Context
The FCA, Bank of England and Prudential Regulation Authority have together signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities to enhance co-operation and oversight of critical third parties (CTPs) that fall under the UK’s CTP regime. This provides a framework for coordinating and sharing information on the oversight of CTPs under the UK regime and critical third-party providers (CTPPs) under the EU’s Digital Operational Resilience Act (DORA), including during incidents such as power outages or cyber-attacks.
Key points to note and next actions
The MoU aims to manage potential risks to financial stability and market confidence, as well as strengthen international cooperation. It will also help reduce duplication and regulatory burden on CTPs and CTPPs. The UK’s CTP regime is designed to be compatible with DORA and with similar international standards.
- The background to this is that in 2024, UK regulators introduced new rules to bolster the resilience of critical third parties providing key services to the financial sector.
- These rules came into effect on 1 January 2025 and apply once a CTP is designated by the Treasury. The Treasury is responsible for deciding which third-party service providers should fall under the new CTP regime. The rules require designated CTPs to provide regular assurance, undertake resilience testing and report major incidents.
- Regulators will continue to work with the Treasury throughout the designation process.
- The regime does not reduce the responsibility of financial firms and Financial Market Infrastructures (FMIs) to manage their own operational resilience and third-party risks in line with existing outsourcing rules.
- In the EU, the Digital Operational Resilience Act (DORA) provides for regulation of CTPPs by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and/or European Securities and Markets Authority (ESMA). CTPPs face a series of requirements under DORA, including around incident management and reporting, and must confirm they can withstand and manage a wide range of ICT disruptions and cyber threats and comply with uniform requirements for the security of network and information systems.
