UK and EU regulators sign Memorandum of Understanding to strengthen oversight of critical third parties
Executive Summary
The FCA, Bank of England (BoE), and Prudential Regulation Authority (PRA) have signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities (ESAs) to coordinate oversight of critical third parties (CTPs) under the UK's CTP regime and critical third party providers (CTPPs) under the EU's Digital Operational Resilience Act (DORA). This matters because it enhances cross-border information sharing and cooperation during incidents like cyber-attacks, reducing regulatory duplication while bolstering financial stability and operational resilience for firms reliant on these providers.
What Changed
- Establishes a framework for timely information sharing, coordination of oversight activities, and joint responses to incidents affecting CTPs/CTPPs, including power outages or cyber-attacks.
- Defines principles for cooperation on mutually designated CTPs/CTPPs, including notifications of investigations and best endeavors to share material information where legally and operationally feasible.
- Complements the UK's CTP regime (effective 1 January 2025), which requires designated CTPs to provide regular assurance, conduct resilience testing, and report major incidents, without altering firms' existing outsourcing responsibilities.
- Supported by a tripartite MoU among UK regulators for coordinated oversight via a joint CTP Consultation and Coordination Forum (CCF).
Suggested Considerations
- For CTPs/CTPPs: Once designated, implement regular assurance reporting to regulators, conduct resilience testing (e.g., scenario testing), and report major incidents promptly; prepare for cross-border information requests under the MoU.
- For financial firms/FMIs: Continue managing operational resilience and third-party risks per existing outsourcing rules (e.g., identify dependencies on potential CTPs); monitor HMT designations and enhance incident response coordination with regulators.
- Regulators' internal actions: Use the CCF for coordination; notify counterparts of investigations or material developments per MoU Articles 3 and 12.
- Firms should review contracts with third parties for compliance alignment and conduct gap analyses against CTP requirements.
Key Dates
Compliance Impact
Urgency: High. The MoU operationalizes the live UK CTP regime (effective January 2025), with designations underway, amplifying risks of non-compliance for firms using critical ICT providers amid rising cyber and resilience threats. It matters for cross-border firms as it enables regulator-to-regulator data sharing, potentially exposing gaps in outsourcing arrangements and increasing enforcement s
Who is Affected
References
AI-generated analysis. May contain errors or omissions; verify with the original FCA source before acting.
Summary
The FCA, Bank of England and Prudential Regulation Authority have together signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities to enhance cooperation and oversight of critical third parties (CTPs) that fall under the UK's CTP regime. The MoU establishes a framework for coordinating and sharing information on the oversight of CTPs under the UK regime and critical third party providers (CTPPs) under the EU's Digital Operational Resilience Act (DORA), including du...