UK Announces List of First Critical Third Parties
On 10 July 2026, HM Treasury designated the first Critical Third Parties (CTPs) under the UK's operational resilience regime for financial services. While the CTP rules took effect on 1 January 2025, they only apply once an entity is formally designated. These initial designations (effective 13 July 2026) therefore mark the point at which the regime becomes operational for the designated providers.
Background
The financial services sector has become increasingly reliant on a concentrated number of third-party service providers, including those offering technology and other critical services to financial services firms and financial market infrastructures. Recognising the systemic risks posed by such concentration, the Financial Services and Markets Act 2023 conferred oversight powers on the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) in respect of critical third parties.
The significance of these risks was highlighted in October 2025, when a major third-party outage across cloud infrastructure affected numerous financial firms, demonstrating the depth of the UK financial services sector’s dependence on a small number of third-party providers.
The designation of these four CTPs follows a report on the use of AI in financial services published by the Treasury Committee in January 2026. The report made various recommendations, including that by the end of 2026, HM Treasury must designate the major AI and cloud providers as critical third parties for the purposes of the Critical Third Parties Regime in order to improve oversight and resilience.
Consequences for CTPs
Being designated as CTPs brings these entities within the purview of the FCA and PRA, meaning that they must comply with operational resilience rules that are contained in the PRA and Bank of England rulebooks and the FCA Handbook. These include rules across governance and risk management, supply chain risk management, cyber resilience, change management, and incident management and reporting.
CTPs must also adhere to conduct requirements in the form of six Fundamental Rules, which broadly align with the FCA Principles for regulated firms: conducting business with integrity; conducting business with due skill, care, and diligence; acting in a prudent manner; having effective risk strategies and risk management systems; controlling its affairs responsibly and effectively; and dealing with each regulator in an open and cooperative way.
The designation of these CTPs does not diminish the regulatory responsibilities of financial services firms using the services of the CTPs. Financial services firms remain responsible for managing their own third-party risks in line with existing operational resilience and outsourcing requirements.
Potential sanctions for non-compliance
A CTP that fails to comply with the regulatory regime faces material regulatory and commercial risk. In particular, regulators may take disciplinary measures against non-compliant CTPs, including prohibiting the CTP from entering into arrangements or continuing to provide services to authorised firms, imposing conditions on a CTP’s services, and issuing public censure.
The regulators have stated that they will implement a “proportionate” approach to overseeing the CTPs; however, it is not clear what this means in practice, so we will have to wait to see the extent of the regulators’ oversight and enforcement actions.
Contrast with EU approach
The UK approach contrasts with the EU Digital Operational Resilience Act (DORA): the UK regime is broader in legal scope, but more selective in its initial designations. While DORA is focused specifically on ICT third-party service providers, the UK CTP regime can in principle apply to any technology or non-technology service provider whose disruption could threaten UK financial stability or confidence. However, in practice, the UK’s first designations are narrower, covering only four global cloud and technology providers, whereas the EU has already designated 19 critical ICT third-party providers (CTPPs) under DORA. This suggests that the UK has so far taken a more selective approach, focused on a small number of major cloud and technology providers, while preserving flexibility to expand the regime if the regulators identify further systemic dependencies.
Despite this divergence, the UK regulators have signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities to establish a framework for enhanced cooperation, practical coordination, and sharing of information on the oversight of CTPs under the UK regime and CTPPs under DORA.
Analysis
The UK CTP regime marks a shift in outsourcing regulation by moving beyond the traditional model of regulators primarily supervising regulated financial services firms’ management of their outsourcing risk, to a model of direct oversight of certain third-party service providers themselves. This reflects the growing regulatory concerns surrounding the concentrated risk of third-party artificial intelligence and cloud service providers, while preserving financial services firms’ own responsibility for managing outsourcing and third-party risk.
This initial designation of CTPs is not an exhaustive list, so additional providers may be designated over time where HM Treasury decides that it is necessary to protect the resilience of the UK financial sector. Designated CTPs may also be de-designated where HM Treasury determines a reduction in risk. In practice, future designations and de-designations are likely to be driven by the regulators’ ongoing analysis of market-wide third-party dependencies, including the extent of firms’ reliance on a provider, the importance of the services it supports, the availability of substitutes, and the potential impact of disruption. There is no fixed review cycle or cap on the number of CTPs, but the regulators are expected to assess the position periodically. The FCA has indicated that data required under new material third-party reporting rules, which require in-scope firms to maintain and annually submit registers of material third-party arrangements from 18 March 2027, will help regulators identify and recommend potential CTPs to HM Treasury in the future.
How we can help
Morrison Foerster regularly advises financial services firms and their suppliers on complex regulatory requirements, including the UK’s CTP regime, and has a deep understanding of how to balance regulatory compliance with commercial and operational considerations. Please contact the authors to discuss how MoFo can help.



