The UK’s Critical Third-Party (CTP) regime is now operational, and boards cannot afford to treat it as an IT department concern. Under the Financial Services and Markets Act 2023, the FCA, Bank of England, and PRA have direct supervisory powers over the most systemically important technology providers in UK financial services — but accountability for resilience outcomes remains squarely with the regulated firm, its board, and named senior managers.

What Is the UK Critical Third-Party Regime and Why Does It Matter Now?

The CTP regime exists because a handful of cloud providers, data processors, and payments infrastructure firms now underpin the operations of a significant proportion of UK financial services. The Bank of England has been explicit: disruption to a single designated provider could trigger cascading failures across multiple regulated firms simultaneously, threatening financial stability and consumer confidence at scale. HM Treasury designates which providers become CTPs; once designated, they face mandatory resilience testing, regular assurance submissions, and incident reporting to the FCA, PRA, and Bank of England.

The regime reached a significant milestone in January 2026, when UK and EU regulators signed a Memorandum of Understanding on coordinated CTP oversight — a signal that cross-border third-party risk management is becoming a permanent feature of the supervisory landscape, not a one-cycle compliance exercise. Critically, CTP designation does not shift liability away from the regulated firm. Boards and senior managers remain fully responsible for their own operational resilience posture, regardless of their suppliers’ CTP status.

Executive Action:

  • Confirm whether any of your material technology providers are, or are likely to be, designated as CTPs by HM Treasury — your legal and risk teams should be tracking this actively.
  • Ensure CTP exposure is captured as a distinct category in your operational resilience framework, separate from generic third-party risk.
  • Brief your board on CTP designation criteria and the firm’s accountability obligations before your next risk committee meeting.

How Does CTP Designation Change Your Contracts and Due Diligence?

The FCA’s outsourcing rules — already demanding under PS6/21 and supervisory statement SS6/24 — apply in parallel with the CTP regime. Contracts with material third parties must include adequate provisions for information access, audit rights, exit and wind-down planning, and sub-outsourcing controls. Deloitte’s analysis of the CTP framework identified exit and wind-down planning as the most common gap: firms that have not modelled what a CTP failure would look like in practice, or whether an alternative provider could be onboarded within their impact tolerance window.

Executive Action:

  • Commission a contract audit of tier-one and tier-two technology supplier agreements against FCA outsourcing requirements — gaps in audit rights and exit planning are the areas most likely to attract scrutiny.
  • Run a CTP concentration risk scenario at board level: what happens if your largest cloud provider faces a multi-day outage or withdraws from the UK market?
  • Ensure exit planning for all material third parties has been stress-tested and formally approved at board or ExCo level.

What Do the March 2026 Incident Reporting Rules Require?

In March 2026, the FCA published new incident reporting and third-party notification requirements, removing ambiguity that had led to inconsistent notification practices across the sector. Firms must notify the FCA promptly when a third-party incident materially impacts their ability to deliver important business services — a definition broad enough to capture incidents affecting a significant number of customers, breaching impact tolerances, or carrying the potential for market-wide harm.

This is not a standard that operations teams can apply on instinct. According to the FCA’s updated guidance, firms must have written escalation protocols and pre-agreed notification thresholds that have been formally approved at senior management level. For CFOs, regulatory censure for late or inadequate notifications carries both financial and reputational consequences that warrant explicit risk provisioning. INFORMD tracks developments of this kind across the FCA’s supervisory calendar so that senior executives receive the context they need to act, not just the headline.

Executive Action:

  • Update incident response playbooks to include specific escalation scenarios for CTP and material third-party failures — the path to FCA notification must be documented and rehearsed, not improvised.
  • Present your updated incident response framework to the board for formal approval, mapping it explicitly to your Important Business Services and impact tolerances.

How Should the Board Own Third-Party Risk as a Governance Matter?

The CTP regime reinforces a principle regulators have repeated for several years: the board cannot outsource accountability. Named senior managers holding SMF24 (Chief Operations) and SMF2 (Chief Finance) designations under the Senior Managers and Certification Regime remain personally accountable for operational resilience outcomes, regardless of how functions are delegated. Research from the Corporate Governance Institute indicates that a significant proportion of UK boards have yet to formalise third-party risk as a standing governance matter — a gap regulators are increasingly well-positioned to identify through supervisory engagement.

For NEDs and audit committee chairs, CTP concentration may represent a material risk warranting disclosure under the Companies Act 2006 and the UK Corporate Governance Code. The question boards should be asking in 2026 is not whether they have outsourced a function, but whether they can demonstrate to the FCA that they fully own the outcomes, even when the systems and services are not theirs.

Executive Action:

  • Add CTP and third-party concentration risk as a standing agenda item at risk committee meetings — it should not appear only after an incident has occurred.
  • Assign explicit SMF accountability for third-party risk oversight and document it in your responsibilities map — ambiguity here is a direct regulatory vulnerability under SMCR.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

What is the UK Critical Third-Party (CTP) regime?

The CTP regime, established under the Financial Services and Markets Act 2023, gives the FCA, Bank of England, and PRA direct supervisory powers over technology and service providers whose failure could destabilise the UK financial system. Designated CTPs face mandatory resilience testing, assurance requirements, and incident reporting obligations. Regulated firms remain accountable for their own resilience regardless of their suppliers’ CTP status.

Which firms are affected by the CTP regime?

Any FCA-regulated or PRA-regulated financial services firm that relies on a designated CTP for important business services is directly affected. HM Treasury decides which providers receive designation. The regime does not restrict the use of CTPs — it intensifies the due diligence, governance, and contractual obligations on regulated firms that depend on them.

How does the UK CTP regime relate to DORA?

The EU’s Digital Operational Resilience Act (DORA) established a parallel oversight regime for ICT third-party providers in EU financial services. UK firms with EU operations face dual obligations. The January 2026 Memorandum of Understanding between UK and EU regulators reflects an effort to align supervisory approaches — though the two regimes remain distinct and compliance with one does not guarantee compliance with the other.

What are the consequences of non-compliance?

The FCA and PRA can issue public censure, financial penalties, and — where SMCR accountability applies — take enforcement action against named senior managers. Late incident notifications and inadequate exit planning for material third-party relationships are areas of particular focus. Boards that cannot evidence active oversight of CTP risk face both regulatory and reputational exposure.

Stay ahead. Subscribe to INFORMD’s executive briefing at informd.co.uk/services.