The knowledge platform for the financial technology industry

A-Team Insight Blogs

What “Good” Looks Like Under New UK CTP Rules


At the start of the year, the UK switched on a new oversight regime for Critical Third Parties (CTPs) – giving the Bank of England, PRA and FCA direct powers over tech providers whose failure could rattle market stability. The rules and supervisory approach were finalised in November 2024; designations are made by HM Treasury and will cover only a small number of providers whose services are truly systemic. Crucially, this does not dilute firms’ own accountability for operational resilience or third-party risk. Whether it’s a trading venue, broker-dealer, buy-side desk, exchange or other financial market infrastructure (FMI) provider, expect supervisors to ask firms to demonstrate, with evidence, their understanding and management of concentration risk and CTP failure scenarios.

Under the UK regime, regulators assess and, where needed, direct CTPs on outcomes-based resilience standards – governance, risk management, dependency and supply-chain controls, cyber/tech resilience, mapping, incident management, and orderly contract termination. CTPs must run annual scenario tests and biennial incident-management playbook exercises that involve a sample of their financial-sector customers, and they must share the results and their annual self-assessment back to those customers. This allows firms to plug provider artefacts directly into their own control frameworks and Board Management Information.

At the same time, the FCA has proposed structured reporting by firms on material third-party arrangements, including a register that maps third-party services to critical/important business services and internal risk assessments – to help regulators spot sector-wide concentration at specific CTPs. Even before the proposals are finalised, supervisors will expect firms to organise data this way.

Cloud/CTP Concentration Evidence

The question supervisors will ask is simple: “Show us your line of sight from market-critical services to third-party concentration and your contingency.” Here’s what good might look like in a capital-markets context, stitched to the regulators’ own playbook:

Service-criticality mapped to real dependencies: For every important business service (order entry and matching, market data ingestion, clearing gateway, collateral and liquidity management, treasury payments), show a current map of the systemic third-party services that underpin it, the assets and people that support those services, and the Nth-party links (e.g., a cloud region + CDN + DNS + HSM chain). In the UK framework, CTPs must complete their own mapping within 12 months of designation and keep it current; firms should maintain compatible maps to quickly reconcile provider data.

Quantified concentration and substitutability: Demonstrate where there are single points of failure (e.g., all lit venue connectivity terminating in a single cloud region; all reference data mastering in one SaaS).

Evidence mitigations: Architectural diversification, contractual fallbacks, data portability, pre-provisioned cross-region failover, brokered access to alternate venues, and how long it takes to switch. The BoE’s approach document is explicit that concentration and materiality drive CTP designation; supervisors will use firms’ submissions to build a system-wide picture.

A register that regulators can use: The FCA proposal sets out relational templates: firm identifiers, contract references, third-party LEIs, ICT/non-ICT service taxonomy, supply-chain ranking, and a flag for whether a service supports an important business service. It aligns its service taxonomy to DORA’s Register of Information to aid cross-border analysis. Built on those fields, the register becomes the firm’s master view for audits and supervisor data calls.
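As an added illustration, not part of the original article or of any regulator’s template, the Python below models a handful of register rows in the shape described above (service, provider, LEI, supply-chain rank, pre-provisioned alternates) and derives from them the two views a supervisor asks for: concentration by provider and un-substitutable single points of failure. The service and provider names and the LEIs are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    """One register row, loosely following the FCA field list (LEIs are placeholders)."""
    service: str            # important business service supported
    provider: str           # third-party or Nth-party service (constructed names)
    lei: str                # provider LEI, constructed placeholder here
    rank: int               # supply-chain rank: 1 = direct provider, 2 = its subcontractor
    alternates: tuple = ()  # pre-provisioned substitutes; empty means none exists

def concentration(register):
    """Concentration view: which important business services sit on each provider."""
    by_provider = defaultdict(set)
    for d in register:
        by_provider[d.provider].add(d.service)
    return {p: sorted(s) for p, s in by_provider.items()}

def single_points_of_failure(register):
    """(service, provider) pairs with no substitute: losing the provider takes the service down."""
    return sorted({(d.service, d.provider) for d in register if not d.alternates})

def shared_spofs(register, min_services=2):
    """Providers that are an un-substitutable dependency of several services at once,
    i.e. the concentration hot-spots to flag to a supervisor first."""
    spof = defaultdict(set)
    for d in register:
        if not d.alternates:
            spof[d.provider].add(d.service)
    return {p: sorted(s) for p, s in spof.items() if len(s) >= min_services}

# Constructed sample register: a cloud region + CDN + DNS + HSM chain under order matching,
# the same region under market data ingestion, and reference data mastered in one SaaS.
REGISTER = [
    Dependency("order entry and matching", "cloud-region-A", "LEI-PLACEHOLDER-1", 1),
    Dependency("order entry and matching", "cdn-B", "LEI-PLACEHOLDER-2", 2, ("cdn-C",)),
    Dependency("order entry and matching", "dns-D", "LEI-PLACEHOLDER-3", 2),
    Dependency("order entry and matching", "hsm-E", "LEI-PLACEHOLDER-4", 2),
    Dependency("market data ingestion", "cloud-region-A", "LEI-PLACEHOLDER-1", 1),
    Dependency("market data ingestion", "refdata-saas-F", "LEI-PLACEHOLDER-5", 1),
    Dependency("clearing gateway", "cloud-region-A", "LEI-PLACEHOLDER-1", 1, ("cloud-region-G",)),
    Dependency("clearing gateway", "hsm-E", "LEI-PLACEHOLDER-4", 2),
]

if __name__ == "__main__":
    for provider, services in shared_spofs(REGISTER).items():
        print(f"{provider}: un-substitutable for {', '.join(services)}")
```

Note that the clearing gateway’s cross-region failover removes it from the shared-SPOF view even though the region remains its rank-1 provider in the concentration view; that is the difference between mapping a dependency and evidencing its substitutability.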

Playbooks that match the CTP’s exercises: CTPs must run joint incident-management playbook exercises with a sample of firms, share reports, and update playbooks within six months. Firms should feed this data into their own playbooks and reconcile lessons learned with impact tolerances for each important business service. Re-test any weak spots (e.g., market-wide trading halt recovery, corrupted market-data feed, clearing API brownout at T+0). This is the material supervisors could ask to see.

Incident reporting that travels across regimes: The FCA proposes thresholds and templates that dovetail with global standards and DORA. Firms’ internal thresholds and routing should already map to those fields to ensure consistent data gets pushed to the FCA/PRA and, where relevant, EU authorities.

Example: In a tier-one trading venue ‘outage rehearsal’, the venue’s cloud provider runs a regulator-observed exercise. The provider shares a redacted annual self-assessment along with scenario-test findings, and its maximum tolerable disruption for the critical business function – e.g. the order-matching service that’s already been tagged as a critical/important business service and linked to order-routing and market data functions in the register. Within 48 hours of the rehearsal, the firm should be able to show the supervisor:

  • the exact cloud region dependency
  • an alternate route to a backup venue
  • the pre-positioned liquidity and credit limits to tolerate slippage
  • client communications templates
  • a reconciliation of lessons learned into Board Management Information (MI).

DORA and Cross-Border

Whilst DORA and CTP share similar goals, their implementations are different. DORA directly supervises critical Information and Communications Technologies (ICT) providers across the EU via Lead Overseers and Joint Examination Teams (JETs); the ESAs published a detailed Oversight Guide on 15 July 2025 explaining how they will plan investigations, on-/off-site inspections and recommendations.

By contrast, the UK does not confine itself to “ICT”. The UK regime is technology-neutral, capturing any service whose disruption could threaten stability – but it does not include DORA-style administrative fines. UK regulators instead lean on directions, censure and restrictions on services. For firms that operate cross-border, a single converged evidence pack should be the goal, i.e., a DORA-aligned register along with testing artefacts that also satisfy the UK’s outcomes-based CTP standards.

Cloud providers are preparing in public. AWS has said it is “preparing for this regime based on the assumption that we will be designated as a CTP” and describes the UK model as “outcomes-based” while pledging to share its approach with customers.

RegTech Responses

The following RegTechs are focused on DORA/UK-CTP work right now, based on what they already ship (or have publicly demonstrated) around third-party mapping, registers, and exercise orchestration.

Fusion Risk Management: Fusion has leaned hard into resilience beyond compliance for financial services, and it’s been publishing DORA-specific guidance and tooling throughout 2024–25. Their DORA material emphasises board-level accountability, mapping of important business services to third-party dependencies, scenario testing, and playbook execution – exactly the artefacts supervisors will want to see reused across DORA and the UK CTP regime. In practice, that means centralised assessments, running joint exercises, and generating evidence packs that align to DORA while reading straight across to the UK’s outcomes-based CTP standards.

The FCA/PRA are moving firms toward structured, standardised registers of material third-party arrangements and consistent incident data; Fusion’s approach to mapping and exercise orchestration fits neatly into that reporting posture.


Archer IRM

Archer has shipped a DORA-aligned Register of Information “app-pack,” designed to capture the exact third-party data elements regulators require under DORA (entity-, sub-consolidated- and consolidated-level views; contract and service taxonomy; supply-chain ranking). That makes Archer an obvious contender for firms that want a single source of truth to serve both EU DORA and UK CTP obligations – and to pivot quickly if/when the FCA/PRA finalise a UK template for the annual third-party register. Archer also positions its broader operational resilience and TPRM capabilities as the integrated risk management (IRM) backbone around that register.

The UK is explicitly consulting on “incident reporting + a structured register” to help supervisors spot sector-wide concentration; Archer’s DORA register provides a ready-made schema that can be repurposed for UK submissions.


Risk Ledger

Risk Ledger’s proposition is multi-tier supply-chain security with real visibility beyond the first line of suppliers – precisely where both DORA and UK CTP want firms and providers to prove resilience. The company has been producing CTP-regime explainers and DORA checklists for 2025, and its leadership has signalled 2025 feature expansion aimed at helping clients meet emerging frameworks like DORA and NIS2. In a UK-CTP/DORA setting, that “whole-chain” view helps evidence subcontractor oversight, concentration risk hot-spots and dependency tiers for critical/important functions.

