UK regulators address critical third party operational resilience in financial sector

The FCA, PRA and BoE have set out their final requirements and expectations for managing the potential systemic risk posed by technology firms that supply the financial sector.

The new policy statement (PS24/16), along with the supervisory statement (SS6/24), sets out the oversight regime for those technology firms designated as critical third parties (CTPs).

The objective of the regulatory regime is ensuring that the failure of or disruption to the services provided by a technology firm does not compromise the stability of or confidence in the UK’s financial system.

While the regulators may recommend third parties for designation as critical, HM Treasury alone makes the designation decision. This choice of decision maker further underlines the systemic risk focus of the rules.

Identification and designation

Additional guidance has been provided in the policy statement on how the regulators will identify candidates for designation as CTPs. The document notes, however, that this aspect of the regime is subject to change because the approach to identification and designation will evolve over time.

The eight operational risk and resilience requirements set out for designated CTPs are closely aligned with the EU's DORA rules and cover:

  • governance;
  • risk management;
  • dependency and supply chain risk management;
  • technology and cyber resilience;
  • change management;
  • mapping;
  • incident management; and
  • termination of services.

There are also requirements for scenario testing and for exercising incident management playbooks.

Obligations for more comprehensive information sharing and a duty to notify regulators of "serious" incidents are also being introduced. The "notion of seriousness in the definition" has been retained by the regulators despite criticism from some stakeholders of its subjective nature.

In this context, the BoE's revised approach to enforcement is also essential reading, as it covers the enforcement policy and procedure that apply to CTPs.

The final rules will take effect from 1 January 2025.

GRIP Comment

The FCA's operational resilience rules will be fully effective on 31 March 2025, so the finalization of the UK's regime for ensuring the resilience of critical third parties that serve the financial sector is unsurprising.

It also aligns UK practice more closely with the EU, where DORA, with its own rules for ensuring critical third party resilience, will apply from 17 January 2025.

We will be observing closely as these new regulatory regimes focused on operational resilience and outsourcing bed in.