UK and EU regulators have taken a significant step towards strengthening cross-border supervision of critical third parties by signing a new Memorandum of Understanding (MoU) focused on operational resilience and financial stability.
The agreement brings together the Financial Conduct Authority, the Bank of England and the Prudential Regulation Authority with the European Supervisory Authorities, creating a formal framework for cooperation in overseeing key service providers that underpin the financial system.
The MoU is designed to enhance coordination and information sharing between UK and EU authorities in relation to critical third parties (CTPs) under the UK regime and Critical Third Party Providers (CTPPs) that fall within the scope of the EU’s Digital Operational Resilience Act (DORA). This includes collaboration during major incidents such as cyber-attacks, technology failures or power outages, where disruptions at third-party providers could pose systemic risks to financial markets.
A central objective of the agreement is to manage potential threats to financial stability and market confidence while strengthening international regulatory cooperation. By aligning supervisory approaches, the MoU also aims to reduce unnecessary duplication and regulatory burden for firms operating across both jurisdictions, offering greater clarity for providers subject to oversight under the UK and EU frameworks.
UK regulators have positioned the CTP regime as complementary to international standards and deliberately compatible with DORA. The agreement underscores the UK’s commitment to maintaining strong cross-border relationships following the introduction of its own operational resilience rules, while ensuring that the regulatory environment continues to support growth and market stability.
The MoU follows the introduction of new UK rules in 2024 aimed at bolstering the resilience of critical third parties that provide essential services to the financial sector. These rules came into force on 1 January 2025 and apply once a provider is formally designated as a CTP by HM Treasury. Under the regime, designated CTPs will be required to provide regular assurance to regulators, undertake resilience testing and report major incidents that could impact the financial system.
HM Treasury is responsible for determining which third-party service providers fall within the scope of the CTP regime, with the designation process already underway. UK regulators have confirmed that they will continue to work closely with HM Treasury as this process progresses.
Importantly, the new regime does not shift responsibility away from financial firms or Financial Market Infrastructures (FMIs). Firms remain fully accountable for managing their own operational resilience and third-party risks in line with existing outsourcing and resilience requirements, reinforcing the shared responsibility model that underpins the UK’s approach to operational risk management.
Copyright © 2026 FinTech Global









