14 Apr 2025

Navigating UK and EU regulation – Reflections on CTP and DORA

On Thursday 27th March techUK held a half-day summit on navigating UK and EU regulation, specifically exploring the Critical Third Parties Regime (CTPR) in the UK and the Digital Operational Resilience Act (DORA) in the EU. The event brought together representatives from the Bank of England, Microsoft, and other key industry voices to explore how these frameworks are shaping operational resilience.
 

 

Critical Third Parties Regime (CTPR)

The CTPR segment opened with a keynote address from Simon Hall, Head of Prudential Policy Division, Bank of England (BoE), followed by a panel discussion featuring:

  • Orlando Fernandez Ruiz, BoE
  • Sam De Silva, CMS
  • Ksenia Duxfield-Karyakina, Forefront Advisors
  • Michael Jefferson, Amazon Web Services
  • Tom Kohler, PwC

 



Simon Hall’s Keynote Highlights:

Simon Hall outlined the features of the final CTPR, emphasising its risk-focused, proportionate and pragmatic approach. He highlighted its alignment with existing operational resilience responsibilities and that it is intended to complement other regimes, such as DORA in the EU.

Simon outlined that the regime is designed to work alongside other regimes in different jurisdictions, e.g. DORA in the EU. He strongly encouraged closer cooperation between critical third parties (CTPs) and the regulators. The BoE’s approach to overseeing CTPs was outlined in the regulators’ ‘approach to the oversight of critical third parties’.

Key messages from Simon’s speech included:

  • Systemic Risk Focus: CTPR affects services where disruption could threaten the stability of, or confidence in, the UK financial system, referred to as systemic third-party services.
  • Shared Responsibility: While CTPs play a critical role, regulated firms remain accountable for their own operational resilience.
  • Transparency and Cooperation: CTPs will be expected to share relevant information with their clients, enabling better risk management. Enhanced coordination between CTPs and regulators is central to the regime’s success. The approach to regulation following designation will be flexible and cooperative.
  • Adaptive Oversight: The BoE intends to remain flexible, adjusting the regime as lessons emerge. Oversight will prioritise current and future risks, with early intervention where necessary.
  • International Interoperability: Recognising that many CTPs operate globally, the BoE is committed to aligning its regime with other frameworks—particularly DORA—to support regulatory efficiency and reduce compliance burdens.

 

Panel Discussion Takeaways:

The subsequent panel discussion reflected a positive industry reception. Stakeholders welcomed the regime’s systemic risk focus, its support for existing resilience obligations, and its commitment to cross-border regulatory cooperation.

There was consensus that both regulators and technology companies face a cultural shift and that a shared understanding of expectations and transparency will take time to build. Industry anticipates that HM Treasury will begin designating CTPs in the coming months, which will mark a new phase of activity and implementation.

 

The Digital Operational Resilience Act (DORA)

The DORA segment of the afternoon began with a keynote address from Vijayalaxmi Aithani, Legal Director Financial Services (UK & Europe) at Microsoft, followed by a panel discussion featuring:

  • Luke Scanlon, Pinsent Masons
  • Anne Leslie, IBM
  • Neil Hare-Brown, STORM Guidance
  • Vijayalaxmi Aithani, Microsoft
     


Vijayalaxmi Aithani’s Keynote Highlights:

Vijayalaxmi provided an overview of DORA and its implications for both financial institutions and technology providers. Other themes covered included the priorities of the European Commission’s new legislative mandate, the macro-economic forces at work and the global regulatory landscape on AI, cyber security and operational resilience.

With DORA coming into full effect, Vijayalaxmi noted that industry is entering a pivotal phase of regulatory adaptation and implementation, emphasising:

  • Evolving Threat Landscape: Cyber threats are accelerating, and digital dependencies are becoming more complex. Operational resilience is increasingly crucial.
  • Risk Management Mechanisms: DORA introduces a robust framework for managing ICT risk.
  • Technological Innovation: As firms embrace cloud computing, AI, and eventually quantum computing, DORA sets a foundation for balancing innovation with resilience.
  • Strategic Collaboration: Cross-industry collaboration and clear compliance strategies will be essential to navigate DORA’s requirements effectively.


Panel Discussion Takeaways:

The subsequent panel discussed key implementation challenges and opportunities across several areas. On supply chain risk, there was a strong emphasis on the need for improved information sharing and oversight, especially given the growing diversity of suppliers. In terms of incident reporting, panellists advocated for regular resilience testing and proposed the development of a flexible, standardised reporting portal to enhance regulatory communication.

The conversation also highlighted the importance of interoperability and harmonisation for firms operating in multiple jurisdictions, calling for clearer and more consistent regulatory guidance across regimes. Additionally, panellists underlined the need for more explicit expectations under DORA regarding ICT third-party obligations, aiming to reduce compliance uncertainty and ensure smoother implementation.

 

The event concluded with a networking reception, where attendees continued discussions informally. techUK’s Financial Services Programme will continue to monitor and explore the evolving implementation of both the CTPR and DORA.
 
 

 

James Challinor


Head of Financial Services, techUK

James leads our financial services programme of activity. He works closely with member firms from across the sector to ensure innovation and technology are fully harnessed and embraced by both industry and regulators. 

Prior to joining us James worked at other business organisations including TheCityUK and the Confederation of British Industry (CBI) in roles focused on supporting the financial & related professional services eco-system, with a particular focus on financial technology and market infrastructure. 

He holds degrees from King's College London and Oxford Brookes University, and outside of work enjoys socialising, exercising, and travelling to new locations.

LinkedIn:
https://www.linkedin.com/in/james-challinor-105212177/
