and efficiency, it also creates risk, particularly if one of those providers goes out of business, suffers a cyber incident, or stops maintaining its service.
ESMA’s new principles respond directly to these concerns, stating that:
“The supervised firm should ensure that appropriate exit strategies, contingency plans and transition arrangements are in place in the event of the termination or failure of the third-party service.”
This is one of several principles that support a stronger approach to continuity planning, including those that emphasise:
- Robust due diligence when onboarding third-party suppliers
- Active contingency planning
- Ensuring continuity for critical or important functions
- Ongoing monitoring of third-party performance and resilience
Together, these create a heightened regulatory expectation: you must be able to continue operating even if a key third-party provider cannot, and you must be able to show that you have assessed and protected against that risk.
Software Escrow: A Practical, Aligned Solution
This is where software escrow comes in, offering a tangible, widely used way to reduce the risk that a critical software vendor's failure takes your services down with it.
A software escrow arrangement involves a neutral third party (such as The Escrow Company) holding the source code, documentation, build instructions and other vital materials for critical applications. SaaS escrow can cover the source materials under a traditional software escrow agreement and, where relevant, also the production cloud account credentials, data, secondary environments, or the ability for the escrow agent to redeploy and run the service. If the vendor goes bust, discontinues support, or breaches key contractual obligations, the escrow materials are released to the beneficiary, who can use them to keep the service running.
This directly supports compliance with ESMA’s new framework, by:
- Providing clear exit strategies
- Enabling contingency execution in the event of supplier failure
- Supporting due diligence processes during procurement
- Demonstrating alignment with supervisory expectations
How The Escrow Company Helps Regulated Firms and Software Vendors
At The Escrow Company (formerly Escrow London), we specialise in software escrow services tailored for financial services, fintech, and regulatory compliance.
Here’s how we’re positioned to support your organisation in light of the new ESMA principles:
Robust Software Escrow Agreements for Regulated Entities
Our software escrow and SaaS escrow agreements are built, and can be tailored, to support an organisation's compliance with MiFID II, AIFMD, UCITS and sectoral expectations, including the new ESMA third-party risk principles. We offer:
- Single and multi-beneficiary software and SaaS escrow agreements
- Customised release conditions to suit risk frameworks and supervisory expectations
- Cloud and SaaS escrow, addressing risks where software is cloud hosted
- Clear documentation and audit trails for regulatory review
Technical Verification Services
The supervisory expectation is that contingency plans must be “effective and operationally tested.”
That’s why we offer comprehensive verification services, including:
- Build and deploy verification (validating the code can be compiled and deployed)
- Cloud/SaaS replication testing
- Ongoing automated deposit updates to keep deposit materials current
- Proof of testing reports – useful for audit and compliance evidence
These services support the regulatory testing requirements and ensure that, in practice, the recovery expected to happen in the event of supplier failure would actually work if the software escrow is ever triggered.
Support for Software Vendors Selling to Regulated Markets
We also work closely with software providers who service banks, insurers and investment firms. By partnering with us, vendors can:
- Offer pre-built software escrow and SaaS escrow frameworks to reduce procurement friction
- Reassure enterprise clients and regulators during due diligence
- Comply with customer-imposed risk requirements
- Retain control while demonstrating commitment to continuity
As a neutral party, we ensure that both the depositor and the beneficiary benefit from transparent terms, secure processes and our extensive experience in handling sensitive situations.
Our Track Record
The Escrow Company supports clients across Europe, the UK, the US, Australia and APAC – including some of the world’s largest banks, financial institutions, fintech scale-ups and global software providers.
We’re trusted by both sides of the outsourcing equation: the regulated firms who need to protect their operations, and the tech vendors who need to prove they are a resilient and responsible supplier.
Our services are ISO 27001 certified, GDPR-compliant, and aligned with the latest regulatory guidance across multiple jurisdictions.
Next Steps for Regulated Firms and Vendors
If your organisation is:
- A financial firm subject to ESMA supervision
- A SaaS, cloud or fintech vendor selling into EU markets
- Or a legal/compliance professional advising on outsourcing risk
then now is the time to assess the robustness of your business continuity plans. ESMA has made it clear that proactive measures are expected, not just reactive responses.
The Escrow Company is ready to help. Get in touch to:
- Discuss your third-party software risk profile
- Understand which of your systems require software escrow
- Build or modernise your software escrow agreements
- Provide confidence to regulators, customers and investors
Contact us for a free consultation on how your business can align with ESMA’s third-party risk expectations.