Backup Servicer Regulatory Requirements in Europe
The regulatory picture around backup servicing has more layers than most originators expect. Three frameworks matter: the EU Securitisation Regulation, DORA, and MaRisk. They do not all apply to every structure, and they overlap in ways that are not always obvious. This page works through each one, then answers the question most people are actually asking: what applies to a private warehouse facility with a non-bank originator?
The EU Securitisation Regulation (Regulation (EU) 2017/2402)
The Regulation entered into force in January 2019. It applies to originators, sponsors, and SSPEs involved in securitisations held by EU institutional investors. Full text on EUR-Lex: Regulation (EU) 2017/2402.
Article 7: Transparency
Originators, sponsors, and SSPEs must make loan-level data on the underlying exposures, structural information, and regular investor reports available on an ongoing basis. This applies to all securitisations, not just those seeking STS designation. Reporting goes through a registered securitisation repository. ESMA oversees repository registration and publishes the technical standards: ESMA Securitisation.
Article 21(7) and 21(8): STS servicer provisions
For transactions seeking STS (Simple, Transparent and Standardised) designation, Article 21 sets out additional standardisation requirements. Two subsections deal with the servicing function. Article 21(7)(b) requires that transaction documentation specifies the processes and responsibilities ensuring that a default or insolvency of the servicer does not result in a termination of servicing, typically through a contractual provision enabling servicer replacement. Article 21(8) adds a separate requirement: the servicer must have demonstrable expertise in servicing exposures of a similar nature, with well-documented policies, procedures, and risk-management controls. Together, these mean an STS non-ABCP transaction needs a credible servicer replacement mechanism in place before closing, either a named backup servicer or a defined appointment process. The EBA's guidelines on STS criteria for non-ABCP securitisations (EBA/GL/2018/09) provide the authoritative interpretive guidance: EBA Guidelines on STS Criteria.
The risk retention requirement and its interaction with servicing
Article 6 of the Regulation requires that originators retain a material net economic interest of at least 5% in the securitisation on an ongoing basis. This retention requirement interacts with the servicing function: in a wind-down, the entity retaining the economic interest has the strongest incentive to ensure the portfolio continues to be managed correctly. A backup servicer that can maintain portfolio performance during a transition protects the retained interest as much as it protects the senior investors.
What the Regulation leaves open
It does not say who the backup servicer must be, what form the appointment takes, or what operational readiness standard applies. That is left to documentation and, in practice, to what lenders actually require. The contractual standard has filled the gap.
DORA: Digital Operational Resilience Act (Regulation (EU) 2022/2554)
DORA entered into force on 17 January 2025. It applies to a broad range of financial entities operating in the EU, including credit institutions, payment institutions, electronic money institutions, investment firms, and their critical ICT third-party service providers. The full regulatory text is available at: Regulation (EU) 2022/2554 on EUR-Lex.
Article 11: ICT business continuity
Financial entities must put in place, maintain, and periodically test ICT business continuity plans for critical functions, including those outsourced to third parties. The policy has to be approved by the management body and reviewed at least annually. For originators whose servicing runs on third-party platforms, continuity of those platforms is a direct DORA obligation. See: DORA Article 11 overview.
Article 12: Recovery plans
Financial entities need documented response and recovery plans with defined recovery time objectives, tested annually through scenario-based exercises. For entities with active debt facilities, this should cover the scenario where the servicing function becomes unavailable.
Articles 28–31: Third-party ICT oversight
Financial entities must maintain a register of ICT third-party arrangements, assess critical providers, and ensure contracts include continuity provisions and exit strategies. Where a single provider handles both primary servicing and calculation agent functions, that concentration has to be identified and mitigated. A backup servicer that is operationally independent from the primary technology provider is the direct answer.
Who DORA applies to in practice
Most non-bank originators in Europe hold at least one regulated licence: ZAG for payment services, KWG for factoring or lending, or an equivalent elsewhere in the EU. If you hold one, DORA applies to you directly. If you do not, your lender likely does, and their DORA obligations flow into the contractual terms they put on you. Either way, the outcome is the same.
MaRisk: BaFin's Minimum Requirements for Risk Management
MaRisk (Mindestanforderungen an das Risikomanagement) is BaFin's framework for risk management in German credit institutions and financial services institutions. It is issued as a circular and does not have the force of EU regulation, but BaFin treats it as binding in practice. The current version is the 7th amendment (November 2023). BaFin published a consultation on a 9th amendment in April 2026, which integrates DORA requirements more explicitly: Gleiss Lutz overview.
AT 9: Outsourcing
Under section 25b KWG, KWG-regulated institutions must take appropriate precautionary measures when outsourcing material activities. AT 9(6) requires that, for material outsourced activities, institutions ensure continuity and quality of the outsourced function if the arrangement terminates, whether planned or not. That means: a pre-identified substitute provider, documented transition procedures, and a tested handover. For originators who treat primary loan servicing as a material outsourced function, a pre-appointed, operationally ready backup servicer satisfies AT 9(6) directly. See: Myra Security: MaRisk AT 9.
AT 7.3: Business continuity
MaRisk AT 7.3 requires a business continuity management system including business impact analysis, continuity plans for critical processes, and regular testing. Servicing, whether performed internally or outsourced, is a critical process for any originator with active facilities. Since the 7th amendment, AT 7.3 has been interpreted through the lens of DORA for entities in scope of both.
MaRisk and non-bank originators
MaRisk formally applies to KWG-regulated institutions. Originators without a KWG licence are not directly subject to it. But their lenders often are, and lenders apply MaRisk-equivalent standards to facility documentation regardless of the originator's own regulatory status. The result is the same.
ZAG, PSD2 and the cash manager question
One regulatory dimension that is less frequently discussed but increasingly relevant for European non-bank lenders is the interaction between payment services regulation and the operational role of a backup servicer.
Many structured lending vehicles, particularly Luxembourg SPVs or German GmbH & Co. KG structures used in warehouse and ABS transactions, include a cash manager function: the entity responsible for managing cash flows through the SPV's accounts, directing payments according to the waterfall, and maintaining the payment mechanics of the facility. In Germany, certain cash management activities that involve instructing payments on behalf of third parties may require a licence under ZAG (Zahlungsdiensteaufsichtsgesetz, the German Payment Services Supervision Act, which implements PSD2 into German law).
This creates a regulatory question for backup servicers: if the backup servicer is expected to assume cash management functions upon activation, does that require a ZAG licence, and if so, does the proposed provider hold one? The question is more acute in German-law structures than in Luxembourg or Irish SPV structures, where the relevant payment services regulation applies differently. BaFin's position on the scope of ZAG licensing for structured finance cash management has not been formally codified, and legal opinions from German counsel (typically Linklaters, Freshfields, or similar) are the standard way to resolve the question for a specific structure.
For originators: if your facility documentation assigns cash management responsibilities to the backup servicer upon activation, raise the ZAG question with your counsel before finalising the appointment. A backup servicer who cannot legally perform the cash management function is not a complete solution.
What actually applies to a private warehouse facility?
This is the question most originators are asking. The answer depends on three variables: the structure of the facility, the licence status of the originator, and the lender's own regulatory position.
If the facility is structured as a securitisation under the EU Securitisation Regulation
Meaning the credit risk associated with a pool of exposures is tranched and held by institutional investors: Article 7 transparency obligations and, if STS designation is sought, the Article 21(7)(b) servicer replacement requirement apply directly. This covers most rated ABS transactions and many private revolving structures that are deliberately structured as securitisations for regulatory capital or risk-transfer purposes.
If the facility is a private bilateral or club warehouse, not structured as a securitisation
Which covers the majority of European warehouse facilities for non-bank originators at the EUR 10–100 million scale: the EU Securitisation Regulation does not apply directly. But lenders apply the same logic contractually. The Clifford Chance note on warehouse financing explains this clearly: Securitised Origination Warehouse Financing. Institutional lenders treat backup servicer requirements as market standard regardless of the regulatory label on the structure.
If the originator holds a regulated licence
KWG, ZAG, PSD2, or equivalent in another EU member state: DORA applies from January 2025, and MaRisk applies for KWG-regulated entities in Germany. Both create explicit operational continuity obligations that a pre-appointed backup servicer directly satisfies.
If the originator is unregulated
Operating under contractual or commercial arrangements without a financial services licence: neither DORA nor MaRisk applies directly. The regulatory dimension is then defined entirely by the lender's own obligations and the contractual terms of the facility. In practice, institutional lenders import their own compliance requirements into the facility documentation, which produces the same outcome.
The short version: whatever your regulatory status, if you have an institutional lender providing debt against a pool of receivables, you will be asked to appoint a backup servicer. The regulatory frameworks above explain why the requirement exists and what standard it must meet. The contractual requirement in the term sheet is where it actually becomes binding.
Questions about what applies to your structure?
Credibur works across regulated and unregulated originators, private and structured facilities, in Germany and across Europe. If you need to work through the regulatory picture for your specific structure before your next lender conversation, the fastest path is a short call.