Critical third parties (CTPs) - navigating the EU’s and UK’s new regulatory frameworks

At a glance
 

  • Through the DORA in the EU, and the UK’s dedicated proposals, critical third parties (CTPs) to financial services are likely to come under some form of regulatory oversight. Finer details are yet to emerge, but it is already clear that the first tranche of CTPs designated in both jurisdictions will face overlapping regulatory implementation timelines, starting in 2025. This underscores the importance of seeking synergies in implementation work.
  • We expect some providers to fall within the scope of both EU and UK regimes, e.g. major Cloud service providers. However, two distinctive elements of their designation approaches – scope and criteria – will inevitably lead to some unique designations in both jurisdictions. 
  • Proposals are at different stages in the EU and UK. The UK regulators consulted on a draft version of their regime at end-2023. In contrast, the EU’s regime does not specify the detailed requirements that CTPs will need to meet. Instead, the regime is driven by the regulators’ wide-reaching powers to launch investigations to ensure that a CTP is resilient. While the European Supervisory Authorities (ESAs) may – in time – set out best practices and guidelines for CTPs, it is not currently clear if and when this will happen.
  • Nevertheless, CTPs can expect significant alignment on the broad areas that EU and UK regulators will assess. The EU’s DORA legal text sets out the high-level areas that EU regulators will scrutinise as part of their investigations. In many areas, these overlap significantly with the focus areas in the UK’s proposed framework.
  • Complementary approaches to legal entity requirements enable CTPs that expect to be designated in both jurisdictions to maximise synergies, including by centralising implementation programmes, coordinating EU and UK regulatory engagement, and coordinating incident communications with financial services clients and regulators.


Introduction
 

EU and UK authorities have published consultations and drafts of their proposed approach to overseeing critical third parties (CTPs) to the financial services (FS) sector. Some details of the CTP oversight regimes are yet to emerge, but it is clear that the designation criteria will capture some common CTPs in both jurisdictions, which will face overlapping regulatory implementation timelines.

This underscores the importance of seeking synergies in the implementation process and fully understanding the nuances in different regimes. In this article, we compare and contrast various aspects of the EU’s and UK’s emerging CTP regimes, including timelines, scope of firms captured, overall regulatory approach, and key regulatory focus areas. 

** This article refers to both the EU’s ICT critical third-party providers and the UK’s critical third parties to the FS sector as ‘CTPs’. Although, as we explore, the two regimes are not fully aligned, they share the same objective of ensuring the systemic stability of the FS sector. **


Timelines: CTP designation decisions will start in 2025, kicking off formal implementation windows
 

The UK FS regulators are set to finalise the detailed requirements for CTPs by the end of 2024 [1]. Meanwhile, the EU’s regime for ICT critical third-party providers is introduced via the Digital Operational Resilience Act (DORA) [2]. The EU regime will become fully applicable in January 2025. In the interim, the ESAs, who have published a draft, will fine-tune the important technical details.

Against this backdrop, it is already certain that CTPs designated as critical in both the EU and the UK will face concurrent implementation timelines. Both the EU and the UK will start formally designating third parties and apply their new oversight regimes in early 2025 (Figure 1).

Figure 1 – key EU and UK regulatory milestones

In-scope providers: While we expect some firms to be caught by both jurisdictions, some unique CTPs will be caught by only one jurisdiction
 

Ultimately, we expect significant overlap in the cohort of CTPs caught by both EU and UK regimes. For example, the major Cloud service providers are likely to be in scope of both the EU and UK regimes from the outset. Market data providers may be designated as CTPs too. In time, other technology providers supporting the uptake of Artificial Intelligence (AI), e.g. model or data providers, may also be classified as CTPs.

Yet two distinctive elements of the EU’s and UK’s designation approaches will inevitably lead to some unique designations in both jurisdictions.

1. Scope
 

In line with its operational resilience regime for FS firms, the UK opted for a technology-neutral CTP regime. In practice, this means that the regime will look at all critical third parties to FS and could, in principle, also capture non-ICT providers. In contrast, the EU’s CTP regime will focus solely on ICT third-party providers. This may lead to some unique CTPs that are caught by only one jurisdiction. For example, cash distribution service providers could be classed as CTPs in the UK, but not in the EU.

Another key element of scope concerns “other regulated sectors”. The UK regime, by the regulators’ own admission, is unlikely to capture third parties in other sufficiently regulated sectors (e.g. public telecommunications and energy providers). The UK regulators are likely to focus on providers which are critical to FS and are not yet subject to a level of regulation and oversight equivalent to the CTP regime. However, the EU regime covers all ICT CTPs, including (in principle) those in regulated sectors such as public telecommunications providers.

2. Criteria
 

The EU and UK are also taking distinct approaches to the criteria for designation as a CTP. In the UK, the Government will designate a third party as critical on the recommendation of the FS regulators (who will look holistically across a selection of qualitative criteria, as set out in Figure 2). This approach implies that third parties cannot avoid being designated as a CTP in the UK merely by staying below quantitative thresholds. In contrast, the EU’s designation criteria include a mix of qualitative and quantitative thresholds (Figure 3). Designation as a CTP in the EU can only occur when all criteria are met.

Figure 2 – UK designation criteria

Figure 3 – EU designation criteria

Overall regulatory approach: Distinct approaches mean that there is more clarity on the details of the UK regime (for now)…
 

At the heart of the UK regime is a set of outcomes-focussed rules for CTPs to meet. 

It comprises two main elements. The first is a set of six overarching fundamental rules that apply to all services provided to FS clients. These high-level rules set out general requirements to manage financial stability risks posed by CTPs. The second element is a set of granular operational resilience-focussed rules that will apply to a CTP’s material services.

The UK consulted on a draft version of its detailed regime at the end of 2023, providing clarity on the direction of travel for CTPs to begin implementation planning. 

In contrast, and unlike other areas of the DORA, detailed requirements on what is expected of CTPs have not been set out in technical standards to supplement the high-level expectations in the primary DORA legal text. The EU regime is expected to be driven by the regulators’ new wide-reaching powers to launch investigations to ensure that a given CTP is resilient.

While the ESAs may – in time – set out best practices and guidelines for CTPs, it is not currently clear if and when this will happen. The technical standards focus mainly on the mechanics of oversight arrangements, as opposed to detailed requirements for CTPs to meet.


Regulatory focus areas: CTPs can expect significant alignment on the broad areas EU and UK regulators will assess
 

Yet despite the absence of a detailed framework in the EU, it is already clear that both the EU and UK will probe similar areas of CTP businesses. 

The EU’s DORA legal text sets out the high-level areas that EU regulators will scrutinise as part of their investigations. In many areas, these overlap significantly with the focus areas in the UK’s proposed framework (Table 1).

Table 1 – confirmed regulatory focus areas for EU and UK CTP regimes [3]

In any case, EU and UK regulators may still probe the unticked areas in Table 1. Mapping is a case in point. Although the EU regime does not explicitly require CTPs to conduct a mapping exercise, it may still be a crucial practical prerequisite for implementation work and building resilience (e.g. to understand whether CTP services support critical services in FS), as has been the case for FS firms [4].

The overall alignment on focus areas means that CTPs could potentially use the more detailed UK rules as a starting point for implementation work for the EU regime. This will provide a baseline threshold for compliance that CTPs can adjust to once designated in the EU, and as detailed EU expectations become clearer in 2025.


Legal entity requirements: complementary approaches enable CTPs to maximise synergies
 

Third parties that expect to be designated as critical in both the UK and the EU can start evaluating an optimal and coordinated approach to implementation. 

The EU’s and UK’s complementary approaches to location requirements provide another opportunity for CTPs with a presence in both jurisdictions to leverage synergies in implementation activity.

CTPs have the option of serving both EU and UK clients from a single EU legal entity. The proposed UK regime imposes no requirement for CTPs either to establish a legal presence in the UK or to provide services from the UK. Meanwhile, the EU regime requires CTPs to establish a specific subsidiary in the EU, although it allows some flexibility to provide services from outside the EU.

Therefore, a CTP’s EU subsidiary could potentially also service the UK. This option would enable CTPs to:

  • Centralise implementation programmes – In this scenario, implementation of both the EU and UK regimes would be driven by a central team bringing together the relevant parts of the CTP’s business, including business continuity, ICT disaster recovery, cybersecurity and third-party risk management. This may help to streamline processes by reducing duplication of effort and pooling expertise in regulatory implementation.
  • Coordinate regulatory engagement, potentially via a central regulatory office or similar mechanism (central function) – This would ensure consistent messaging on implementation work to both EU and UK regulators and serve as a coordination point to cascade and implement regulatory feedback across the business. The central function could also coordinate other important activities, such as overseeing on-site inspections and managing any remediation exercises that emerge. However, any national-level regulatory engagement should include people with expertise and knowledge of local regulatory priorities and focus areas, particularly in light of any national-level resilience incidents. CTPs could also leverage the central function to coordinate engagement with FS clients operating in both jurisdictions, e.g. to gain visibility over how CTP services are employed, renegotiate contracts to ensure compliance, and share information.
  • Coordinate incident communications with EU and UK FS clients and regulators – This would help ensure compliance with requirements for CTPs to report incidents affecting the delivery of services to their FS clients and regulators. CTPs will also play a key role in FS firms’ own incident reporting duties, as they hold the necessary information. This is already clear in the EU, which explicitly mandates FS firms to renegotiate outsourcing contracts to include provisions on information sharing with their third-party providers. The UK regulators are expected to consult on their framework for FS firms’ incident reporting in the second half of 2024.


Preparing for implementation
 

2025 is shaping up to be a busy year for CTPs. The first set of CTP designations will trigger the start of formal implementation activity and put pressure on CTPs to comply with the new regimes within a tight schedule. 

Providers that consider themselves likely candidates for designation as a CTP should consider carrying out “no regret” actions now. These include assessing the impact of the EU and UK regimes on legal entity, infrastructure and governance options. Potential CTPs can also use the time to understand the systems, processes, people and third parties underpinning delivery of services to FS clients. Collaborating with FS clients to understand how their services are deployed in practice is also crucial.

Overall, by streamlining implementation and regulatory engagement programmes, CTPs can position themselves to respond as effectively as possible.

______________________________________________________________________

References:
 

[1] Click here to read our analysis of the draft UK regime

[2] Click here and here to read our analysis of the EU regime

[3] The Digital Operational Resilience Act - Publications Office (europa.eu); CP26/23 - Operational resilience: Critical third parties to the UK financial sector | Bank of England; HM_Treasury_Approach_to_Designating_Critical_Third_Parties_2024.pdf (publishing.service.gov.uk)

[4] Mapping is not explicitly set out as a requirement for CTPs in the DORA legal text, but it may need to be done to understand whether CTP services support critical services in financial services. Regulatory expectations around this will be clearer once further details are published.