Critical ICT third-party provider designation: what UK firms need to know
The Digital Operational Resilience Act introduces a new category of regulated entity in the EU financial services landscape: the Critical ICT Third-Party Provider. Designated CTPPs are subject to direct supervisory oversight by the European Supervisory Authorities — a material change from the existing framework, under which ICT providers to financial services firms were regulated only through the contractual and due diligence obligations imposed on their financial services clients. In the UK, a parallel regime for Critical Third Parties has been established under the Financial Services and Markets Act 2023. Understanding both regimes — and the relationship between them — is essential for UK firms operating across jurisdictions and for any UK regulated entity that relies materially on large-scale technology providers.

The DORA CTPP regime

Under DORA, which has applied since January 17 2025, the European Supervisory Authorities — EBA, ESMA and EIOPA jointly — may designate ICT third-party service providers as critical where they meet specified criteria. The designation criteria focus on systemic importance: the number and type of financial entities relying on the provider, the substitutability of the provider (whether clients could readily switch to an alternative), the cross-border and cross-sector reach of the provider, and the degree of interconnection between the provider’s services and critical financial infrastructure.

In practice, the first cohort of designated CTPPs consists primarily of the major cloud infrastructure providers — Amazon Web Services, Microsoft Azure, Google Cloud Platform — and significant financial data and software vendors. These providers are relied upon by a large proportion of EU-regulated financial institutions and would, if they experienced a significant outage, create systemic disruption across multiple sectors simultaneously.

Once designated, a CTPP is subject to direct oversight by the relevant Lead Overseer — the ESA with the broadest sector mandate for the provider’s client base. The Lead Overseer can require the CTPP to provide information, conduct on-site inspections, issue recommendations on operational resilience improvements, and in extreme cases suspend or terminate the provider’s services to supervised entities. The CTPP must designate a management representative to liaise with the Lead Overseer and must maintain a register of all EU financial entities to which it provides services.

What this means for UK firms using EU entities

DORA applies to EU-regulated financial entities — it does not directly apply to UK-regulated firms operating solely in the UK. However, UK financial groups with EU subsidiaries or branches that are regulated in the EU must ensure that those EU entities comply with DORA, including the enhanced obligations relating to ICT third parties.

For a UK group with a regulated subsidiary in, for example, Ireland or Luxembourg, that subsidiary must: include CTPP oversight provisions in its contracts with designated CTPPs; conduct enhanced due diligence on CTPPs as part of its ICT risk management framework; maintain exit strategies that contemplate the scenario of a CTPP failing oversight requirements or having its services suspended; and participate in the information-gathering exercises that CTPPs must conduct for the ESAs. The UK parent group’s operational resilience programme must be capable of supporting the EU entity’s compliance with these obligations.

The UK FCA and PRA Critical Third Party regime

In the UK, the FSMA 2023 established powers for HM Treasury to designate Critical Third Parties, on the recommendation of the FCA, PRA or Bank of England. The UK CTP regime is a domestic parallel to the DORA CTPP framework and is designed to address the same systemic risk — the concentration of dependency among UK-regulated financial institutions on a small number of critical technology providers.

Once designated, a UK Critical Third Party is subject to oversight by the FCA and/or PRA, which may issue recommendations, require resilience testing, set minimum resilience standards, and — in an extreme scenario — issue service interruption directions. The regime focuses on the systemic risk of the provider’s services to the UK financial sector rather than the provider’s services to any individual client firm.

The first designations under the UK CTP regime are expected to focus on major cloud infrastructure providers and material third-party data and software providers — the same population that DORA’s CTPP designation covers. Firms should assume that the major cloud providers they currently use will be designated under the UK CTP regime and should ensure their contracts with those providers include the minimum provisions the FCA is expected to require of designated CTPs.

Practical implications for firms

For UK firms with EU entities, the most immediate practical obligation is contractual. DORA requires that contracts with ICT third-party service providers include specified provisions — relating to service levels, security standards, audit rights, incident notification, and exit arrangements. Contracts with providers that have been or may be designated as CTPPs require enhanced provisions. Firms should have reviewed their major ICT provider contracts against DORA’s requirements and should have an action plan for updating any contracts that are non-compliant.

For UK-only firms, the FCA’s CTP regime creates analogous obligations once providers are designated. Firms that have reviewed their contracts for DORA compliance will find the UK regime largely parallel — the minimum provisions required under both frameworks are designed to be consistent. A firm that is compliant with both regimes for its major technology providers will be better positioned than one that has addressed only the domestic UK requirements.

Exit strategies are an area where many firms have underdeveloped frameworks. The possibility of a major cloud provider being designated a CTPP or CTP and subsequently being found by the regulator to have inadequate resilience — potentially leading to a service suspension order — is a low-probability but high-impact scenario that firms are now required to plan for. Credible exit strategies for CTPP relationships are not merely contractual — they require the firm to have assessed whether it could actually migrate its workloads to an alternative provider within a meaningful timeframe, and to have maintained the operational capability to do so.

FD Capital places operational resilience professionals and senior compliance officers in FCA-regulated firms navigating both the UK and EU operational resilience frameworks. The specific expertise required to manage CTPP and CTP relationships — combining regulatory knowledge with technology risk and third-party management capability — is increasingly in demand as both regimes mature.

Written by

Adrian Lawrence FCA

Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383

FD Capital is an ICAEW-Registered Practice specialising in compliance and senior finance recruitment for FCA-regulated firms.