The EU’s Digital Operational Resilience Act and the UK’s critical third parties regime are converging on the same fear — that a handful of cloud and technology providers now underpin the entire financial system — but they reach for very different tools, and the United States barely reaches at all. The result is a three-track compliance map that every broker, exchange and crypto-asset service provider operating across borders must now navigate.
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered application on January 17, 2025, and on November 18, 2025 the three European Supervisory Authorities (ESAs) designated the first 19 Critical ICT Third-Party Providers (CTPPs) subject to direct EU oversight — a list led by Amazon Web Services, Microsoft, Google Cloud, Oracle, SAP, IBM and Deutsche Telekom (European Banking Authority). The UK is building a parallel regime with sharply different mechanics, and the US relies on guidance alone. This analysis walks through what each rule actually requires, how four jurisdictions compare, the enforcement precedent that gives the rules teeth, and what compliance teams must do before the next set of deadlines lands.
Key Facts:
• DORA (Regulation (EU) 2022/2554) entered application on January 17, 2025 — EUR-Lex
• The ESAs designated 19 Critical ICT Third-Party Providers on November 18, 2025 — European Banking Authority
• DORA lets lead overseers fine a CTPP up to 1% of its average daily worldwide turnover, levied daily for up to six months until compliance — Regulation (EU) 2022/2554
• More than 65% of EU financial entities rely on at least two of AWS, Microsoft Azure and Google Cloud for critical functions — industry analysis of the CTPP list
• The UK critical third parties regime (PS16/24) sees its FMI Fundamental Rules take effect on July 18, 2026, with the first UK designations expected later in 2026 — Bank of England / FCA
• The EU and UK regulators signed a Memorandum of Understanding on cross-border CTPP oversight on January 14, 2026 — European Banking Authority
• The US relies on the June 2023 Interagency Guidance on Third-Party Relationships (SR 23-4), which creates no designation or fining regime — Federal Reserve
Methodology and sources
This analysis rests on primary regulatory documents: the DORA text (Regulation (EU) 2022/2554), the ESAs’ November 18, 2025 CTPP designation, the joint Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) policy statement PS16/24 (FCA PS24/16), the US Interagency Guidance on Third-Party Relationships (SR 23-4, June 2023), and the EU–UK Memorandum of Understanding of January 14, 2026. The jurisdictional scope is the EU, the UK, the US and Singapore, chosen because they capture the three dominant regulatory models — designation-and-fine, principles-based oversight, and guidance-only — plus a leading Asian framework. The time window runs through July 2026. Caveats: the UK’s first designations had not been made at the time of writing, and the interpretation of DORA’s oversight powers is still developing.
What DORA actually requires
DORA is a single, directly applicable EU regulation that harmonises information and communication technology (ICT) risk management across banks, insurers, investment firms and, via the Markets in Crypto-Assets Regulation (MiCA), crypto-asset service providers (CASPs). It rests on five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. Its most novel feature is the oversight of CTPPs — the providers on which the sector most depends.
A Critical ICT Third-Party Provider under DORA is a technology supplier the ESAs have formally designated as systemically important to EU financial entities, based on the number and significance of the institutions it serves and how substitutable it is. Once designated, the provider falls under a lead overseer drawn from the ESAs, which can demand information, conduct on-site inspections, issue binding recommendations, and — critically — fine the provider up to 1% of its average daily worldwide turnover for each day of non-compliance, for up to six months (Regulation (EU) 2022/2554). Lead overseers can also prohibit a non-compliant provider from taking on new financial-sector clients. In-scope financial entities must maintain a Register of Information cataloguing every ICT arrangement and file it annually by March 31.
“Once designated, CTPPs are subject to an extensive supervisory toolkit,” notes Florence Danis, a partner at Linklaters LLP, describing companies “whose operational failures could send shockwaves through the EU financial system” (Oxford Business Law Blog).
How four jurisdictions compare
The same systemic concern produces markedly different regimes. The EU designates and fines; the UK oversees but cannot fine; the US issues guidance and supervises through existing safety-and-soundness powers; and Singapore leans on outsourcing and technology-risk guidelines. The table below sets out the split.
| Jurisdiction / Regulator | Effective date | Scope | Key requirement | Penalty / sanction |
|---|---|---|---|---|
| EU (ESAs under DORA) | January 17, 2025 | Financial entities + 19 designated CTPPs | Five-pillar ICT risk framework; Register of Information by March 31; direct CTPP oversight | Up to 1% of a CTPP’s average daily worldwide turnover, daily for up to 6 months |
| UK (BoE / PRA / FCA, PS16/24) | FMI Fundamental Rules July 18, 2026; PS26/2 March 18, 2027 | Designated critical third parties to the UK financial sector | Fundamental Rules, operational risk and resilience requirements, scenario testing, direct incident reporting | No fining power; oversight, directions and potential prohibition on providing services |
| US (Fed / FDIC / OCC, SR 23-4) | June 2023 | Banking organisations’ third-party relationships | Lifecycle risk management: planning, due diligence, contracting, monitoring, termination | No designation regime; enforced via existing supervisory and safety-and-soundness powers |
| Singapore (MAS) | Outsourcing and Technology Risk Management Guidelines (in force) | All MAS-regulated financial institutions | Outsourcing risk management, cloud controls, incident notification | No dedicated CTP fining regime; supervisory action under the MAS Act |
Sources: Regulation (EU) 2022/2554; Bank of England / FCA PS16/24 (PS24/16); US Interagency Guidance SR 23-4; MAS guidelines. Last updated: July 2026.
How does the UK critical third parties regime differ from DORA? The objectives are aligned, but three differences matter operationally. First, approach: DORA is detailed and rule-based, while the UK regime is principles-based and, notably, risk-agnostic — it extends beyond ICT to any critical service. Second, reporting: under the UK rules a critical third party reports incidents directly to the regulator, whereas DORA routes CTPP incident reporting through the regulated financial entities that use the provider. Third, and most consequential, enforcement: DORA arms the ESAs with fines of up to 1% of daily global turnover, but the UK regime contains no fining power at all, relying instead on oversight, directions and, ultimately, the ability to bar a provider from serving the sector. The January 2026 EU–UK Memorandum of Understanding is intended to stop these two systems pulling the same global providers in different directions.
“In an increasingly digital world, financial businesses are more dependent on a small number of third-party providers. That can bring significant benefits, but also comes with resilience risk.”
— Nikhil Rathi, Chief Executive, Financial Conduct Authority (FCA)
Enforcement context: why the rules have teeth
The regimes did not emerge in a vacuum; they followed a decade of costly operational failures. The defining UK precedent is TSB Bank. In December 2022, the FCA and the PRA jointly fined TSB £48.65 million for operational-resilience and risk-management failings tied to its 2018 core-banking migration, a botched transfer to a new platform supplied through its banking group that locked roughly two million customers out of their accounts for days. The regulators found the bank had failed to manage the operational risks of its technology provider — precisely the third-party dependency that DORA and the UK CTP regime now target directly.
The concentration risk those regimes address became vivid in July 2024, when a single faulty software update from a cybersecurity vendor triggered a global IT outage that grounded airlines, hospitals and financial firms simultaneously — a live demonstration that one provider’s failure can cascade across the system. Regulators have flagged that more than 65% of EU financial entities depend on at least two of the three dominant cloud hyperscalers for critical functions, and that five of the 19 designated CTPPs are generic cloud infrastructure providers. The supervisory logic is straightforward: if substitutability is low and dependence is high, the provider itself, not just its customers, must be supervised. That is the conceptual leap DORA makes and the US guidance does not.
What this means for brokers, exchanges, CASPs and compliance teams
For retail foreign-exchange and contract-for-difference brokers authorised in the EU, DORA is not optional: as “financial entities” they must operate the full five-pillar framework, file the Register of Information by March 31, run digital operational resilience testing, and — for the largest — undergo threat-led penetration testing. For exchanges and CASPs brought into scope through MiCA, the same obligations apply, layering ICT resilience on top of the authorisation requirements that followed the end of MiCA’s grandfathering window.
For fund managers and custodians, the immediate task is contractual: DORA prescribes specific clauses — audit rights, sub-outsourcing controls, exit strategies and service-level guarantees — that must appear in ICT contracts, and legacy agreements with the newly designated CTPPs will need remediation. For legal and compliance teams operating across the EU, UK and US, the challenge is mapping three overlapping regimes onto one technology estate: a firm using AWS in Frankfurt, London and New York faces EU oversight of the provider, a UK regime that reports incidents differently, and a US framework that pushes the obligation entirely onto the firm. The practical response most large firms are adopting is to build to the strictest standard — DORA — and document how the same controls satisfy the UK and US regimes, a pattern familiar from the divergence in best-execution rules and the EU’s single AML rulebook.
What’s next — the forward view
The immediate calendar is UK-led. The Fundamental Rules for financial market infrastructure firms take effect on July 18, 2026, the first UK CTP designations are expected later in the year, and the incident-and-third-party reporting rules in PS26/2 come into force on March 18, 2027. In the EU, the first full oversight cycle of the 19 CTPPs is under way, led by the ESAs’ new joint oversight directorate, and the sector is watching for the first binding recommendations — and the first test of the fining power. Legal commentators expect designation itself to be contested: the Oxford Business Law Blog has framed the CTPP regime as a path “from designation to litigation”, anticipating challenges from providers that dispute their systemic status.
Convergence is the wildcard. The January 2026 EU–UK Memorandum of Understanding and the alignment of both regimes with the Financial Stability Board’s Format for Incident Reporting Exchange point toward interoperable reporting, even as the underlying enforcement models diverge. The US remains the outlier: no federal DORA equivalent is expected, leaving the now-familiar pattern of the EU setting the global baseline while the US opts for a lighter touch. For globally active firms, the safe assumption is that the strictest regime sets the standard.
TL;DR
The EU’s DORA (in force since January 17, 2025) and the UK’s critical third parties regime both target the financial sector’s dependence on a few dominant cloud and ICT providers, but with different tools: DORA designates providers — 19 so far, including AWS, Microsoft and Google Cloud — and can fine them up to 1% of daily global turnover, while the UK regime is principles-based with no fining power and its first designations due later in 2026. The US relies on 2023 interagency guidance and no designation regime. With more than 65% of EU financial entities dependent on at least two major clouds, brokers, exchanges and CASPs must now build to the strictest standard and map it across all three jurisdictions.
FAQ
What is DORA?
The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is an EU law in force since January 17, 2025 that harmonises ICT risk management for financial entities and creates direct EU oversight of critical technology providers.
What is a Critical ICT Third-Party Provider (CTPP)?
A CTPP is a technology supplier the European Supervisory Authorities have designated as systemically important to EU finance. The first 19, named on November 18, 2025, include Amazon Web Services, Microsoft, Google Cloud, Oracle, SAP and IBM.
How much can regulators fine a CTPP under DORA?
A lead overseer can impose a periodic penalty of up to 1% of the provider’s average daily worldwide turnover, levied each day for up to six months until the provider complies.
Does the UK have an equivalent to DORA?
Yes, but it works differently. The BoE, PRA and FCA critical third parties regime (PS16/24) is principles-based, requires direct incident reporting, and has no fining power. Its FMI Fundamental Rules take effect on July 18, 2026, with first designations expected later in 2026.
How does the US approach compare?
The US has no CTPP designation regime. It relies on the June 2023 Interagency Guidance on Third-Party Relationships (SR 23-4), which sets lifecycle risk-management expectations for banks but places the obligation on the firm, not the provider.
What must in-scope firms do now?
Maintain a DORA Register of Information (filed annually by March 31), remediate ICT contracts to include audit rights and exit plans, run resilience testing, and map EU, UK and US obligations onto shared providers.
This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.