The UK Bank of England is consulting on a new regulation that would address the operational resilience of critical third parties that work with the finance sector. The first round of consultation on the matter ended on 15-Mar-2024 and there will probably be another one before the regulation is finalised. The regulation does not have a definite date yet, but our guess is that it will come into place by 2027.

The new regulation, currently labelled “CP26/23 – Operational resilience: Critical third parties to the UK financial sector” follows on the footsteps of the EU DORA regulation which is coming into force January-2025.

Expected Minimum Requirements

CTPs must meet requirements for:

  • 1

    Governance: clear structures for responsibility and oversight of resilience.

  • 2

    Risk Management: effective identification and mitigation of risks to service delivery.

  • 3

    Dependency and Supply Chain Risk Management: management of risks from reliance on other parties for service continuity.

  • 4

    Technology and Cyber Resilience: strong technology infrastructure and cyber security.

  • 5

    Change Management: management of changes in services or operations to maintain resilience.

  • 6

    Mapping: documentation of services and processes to manage risks.

  • 7

    Incident Management: readiness to deal with and recover from incidents.