UK and EU regulators sign Memorandum of Understanding to strengthen oversight of critical third parties

AI Analysis

Executive Summary

The FCA, Bank of England (BoE), and Prudential Regulation Authority (PRA) have signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities (ESAs) to coordinate oversight of critical third parties (CTPs) under the UK's CTP regime and critical third party providers (CTPPs) under the EU's Digital Operational Resilience Act (DORA). This matters because it enhances cross-border information sharing and cooperation during incidents like cyber-attacks, reducing regulatory duplication while bolstering financial stability and operational resilience for firms reliant on these providers.

What Changed

- Establishes a framework for timely information sharing, coordination of oversight activities, and joint responses to incidents affecting CTPs/CTPPs, including power outages or cyber-attacks.
- Defines principles for cooperation on mutually designated CTPs/CTPPs, including notifications of investigations and best endeavors to share material information where legally and operationally feasible.
- Complements the UK's CTP regime (effective 1 January 2025), which requires designated CTPs to provide regular assurance, conduct resilience testing, and report major incidents, without altering firms' existing outsourcing responsibilities.
- Supported by a tripartite MoU among UK regulators for coordinated oversight via a joint CTP Consultation and Coordination Forum (CCF).

What You Need To Do

  • For CTPs/CTPPs
  • For financial firms/FMIs
  • Regulators' internal actions
  • Firms should review contracts with third parties for compliance alignment and conduct gap analyses against CTP requirements

Key Dates

- 1 January 2025: UK CTP rules came into effect, applying to CTPs designated by HMT.
- Ongoing (process begun pre-2025): HMT designation process for CTPs, with regulators recommending based on concentration and materiality criteria; no fixed end date specified.
- DORA effective date (prior context): EU CTPPs oversight under DORA aligns with UK regime; MoU signed to ensure compatibility (exact DORA timeline not in publication but supports post-2024 implementation).

Compliance Impact

Urgency: High – The MoU operationalizes the live UK CTP regime (effective January 2025), with designations underway, amplifying risks of non-compliance for firms using critical ICT providers amid rising cyber and resilience threats. It matters for cross-border firms as it enables regulator-to-regulator data sharing, potentially exposing gaps in outsourcing arrangements and increasing enforcement s

Who is Affected

- Designated CTPs/CTPPs
- UK financial firms and Financial Market Infrastructures (FMIs)
- party risks under existing rules.
- Regulators
- Cross-border operators face reduced duplication but increased scrutiny through shared oversight.

Summary

The FCA, Bank of England and Prudential Regulation Authority have together signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities to enhance cooperation and oversight of critical third parties (CTPs) that fall under the UK’s CTP regime. The MoU establishes a framework for coordinating and sharing information on the oversight of CTPs under the UK regime and critical third party providers (CTPPs) under the EU’s Digital Operational Resilience Act (DORA), including du...

Relevant Firm Types

Bank, Payment Provider, All Firms