On 1 January 2025, the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority (PRA) rules to strengthen the resilience of critical third parties (CTPs) providing services to the financial sector enter into force. The rules aim to address the risks posed by reliance on a limited number of third-party providers, which could disrupt the financial system due to failures or cyber incidents. The rules are aligned with international standards, such as the EU’s Digital Operational Resilience Act (DORA), and complement existing operational resilience requirements for financial firms and market infrastructures. The government will determine which third parties fall under the regime based on advice from regulators. Once designated, critical third parties will be subject to specific oversight related to the services they provide to the financial sector rather than being overseen in their entirety. The rules require these third parties to provide regular assurance, information, and notifications to regulators, as well as undertake resilience testing, including scenario-based exercises with firms and financial market infrastructures (FMIs). Additionally, critical third parties will be required to report major incidents, such as cyber-attacks.