A spotlight on Digital Resilience and the Financial Sector
November 03, 2025
Regulators in the EU and the UK are reshaping the rules which govern outsourcing and third-party risk management, with a clear objective: to increase digital operational resilience in the financial services sector. This new body of regulation is born out of the recognition that the financial services sector is fundamentally reliant on technology and, as such, is increasingly vulnerable to the impacts of cyber-attacks, IT outages and failures in the IT supply chain. The new regulatory requirements are set out in the EU's Digital Operational Resilience Act (DORA) and the UK's Critical Third-Party (CTP) regime.

EU DORA Regulation

DORA came into effect on 17 January 2025. It applies to regulated firms in the EU: banks, lenders, payment institutions, insurers, reinsurance and insurance intermediaries, investment firms, crypto-asset firms, and so on. Importantly (for the purposes of this article) it also applies to information and communication technology (ICT) third-party service providers in two ways.

Firstly, financial entities will seek to flow down the regulatory requirements (enshrined in Arts. 28 and 30 of the Regulation) through a combination of more extensive due diligence requirements and contractual assurances. Typical DORA flow-downs include specifications around: data, security and resilience; business contingency management; incident support; cooperation with supervisory authorities; termination rights; audit and regulatory access; subcontracting management and mandatory flow-down terms; and (where relevant) cooperation with resilience testing, including threat-led penetration testing (TLPT). These obligations now cascade across the entire supply chain, from the financial entity to its material subcontractors (e.g. cloud/hyperscale infrastructure and data-centre providers).
Secondly, designated ICT third-party service providers will be, for the first time, subject to the direct supervision and oversight of the financial sector regulators. To identify such suppliers, which are considered critical to the financial and insurance sector as a whole, the authorities have undertaken an extensive mapping of the market. Unless the European Supervisory Authorities (the EBA, ESMA and EIOPA) accept the substantive basis on which a designation is challenged, the designated third-party service providers will be named officially in due course. The first designations are expected to be published in Q4 of 2025 and will be updated on a yearly basis.

Updates to EBA Outsourcing Guidelines

The EBA has consulted on replacing and broadening its 2019 Outsourcing Guidelines with third-party risk management guidance aligned to DORA. The EBA, ESMA and EIOPA are expected to apply a more consistent approach across all third-party arrangements, while focusing on DORA for ICT services specifically.

UK Critical Third-Party Regime

In the UK, the CTP framework established by the Financial Services and Markets Act, in force since 1 January 2025, parallels the DORA oversight framework. The CTP regime will sit alongside existing rules implemented by the FCA and PRA on outsourcing, third-party risk management and operational resilience. Under the CTP regime, HM Treasury may designate certain suppliers as CTPs, bringing them within the supervisory remit of the Bank of England, PRA and FCA. While regulated firms remain responsible for the functions, activities or services which they choose to outsource, supervisors will be able to set resilience standards for designated providers. HMT originally targeted publication of its designations in the autumn of 2025, but the process appears to be running behind its European cousin. Equally, suppliers may find themselves designated in Europe but not in the UK.

What should technology firms do to prepare?
Immediate priorities for tech providers serving financial institutions will be to
In our experience, it pays to be prepared. Technology service providers who have prepared DORA addenda and playbooks (ideally supported by customer-facing white papers and educated sales teams) have found that they can radically shorten negotiation cycles. Having pre-set positions on tricky issues (such as audits and pen testing) will put you on the front foot and avoid unnecessary escalations.