Jan 14
UK and EU Regulators Unite to Mitigate Critical Third-Party Risk in Financial Sector
The Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority have signed a strategic Memorandum of Understanding (MoU) with European Supervisory Authorities to enhance cross-border cooperation and oversight regarding critical third-party risk.
The agreement establishes a formal framework for coordinating information sharing on Critical Third Parties (CTPs) under the UK regime and Critical Third Party Providers (CTPPs) under the EU’s Digital Operational Resilience Act (DORA). This collaboration is specifically aimed at managing risks to financial stability and market confidence, ensuring regulators can jointly respond to major incidents such as widespread power outages or cyber-attacks. By aligning oversight efforts, the MoU also seeks to reduce regulatory duplication and lower the compliance burden on service providers operating across both jurisdictions.
The UK’s CTP regime, designed to be compatible with DORA and complementary to international standards, underscores a commitment to strengthening operational resilience while supporting market growth. This follows the introduction of new rules by UK regulators in 2024 to bolster the resilience of key service providers, which officially came into effect on January 1, 2025. Under these rules, the Treasury is responsible for designating which providers fall under the regime; once designated, these entities must perform resilience testing, report major incidents, and provide regular assurance. However, regulators emphasized that this new oversight layer does not remove the responsibility from financial firms and Financial Market Infrastructures to manage their own outsourcing and third-party risks.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.