The advent of cloud-based service delivery models undoubtedly revolutionised the outsourcing market, and customer and supplier organisations alike have benefitted from the scalability, resilience, innovation and reduced infrastructure cost advantages that they offer. However, cloud adoption has also created a new challenge on the customer side at least: concentration risk.
Across financial services (and indeed most other sectors as well), a significant proportion of critical workloads are now hosted by a small number of hyperscale cloud providers (both IaaS and SaaS).
Regulators have increasingly become concerned that the failure or disruption of one of these providers could have consequences extending well beyond any individual customer, potentially affecting entire sectors and, in the case of financial services, financial stability itself. This concern is at the heart of the UK's Critical Third Party (CTP) regime.
The CTP regime, introduced under the Financial Services and Markets Act 2023 and implemented through rules published jointly by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in November 2024, represents a significant shift in the regulatory landscape.
Unlike traditional outsourcing regulation, which focuses on the regulated firm and requires the firm itself to make arrangements with its suppliers in turn (be they organisational or contractual), the CTP regime instead gives regulators direct oversight of designated third-party providers whose services are considered critical to the financial sector.
For commercial and outsourcing lawyers, the regime is important not simply because it creates obligations for designated providers. More fundamentally, it changes the dynamics of outsourcing negotiations, contractual risk allocation, resilience obligations and customer expectations.
Why Concentration Risk Matters
Historically, regulators were principally concerned with the risks arising from an individual firm's outsourcing arrangements. The focus was on governance, due diligence, audit rights, business continuity, exit planning and oversight — but still focussed on the interests and operations of that particular entity.
Cloud computing has changed that equation. Large numbers of financial services institutions now rely on the same providers for infrastructure, platform and increasingly application services (either directly, or by reason of the role that they play further down the supply chain). The concentration of critical services in a small number of providers means that a significant outage, cyber incident or operational failure could affect multiple institutions simultaneously.
The risk is no longer institution-specific; it is systemic. Regulators have expressly recognised that disruption to services provided by major third parties could spread through the financial system and threaten financial stability, market integrity and consumer confidence.
Importantly, the CTP regime is technology-neutral. While cloud providers are often cited as the most obvious candidates for designation, the regime is capable of applying to any third party whose services are sufficiently important to the financial sector (eg it could include network services, software providers and, increasingly, providers of AI based solutions). Nevertheless, cloud providers remain the primary focus of market discussions because of the high degree of concentration that already exists.
What the CTP Regime Does
The regime allows HM Treasury to designate a third party as a ‘Critical Third Party’ following recommendations from the regulators. Once designated, that provider becomes subject to direct regulatory oversight by the regulators themselves (rather than having them rely on contractual rights granted to them via their regulated entity's contract with the relevant supplier).
The regulators' requirements focus on ensuring that designated providers can deliver their services through "severe but plausible" disruption scenarios (thus including major incidents with key hyperscalers, but likely excluding the possibility of imminent alien invasion…!). The regime includes fundamental rules, operational resilience requirements, incident reporting obligations, testing requirements and the possibility of skilled person reviews.
Significantly, the regime does not replace existing outsourcing rules (such as the requirements in the PRA Supervisory Statements as to third party risk and/or operational resilience). Irrespective then of any direct oversight that may be now exercised by the regulators, financial institutions remain responsible for managing outsourcing risk, conducting due diligence and ensuring regulatory compliance. The FCA has been explicit that firms must continue to maintain comprehensive understanding and mapping of critical third-party dependencies and remain accountable for operational resilience outcomes.
As a result, organisations cannot simply assume that regulatory oversight of a designated cloud provider eliminates their own responsibilities. Rather, the regime adds an additional layer of sector-wide oversight while preserving firm-level accountability.
What does this mean for Outsourcing Contracts?
1. A focus on operational resilience
The first major contractual implication is likely to be increased scrutiny of resilience provisions.
Traditional outsourcing contracts often contain business continuity and disaster recovery clauses. Under the influence of operational resilience regulation and the CTP framework, customers are increasingly seeking more detailed commitments relating to recovery objectives, resilience testing, incident management and governance processes.
Market practice is already moving towards resilience frameworks that require parties to review severe but plausible disruption scenarios, recovery objectives and business continuity alignment on a recurring basis. Internal outsourcing precedent material increasingly emphasises operational resilience "umbrella" obligations, resilience testing and alignment of recovery tolerances.
Customers can therefore be expected to seek stronger contractual commitments regarding resilience testing, notification of vulnerabilities, remediation planning and participation in industry-wide exercises. Equally, they must take care not to set overly ambitious recovery time objectives, before ensuring that the contractual arrangements which they may already have in place are going to enable them to achieve them!
2. Supply Chain Transparency
Concentration risk is not limited to the primary service provider, be that in relation to an outsourcing arrangement or more generally. Significant risk can also arise through subcontractors, telecommunications providers, software vendors and other members of the wider supply chain, to the extent that they may also be dependent upon cloud based service models and providers.
As regulators focus increasingly on systemic dependencies, customers are likely to demand greater visibility (and potentially control) of such subcontracting arrangements. Existing regulatory guidance already highlights the importance of sub-outsourcing controls and accountability (recognising however that 'sub-outsourcing' is a narrower sub-category of 'subcontracting').
Future outsourcing agreements may therefore include:
- Enhanced notification requirements for material subcontractors.
- Approval rights for critical sub-outsourcing.
- Supply chain mapping obligations.
- Ongoing reporting on critical dependencies.
- Contractual commitments regarding fourth-party risk management.
These provisions are likely to become increasingly important where services support regulated or business-critical activities, or in relation to 'material' services as per the PRA designations.
3. Incident Reporting and Information Sharing
One of the practical benefits of the CTP regime may be increased information flow regarding incidents affecting critical providers. Regulators expect designated providers to report significant incidents and demonstrate operational resilience.
Customers, however, will still need timely information to manage their own regulatory obligations. Consequently, outsourcing contracts are likely to contain increasingly detailed incident management provisions requiring:
- Rapid notification of incidents.
- Regular status updates.
- Root cause analysis reports.
- Remediation plans.
- Co-operation with regulatory enquiries.
The quality and speed of information sharing may become a key negotiation point, particularly where customers are themselves subject to operational resilience, DORA or other sector-specific requirements. Suppliers will likewise want to ensure that they have sufficient time to carry out their own analysis before they set too many hares running (especially considering the risk of reputational harm that warnings of security breaches in particular might entail).
4. Exit Planning
Perhaps the most difficult issue raised by concentration risk is exit.
Historically, exit provisions were often treated as a back-end contractual mechanism. Today, regulators increasingly view exit planning as a core resilience requirement rather than a termination issue. Existing regulatory guidance and market precedent consistently emphasise the need for orderly transition and robust exit arrangements, and most particularly in the context of ‘stressed’ exits (eg when a supplier is in breach or goes bust, such that a termination is in effect forced upon the customer in circumstances it may not have had time to properly plan for).
The challenge, however, is that meaningful exit from a hyperscale cloud provider is often technically and commercially difficult. Many cloud providers will have involved proprietary tools and solutions as part of what might otherwise be more of a commodity offering, and/or created a wealth of interfaces with other aspects of the customer's infrastructure. The impact of a major migration of applications and data is also not to be underestimated.
As a result, customers are likely to seek:
- Detailed exit plans.
- Ongoing maintenance of exit documentation.
- Data portability commitments.
- Transition assistance obligations.
- Extended post-termination support.
- Testing of exit procedures.
The objective is increasingly to ensure that an organisation can move services if necessary within an acceptable timescale, even if such migration remains commercially unattractive.
5. Audit Rights
Audit rights have long been a contentious issue in cloud negotiations. Large cloud providers have generally resisted traditional customer audit models, favouring pooled audits, certifications and independent assurance reports. Indeed, until the regulators made audit access mandatory for outsourcing arrangements re critical/material services, it was not uncommon for them to argue that it was technically not possible to provide such access.
The continuing emphasis on regulatory oversight means that audit and regulatory access provisions remain critical. Regulatory guidance consistently identifies audit, access and oversight rights as key components of outsourcing compliance, and most major suppliers have responded by creating bespoke FS specific addenda to their standard terms, which will grant rights which mirror the specific mandatory requirements of the relevant regulatory texts (be they from the PRA in the UK or EBA in Europe etc).
Although the CTP regime may reduce some information asymmetry through direct regulatory oversight, customers are unlikely to abandon their own contractual rights. Instead, market practice may evolve towards a combination of direct audit rights, pooled assurance mechanisms, independent reports and structured regulatory engagement.
A Shift in Negotiating Leverage?
One unresolved question is whether the CTP regime will materially alter negotiating leverage between customers and hyperscale providers.
In practice, many customers have limited ability to negotiate heavily amended cloud terms. The concentration that gives rise to regulatory concern also tends to provide providers with significant market power. Nevertheless, the existence of direct regulatory oversight may strengthen customers' arguments when requesting resilience-related contractual enhancements, at least.
Over time, designated providers may choose to standardise certain contractual commitments to align with regulatory expectations, reducing the need for customer-specific negotiation.
What remains to be seen is whether the regulators will go still further, and start to extend the set of mandatory contract provisions which they will expect CTPs to adhere to.
Conclusion
The Critical Third Party regime represents a fundamental evolution in the regulation of outsourcing and operational resilience for the FS sector at least. It recognises an important reality of modern technology sourcing: some third-party providers have become so integral to the operation of the financial system that their resilience is now a matter of public interest.
For outsourcing contracts, the implications extend far beyond compliance. Concentration risk is reshaping expectations around operational resilience, supply chain transparency, incident management, audit rights and exit planning. While direct oversight of critical providers may improve systemic resilience, it does not remove responsibility from customers. Instead, it reinforces the need for carefully drafted outsourcing agreements that support resilience across the entire service lifecycle.
For lawyers negotiating cloud and technology outsourcing arrangements, the message is clear. The focus is no longer merely on whether a service can be outsourced, and on the core legal terms and conditions. The real question is whether the customer can continue to deliver its critical services if the provider experiences a severe disruption, and the role of the lawyer then becomes not just the negotiation of core contract terms, but also the wider assessment of operational risk.