UK regulators have been progressively tightening expectations around operational resilience and third-party risk management for several years. This reflects a structural dependency on a small number of providers whose services underpin critical financial activities, and a wider pattern of disruption becoming a normal operational challenge.
The Financial Services and Markets Act 2023 (FSMA) created a significant shift by granting the Bank of England, PRA and FCA powers to oversee a limited number of external service providers directly. Importantly, this does not mean most cloud, software, or technology firms will fall under direct supervision. Financial institutions remain responsible for managing their own outsourcing and third-party risks.
However, for the first time, certain external providers may be formally designated as Critical Third Parties (CTPs) because their failure could have systemic consequences. This designation brings those providers within the scope of regulatory oversight.
The timing is particularly relevant now because the EU’s Digital Operational Resilience Act (DORA) has just published its first list of designated Critical ICT Third-Party Providers (CTPPs). While the UK list has not been released, the DORA list provides a meaningful indication of the types of suppliers that may be considered. With UK designation decisions expected later this year, preparation is becoming increasingly important.
This regime affects organisations operating within and supporting the financial services sector in particular, given the concentration risks associated with shared technology and infrastructure.
The aim of the regime is to allow UK regulators to supervise a very small number of third-party providers whose disruption could threaten financial stability or cause significant consumer harm.
Designation is expected to focus on providers where there is:
Once designated, CTPs will face expectations relating to:
These requirements complement, rather than replace, firms’ own obligations under existing outsourcing, risk management and operational resilience frameworks. The objective is to strengthen resilience where multiple financial institutions rely on the same service providers.
The UK has not yet published its CTP list, and no specific organisations have been identified. Current signals suggest an announcement is possible toward the end of the year, although this may change.
The newly released DORA CTPP list provides useful directional insight. It includes major cloud service providers, core banking software firms, payment processors, cybersecurity providers and operators of essential financial infrastructure. These categories reflect a systemic reliance and therefore provide an indication of what the UK may consider, although the criteria and outcomes will not necessarily be identical.
Likely characteristics of providers meeting designation criteria include:
Smaller or niche providers are less likely to meet these thresholds. However, that does not mean they should disregard the regime. Aligning to resilience expectations can support their risk profile, strengthen their commercial appeal, and demonstrate proactive support for clients’ compliance needs.
The UK CTP framework represents the next step in the broader regulatory trajectory aimed at improving third-party resilience. It reinforces existing requirements rather than replacing them.
Financial firms should expect to:
More granular mapping of direct and indirect dependencies, including subcontractors, will be required to support operational resilience assessments and scenario testing.
Regulators expect documented, evidence-based assurance, not only questionnaires, covering resilience, continuity, incident response and oversight arrangements.
Firms will need to ensure contracts include provisions for regulatory access, audit rights, cooperation in incident management, and data availability.
Under PRA regulations and operational resilience rules, firms must maintain workable plans for migrating away from critical suppliers.
This is where software escrow and independent verification become increasingly relevant, providing a credible mechanism for maintaining access to essential code if a supplier fails or cannot meet obligations.
Impact tolerances, scenario testing and continuity planning must reflect the elevated risk profile associated with potential CTPs.
If designated as CTPs, providers should expect:
Designation will require investment, but it may also strengthen market confidence and position providers more competitively with regulated clients.
While both the UK regime and DORA aim to improve operational resilience, their approaches differ:
Cross-border firms will need to support compliance with both frameworks. Although there are differences in scope and supervisory mechanisms, the core themes (governance, testing, reporting and continuity) are consistent enough to enable alignment.
A proportionate, structured preparation approach will support both compliance and operational resilience. Key actions include:
These steps reinforce resilience and reduce the risk of rushed compliance once CTP designations are published.
Where critical software underpins important business services, regulators expect firms to maintain credible continuity arrangements that support operational resilience and stressed exit planning. Software escrow and independent verification provide structured, independently managed access to essential code if a supplier is unable to continue supporting a system.
Our team supports firms in implementing escrow and verification solutions aligned to PRA outsourcing expectations, operational resilience requirements and stressed exit planning obligations.
A regulatory framework allowing the Bank of England, PRA and FCA to directly supervise a small number of third-party service providers whose disruption could threaten financial stability or cause material consumer harm.
Implementation will continue over the next few years. CTP designations are expected once regulators have completed their assessments of potential candidates.
By enhancing dependency mapping, improving assurance processes, updating contracts, embedding CTP considerations into operational resilience, and using software escrow to support stressed exit planning.
Large, systemically central cloud platforms, infrastructure operators, core software vendors and payment processors, similar to those on the DORA CTPP list. Final decisions will depend on the UK regulators’ assessment against the designation criteria.
They are less likely to be designated, but aligning to resilience expectations may strengthen their competitiveness and appeal to regulated firms.
The CTP regime reflects a long-term shift in how regulators address systemic third-party dependencies. With designation decisions expected and operational resilience expectations tightening, firms benefit from putting the right structures in place now.
Clear dependency mapping, effective supplier oversight and credible stressed exit plans are becoming essential components of good practice. Where critical software supports essential business services, software escrow and independent verification offer a practical approach to enhancing continuity and meeting regulatory requirements.
If you are reviewing your approach to supplier resilience or updating your exit plans, our team can help you build safeguards that support compliance and reinforce operational stability.