EU and UK authorities have published consultations and drafts of their proposed approach to overseeing critical third parties (CTPs) to the financial services (FS) sector. Some details of the CTP oversight regimes are yet to emerge, but it is clear that the designation criteria will capture some common CTPs in both jurisdictions, which will face overlapping regulatory implementation timelines.
This underscores the importance of seeking synergies in the implementation process and fully understanding the nuances in different regimes. In this article, we compare and contrast various aspects of the EU’s and UK’s emerging CTP regimes, including timelines, scope of firms captured, overall regulatory approach, and key regulatory focus areas.
**This article refers to both the EU’s ICT critical third-party providers and the UK’s critical third parties to the FS sector as ‘CTPs’. Although, as we explore, the two regimes are not fully aligned, they share the same objective of ensuring the systemic stability of the FS sector.**
The UK FS regulators are set to finalise the detailed requirements for CTPs by the end of 2024.1 Meanwhile, the EU’s regime for ICT critical third-party providers is introduced via the Digital Operational Resilience Act (DORA).2 The EU regime will become fully applicable in January 2025. In the interim, the ESAs, who have published a draft, will fine-tune the important technical details.
Against this backdrop, it is already certain that CTPs designated as critical in both EU and UK will face concurrent implementation timelines. Both the EU and UK will start formally designating third parties and apply their new oversight regimes in early 2025 (Figure 1).
Figure 1 – key EU and UK regulatory milestones
Ultimately, we expect significant overlap in the cohort of CTPs caught by both the EU and UK regimes. For example, the major cloud service providers are likely to be in scope of both the EU and UK regimes from the outset. Market data providers may be designated as CTPs too. In time, other technology providers supporting the uptake of Artificial Intelligence (AI) – e.g. model or data providers – may also be classified as CTPs.
Yet two distinctive elements of the EU’s and UK’s designation approaches will inevitably lead to some unique designations in both jurisdictions.
In line with its operational resilience regime for FS firms, the UK opted for a technology-neutral CTP regime. In practice, this means that the regime will look at all critical third parties to FS and could, in principle, also capture non-ICT providers. In contrast, the EU’s CTP regime will focus solely on ICT third-party providers. This may lead to some CTPs being caught by only one jurisdiction. For example, cash distribution service providers could be classed as CTPs in the UK, but not in the EU.
Another key element of scope concerns “other regulated sectors”. The UK regime, by the regulators’ own admission, is unlikely to capture third parties in other sufficiently regulated sectors (e.g., public telecommunications and energy providers). The UK regulators are likely to focus on providers which are critical to FS and are not yet subject to a level of regulation and oversight equivalent to the CTP regime. However, the EU regime covers all ICT CTPs, including (in principle) those in regulated sectors such as public telecommunications providers.
The EU and UK are also taking distinct approaches to the criteria for designation as a CTP. In the UK, the Government will designate a third party as critical on the recommendation of the FS regulators (who will look holistically across a selection of qualitative criteria, as set out in Figure 2). This approach implies that third parties cannot avoid being designated as a CTP in the UK merely by staying below quantitative thresholds. In contrast, the EU’s designation criteria include a mix of qualitative and quantitative thresholds (Figure 3). Designation as a CTP in the EU can only occur when all criteria are met.
Figure 2 – UK designation criteria
Figure 3 – EU designation criteria
At the heart of the UK regime is a set of outcomes-focussed rules for CTPs to meet.
It comprises two main elements. The first is a set of six overarching fundamental rules that apply to all services provided to FS clients. These high-level rules set out general requirements to manage financial stability risks posed by CTPs. The second element is a set of granular operational resilience-focussed rules that will apply to a CTP’s material services.
The UK consulted on a draft version of its detailed regime at the end of 2023, providing clarity on the direction of travel for CTPs to begin implementation planning.
In contrast, and unlike other areas of DORA, detailed requirements for CTPs have not been set out in technical standards to supplement the high-level expectations in the primary DORA legal text. The EU regime is instead expected to be driven by the regulators’ new wide-reaching powers to launch investigations to ensure that a given CTP is resilient.
While the ESAs may – in time – set out best practices and guidelines for CTPs, it is not currently clear if and when this will happen. The technical standards focus mainly on the mechanics of oversight arrangements, as opposed to detailed requirements for CTPs to meet.
Yet despite the absence of a detailed framework in the EU, it is already clear that both the EU and UK will probe similar areas of CTP businesses.
The EU’s DORA legal text sets out the high-level areas that EU regulators will scrutinise as part of their investigations. In many areas, these overlap significantly with the focus areas in the UK’s proposed framework (Table 1).
Table 1 – confirmed regulatory focus areas for EU and UK CTP regimes3
In any case, EU and UK regulators may still probe the unticked areas in Table 1. Mapping is a case in point. Although the EU regime does not explicitly require CTPs to conduct a mapping exercise, it may still be a crucial practical prerequisite for implementation work and building resilience (e.g., to understand whether CTP services support critical services in FS), as seen in the case of FS firms.4
The overall alignment on focus areas means that CTPs could potentially use the more detailed UK rules as a starting point for implementation work for the EU regime. This will provide a baseline threshold for compliance that CTPs can adjust to once designated in the EU, and as detailed EU expectations become clearer in 2025.
Third parties that expect to be designated as critical in both the UK and the EU can start evaluating an optimal and coordinated approach to implementation.
The EU’s and UK’s complementary approaches to location requirements provide another opportunity for CTPs with a presence in both jurisdictions to leverage synergies in implementation activity.
CTPs have the option of serving both EU and UK clients from a single EU legal entity. The proposed UK regime imposes no requirement for CTPs to either establish a legal presence in, or provide services from, the UK. Meanwhile, the EU regime requires CTPs to establish a specific subsidiary in the EU, although it allows some flexibility to provide services from outside the EU.
Therefore, a CTP’s EU subsidiary could potentially also serve the UK. This option would enable CTPs to:
2025 is shaping up to be a busy year for CTPs. The first set of CTP designations will trigger the start of formal implementation activity and put pressure on CTPs to comply with the new regimes within a tight schedule.
Providers that consider themselves a likely candidate for designation as a CTP should consider carrying out “no regret” actions now. These include assessing the impact of the EU and UK regimes on legal entity, infrastructure, and governance options. Potential CTPs can also use the time to understand the systems, processes, people and third parties underpinning delivery of services to FS clients. Collaborating with FS clients to understand how their services are deployed in practice is also crucial.
Overall, by streamlining implementation and regulatory engagement programmes, CTPs can position themselves to respond as effectively as possible.
______________________________________________________________________
1 Click here to read our analysis of the draft UK regime
2 Click here and here to read our analysis of the EU regime
4 Mapping is not explicitly set out as a requirement for CTPs in the DORA legal text but may need to be done to understand whether CTP services support critical services in financial services. Regulatory expectations around this will be clearer once further details are published.