Out-Law News
The MoU could lead to cross-border inspections at data centres. Neville Elder/Corbis via Getty Images.
19 Jan 2026, 10:03 am
Differences in the respective powers of EU and UK financial services regulators to conduct on-site inspections of technology providers have been revealed in a new agreement reached by the two sets of regulators.
Earlier this week, EU and UK authorities announced that they have agreed a memorandum of understanding (MoU) (23-page / 341KB PDF) on how they will cooperate on, coordinate, and exchange information relating to their respective oversight of ‘critical ICT third-party service providers’ (CTPPs) and ‘critical third parties’ (CTPs).
In the EU, the Digital Operational Resilience Act (DORA) provides for regulation of CTPPs by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and/or European Securities and Markets Authority (ESMA).
CTPPs face a series of requirements under DORA, including around incident management and reporting, and must also confirm that they can withstand and manage a wide range of ICT disruptions and cyber threats and comply with uniform requirements for the security of network and information systems.
In November last year, the EBA, EIOPA, and ESMA – together, the European supervisory authorities (ESAs) – designated 19 providers as CTPPs, including businesses that provide software, data and technology infrastructure to financial entities in the EU. Those authorities have various powers under DORA to monitor and enforce compliance, including powers to undertake on-site inspections at premises or property operated by designated CTPPs.
Like the CTPP regime under DORA, the UK’s CTP regime is designed to address the risk that financial entities’ reliance on services provided by third parties poses to the effective functioning of the financial services market and to financial stability more broadly.
The UK Treasury is responsible for designating providers as CTPs. Following designation, CTPs fall subject to the oversight of the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and/or Bank of England. The regulators have a range of oversight powers rooted in the Financial Services and Markets Act 2000 – including information-gathering, investigatory powers, and rights to enter premises.
Unlike the CTPP regime, the CTP regime is only notionally in effect. This is because no CTPs have been designated since 1 January 2025, when the regime began to apply.
While the two regulatory regimes are distinct, the MoU addresses the possibility that providers designated as CTPPs in the EU might also be designated as CTPs in the UK. Among other things, the MoU requires the respective regulators to promptly notify one another where they identify infringement or non-compliance by a “mutually designated” provider.
However, despite some cross-over between the respective powers of the ESAs and UK authorities, the MoU reflects significant differences – particularly in relation to their powers to conduct on-site inspections outside of their jurisdiction.
Article 5 of the MoU, for example, reflects the DORA-derived criteria that the ESAs must fulfil to undertake inspections at CTPP sites located outside of the EU, Norway, Iceland or Liechtenstein. Those conditions include that the regulators notify and face no objections from the UK regulators and that they obtain the consent of the CTPP concerned to the inspection.
In contrast, while Article 6 of the MoU requires the UK regulators to notify the ESAs when seeking to undertake inspections at CTP sites in the EU, it does not state that they require EU regulators’ permission to proceed with those visits. Nor does it state that the consent of the CTP is required.
The process summarised in Article 6 instead provides for the ESAs to supply relevant contact details for national regulators in the specific EU member state in which the UK regulators wish to conduct their inspection. The relevant provisions around consent in Article 6 only state that, in their notification to the EU, the UK regulators “detail to the best of [their] knowledge … whether the CTP has consented to the inspection”.
Luke Scanlon of Pinsent Masons in London said: “CTPPs that might become mutually designated as CTPs in the UK should consider how they would comply with the breadth of local supervisory authority powers they could face, while understanding the limits of those powers. The issue is complex and there is a degree of inconsistency, which creates uncertainty as to how CTPPs ought to respond. Undertaking some strategic planning around this will help.”
Düsseldorf-based Florian Elsinghorst, also of Pinsent Masons, said: “There is a broad desire of businesses to see greater international alignment in legal and regulatory standards. This MoU highlights how the ESAs will interact with the UK regulators, but it also alludes to the fact that the ESAs would only be conduits for CTP inspections led by the UK authorities within the EU - the UK authorities will need to deal with national regulators. In Germany, that will be BaFin. In the context of its promise to harmonise DORA requirements around third-party risk management and outsourcing for financial entities, it seems unlikely that it would add further regulatory barriers to UK-led inspections in Germany, but it is clear that the position is complicated and requires upfront thinking by businesses that might be impacted by both regimes.”
In addition to addressing the issue of cross-border on-site inspections, the MoU provides for the treatment of information exchanged between the ESAs and UK regulators under the agreement as being confidential – “unless otherwise agreed in writing” – and generally commits the authorities to preserve that confidentiality “as far as legally possible”.
However, the MoU also recognises the possibility that the information exchanged might need to be shared, in accordance with separate legal frameworks, with a range of other EU or UK authorities. It provides for standards of professional secrecy to apply where there is such onwards sharing.