UK and EU regulators align on critical third-party oversight

UK and EU financial regulators have taken a further step towards closer cross-border supervision by signing a new Memorandum of Understanding (MoU) aimed at strengthening the oversight of critical third parties that support the financial system.

The agreement has been signed by the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA) alongside the European Supervisory Authorities. It is designed to enhance cooperation between the UK’s Critical Third Party (CTP) regime and the EU’s framework for Critical Third Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA).

Under the MoU, regulators have established a structured framework for sharing information and coordinating oversight activities relating to critical service providers. This includes collaboration during major incidents such as cyber-attacks, power outages or other operational disruptions that could pose risks to financial stability or undermine market confidence. By aligning supervisory approaches, the regulators aim to improve visibility over systemic risks arising from third-party dependencies across borders.

A central objective of the agreement is to manage potential threats to financial stability while supporting consistent and effective supervision of firms that operate across both jurisdictions. The MoU also seeks to reduce unnecessary duplication in regulatory requirements, helping to ease the compliance burden on CTPs and CTPPs that may otherwise face overlapping or fragmented supervisory expectations.

The UK regulators noted that the CTP regime has been designed to complement international standards and to remain broadly compatible with DORA. The agreement reflects a shared commitment to international cooperation at a time when financial institutions are increasingly reliant on a small number of third-party providers for critical services such as cloud computing, data processing and payments infrastructure.

The MoU builds on regulatory reforms introduced in 2024, when UK authorities brought forward new rules to strengthen the operational resilience of critical third parties serving the financial sector. These rules came into force on 1 January 2025 and apply once a third-party provider is formally designated as a CTP by HM Treasury.

HM Treasury is responsible for determining which service providers fall within the scope of the regime. Once designated, CTPs are required to provide regular assurance to regulators, undertake resilience testing and report major operational incidents. The designation process is already underway, with regulators continuing to work closely with HM Treasury as assessments progress.

Importantly, the regime does not replace or diminish the responsibilities of financial firms and Financial Market Infrastructures (FMIs). Firms remain accountable for managing their own operational resilience and third-party risks in line with existing outsourcing and risk management rules. Instead, the framework is intended to provide an additional layer of systemic oversight, reflecting the growing concentration of risk among key third-party providers.

Copyright © 2026 RegTech Analyst
