EU and UK operational resilience

One aim, two approaches

Regulated financial institutions operating in the UK and EU often rely on third-party service providers to help run or facilitate important parts of their business. The July 2024 CrowdStrike outage illustrates the critical role that third-party service providers can play in the financial sector, and the risks they could pose to financial stability when things go wrong. In this article we outline the key provisions, points of difference, and implications of incoming UK and EU regimes designed to meet this risk and bolster operational resilience. Under both regimes, and for the first time, technology services to the financial sector will be subject to direct supervision by financial services regulators.

The regimes at a glance

From 17 January 2025, new EU rules concerning the provision of information and communication technology (ICT) services to regulated financial institutions will apply under the Digital Operational Resilience Act (DORA). DORA sets digital operational resilience standards for EU regulated financial institutions, requiring them to manage their ICT risks effectively, and will subject critical ICT third-party service providers (ICT CTPs) to a brand new oversight framework.  

The UK, meanwhile, has adopted a two-pronged approach. First, through the implementation of a framework for operational resilience in the financial sector, which was introduced in March 2022 with a longstop compliance date of 31 March 2025, and which applies to regulated financial institutions. Second, through the introduction of a new oversight regime for CTPs who provide material services to regulated financial institutions, which will take effect from 1 January 2025.  

No CTPs have yet been designated under either regime, but initial designations are expected to focus on large cloud and other infrastructure providers (and increasingly, artificial intelligence solutions). Importantly, the UK regime is broader than DORA and could, in future, capture other firms – for example, those providing claims management services to insurers.  

Both the EU and UK regimes will have significant consequences for regulated financial institutions and CTPs. In the sections below, we outline several important considerations for firms when preparing for these changes. 

What this means for the financial sector in 2025 

Leaving aside DORA’s focus on ICT risk, there are several areas where the UK and EU regimes are aligned. In both jurisdictions, operational resilience rules require regulated financial institutions to implement internal governance and control frameworks to identify, prevent, manage and respond to risks which may arise. Under DORA, these measures will include a requirement to implement an ICT risk management framework and digital operational resilience strategy which establishes risk tolerances. Firms subject to the UK’s operational resilience rules are already required to identify their important business services (IBS), set impact tolerances for service disruption and implement strategies, processes and systems to enable the firm to remain within those impact tolerances.  

There are also similarities in terms of the testing and incident management requirements that apply under both regimes. DORA mandates that regulated financial institutions perform threat-led penetration testing (TLPT) on ICT tools, systems and processes, which is likely to be more exacting than the testing processes many may have faced previously. UK regulated financial institutions are already required to carry out scenario testing of their ability to deliver IBS during a disruption event, which may, and in most cases should, include penetration tests. Under both regimes, firms must maintain a communication strategy to minimise harm caused by disruption events.  

One key distinction for firms to bear in mind is that DORA prescribes minimum contractual arrangements that must be included in contracts between EU regulated financial institutions and ICT service providers and provides for the ability to rely on standardised contractual provisions. Enhanced provisions apply where the services support critical or important functions of the financial institution. No equivalent requirements apply under the UK operational resilience rules or CTP regime, although existing outsourcing rules will overlap with these requirements in many areas.  

What this means for CTPs in 2025

The obligations that apply to CTPs exist in parallel and are intended to complement rather than to blur, eliminate or reduce the responsibilities of regulated financial institutions. 

Under DORA, ICT CTPs which are designated as critical to the EU financial sector will be subject to oversight by the European Supervisory Authorities (ESAs) acting as so-called “Lead Overseers”. This designation will depend on both quantitative and qualitative factors and focusses on the substitutability of the service provision. Under the UK CTP regime, designation is based on the likelihood that a failure in, or disruption to, a CTP’s service provision could threaten the stability of, or confidence in, the financial system of the UK. This assessment will consider the materiality of the services and the number and type of regulated financial institutions to which the services are provided, and oversight is conducted by the UK regulators (the Bank of England, PRA and FCA). 

The effect of designation for any CTP is similar in the EU and the UK. CTPs will be subject to new obligations to establish and maintain risk management policies and communication strategies, carry out testing programmes, and implement incident monitoring and reporting mechanisms. There is a deliberate symmetry between these rules and the operational resilience rules that apply to regulated firms, strengthening the alignment of interests between CTPs and their financial sector clients.

Supervisory powers exercisable by the Lead Overseer under DORA and the UK regulators are also comparable, including investigatory and information gathering powers, and disciplinary measures in the event of non-compliance. Penalties, however, present a significant area of difference. DORA provides the ESAs with the power to hand down significant fines to ICT CTPs for non-compliance, but the UK regime does not include fining powers.

Another important area of divergence is territorial scope:

  • Under DORA, the powers of the Lead Overseer extend beyond the EU, and third country ICT CTPs will be required to establish or designate an EU subsidiary as the primary point of contact. 
  • The UK CTP regime is location agnostic (i.e., it is not concerned with the location of service providers) but does not provide for extensive extraterritorial powers for the UK regulators in the same way that DORA does. UK CTPs are also not required to set up a branch or subsidiary in the UK.

Next steps

For financial institutions that are used to operating within the ambit of the UK and EU’s existing outsourcing rules, these new frameworks are unlikely to require fundamental changes to existing processes, controls and arrangements. For technology providers designated as CTPs however, the changes are likely to be more significant, as firms adapt for the first time to direct supervision by UK and EU financial services regulators. While driven by different motivations, it is no coincidence that these changes are taking effect at the same time, as legislators and regulators in the UK and EU adopt a more muscular approach to the regulation of “big tech”. Both developments seek in their own way to address sources of systemic risk within the technology sector, and to remedy perceived imbalances of power between tech providers and their customers. Whether this will prevent another CrowdStrike incident is debatable (it is unlikely that CrowdStrike itself would have been designated as a CTP), but both the UK and EU regimes demonstrate the significant supervisory concern as to those risks and a willingness to intervene directly to mitigate them. 

Who to contact
David Shone, Partner

This material is provided for general information only. It does not constitute legal or other professional advice.