TPRM for Financial Services: FCA, DORA & SS2/21 Guide
In Summary
Financial services firms face third-party risk management obligations under at least two and often three distinct regulatory frameworks: the FCA's systems and controls requirements in SYSC, the PRA's Supervisory Statement SS2/21 on outsourcing and third-party risk management, and DORA (Regulation (EU) 2022/2554) for entities with EU operations or clients. Each framework uses different terminology, covers different scopes, and places different documentation and reporting obligations on firms. But they share enough common ground that a well-designed TPRM programme can satisfy all of them without running parallel workstreams.
This guide maps the requirements across the three frameworks, identifies where they overlap and where they diverge, and sets out what financial services TPRM programmes and software must deliver to be compliant in 2026.
- SS2/21 and FCA SYSC cover all outsourcing: ICT and non-ICT. DORA Article 28 covers ICT third-party services specifically. A unified TPRM programme must address both without running separate compliance workstreams.
- DORA's Register of Information has a prescribed format: Commission Implementing Regulation (EU) 2024/2956 defines the exact template structure. Using DORA's format as your baseline register, extended with SS2/21 fields, satisfies both frameworks.
- DORA Article 30 goes further than SS2/21 on contracts: Agreements covering critical or important functions must include TLPT participation rights, ESA cooperation obligations, and data recoverability provisions not required under SS2/21.
- Concentration risk is a DORA-specific obligation: Article 29 requires firms to assess and document dependency on individual ICT providers before contracting. SS2/21 doesn't impose a formal equivalent.
- The FCA has confirmed new material third-party reporting rules: Final rules published in March 2026 require firms to notify the FCA before entering material third-party arrangements. These come into force 18 March 2027.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about managing FCA, PRA, and DORA TPRM obligations
"The firms that struggle most are those that set up one register for SS2/21 and another for DORA, then spend their annual review cycle reconciling two documents that describe the same providers. Start with DORA's prescribed format, extend it to capture non-ICT outsourcing for SS2/21, and you're maintaining one record. That single decision cuts the compliance overhead considerably."
The regulatory landscape for financial services TPRM
Third-party risk in financial services has been a regulatory concern since the early 2000s, but the obligations firms face today are considerably more specific. Three separate frameworks now govern how UK and EU financial services firms must manage their third-party relationships, each with its own documentation requirements, due diligence standards, and reporting obligations.
The PRA's SS2/21 ('Outsourcing and third party risk management'), published in March 2021, sets the standard for PRA-regulated firms: banks, building societies, PRA-designated investment firms, and insurers. It aligns with the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and applies to all outsourcing, ICT and non-ICT alike. The FCA's SYSC applies parallel requirements to FCA solo-regulated firms, and the FCA confirmed new material third-party reporting rules in March 2026, coming into force on 18 March 2027.
DORA (Regulation (EU) 2022/2554), which became applicable on 17 January 2025, adds a third layer for EU-active entities. Its Article 28 imposes specific obligations for ICT third-party risk, with more prescriptive contractual requirements, a formally structured Register of Information, and a novel oversight regime for critical ICT third-party providers.
FCA and PRA SS2/21: what the UK frameworks require
SS2/21 establishes the PRA's expectations for outsourcing and third-party risk management across its regulated population. It draws on the EBA Guidelines but is tailored to the UK regulatory environment post-Brexit. FCA SYSC applies analogous requirements to FCA solo-regulated firms. Together, they define the UK baseline for financial services TPRM.
A critical point for programme design: SS2/21 covers all outsourcing, not just ICT. A firm that outsources its claims handling, compliance monitoring, or customer due diligence functions is subject to SS2/21 for those arrangements in exactly the same way as for technology outsourcing. This broader scope distinguishes SS2/21 from DORA, which is specifically scoped to ICT services.
| Requirement | What firms must do |
|---|---|
| Material outsourcing identification | Identify which arrangements are 'material': those that could materially impact the firm's operations, reputation, or regulatory compliance. Document the basis for each materiality assessment. |
| Due diligence | Conduct proportionate due diligence on service providers before entering material outsourcing arrangements and on an ongoing basis. Intensity scales with the materiality and risk of the arrangement. |
| Contractual requirements | Material outsourcing contracts must include: service level specifications; right to audit; access for the regulator; data security provisions; continuity and exit provisions; sub-outsourcing controls; termination rights. |
| Notification to regulator | Firms must notify the PRA or FCA before entering material outsourcing arrangements. Ongoing material changes must also be notified. |
| Register of outsourcing arrangements | Maintain a register of all material outsourcing arrangements, reviewed at least annually. |
| Exit planning | Documented exit plans for material outsourcing arrangements, tested at appropriate intervals. |
| Ongoing monitoring | Regular performance monitoring and risk assessment for all material third parties. More intensive monitoring applies to higher-risk arrangements. |
| Sub-outsourcing | Material sub-outsourcing arrangements must meet the same due diligence and contractual standards as primary outsourcing. |
DORA: ICT third-party risk for EU-active financial entities
DORA Article 28 applies specifically to ICT third-party risk. It covers financial entities within the scope of DORA Article 2: EU-based banks, insurers, investment firms, payment institutions, and others. UK-only firms fall outside DORA's direct scope, but UK financial institutions operating through EU-authorised entities, branches, or subsidiaries must comply for those entities.
DORA's framework for ICT third-party risk is more prescriptive than SS2/21 in three key respects. Article 28(3) requires a Register of Information in the format specified by Commission Implementing Regulation (EU) 2024/2956, adopted on 29 November 2024. Article 29 requires financial entities to assess ICT concentration risk: the risk that excessive dependence on a small number of ICT providers creates systemic vulnerability. And Article 30 specifies the minimum contractual provisions that must appear in contracts with ICT providers supporting critical or important functions, going beyond standard service level agreements to include DORA-specific requirements.
DORA Article 30: minimum contractual provisions for critical ICT services
Contracts with ICT providers supporting critical or important functions must include all of the following:
- Full service descriptions, including service levels and quantitative performance targets.
- Locations from which ICT services will be provided and where data will be processed and stored.
- Provisions on data accessibility, recoverability, and return in case of insolvency.
- Full cooperation with competent authorities and the ESAs, including participation in TLPT exercises.
- Right to audit by the financial entity, competent authorities, and ESAs.
- Obligation for the provider to notify the financial entity of any material ICT incident affecting the service.
- Sub-contracting provisions: the provider must identify material sub-contractors and ensure they meet equivalent standards.
- Exit assistance provisions: the provider must cooperate in transitioning the service at contract end, including during insolvency.
For guidance on the DORA critical ICT third-party provider oversight regime, see SureCloud's DORA critical ICT third-party providers guide.
Where SS2/21 and DORA overlap, and where they diverge
Treating SS2/21 and DORA as two separate compliance workstreams is the most common design mistake in financial services TPRM. It doubles the documentation effort, creates inconsistencies between two registers that describe the same providers, and produces a TPRM function that's spending the majority of its time on reporting administration rather than risk management. A unified approach, using the most demanding standard where requirements overlap, is both more efficient and more defensible with regulators.
| Dimension | FCA/PRA SS2/21 | DORA Article 28 | Unified programme approach |
|---|---|---|---|
| Scope | All outsourcing (ICT and non-ICT); materiality threshold applies for PRA firms | ICT services only; all in-scope DORA entities regardless of materiality threshold | One TPRM register covering all third parties; ICT services flagged separately for DORA fields |
| Register format | Firm-defined format; reviewed annually | Prescribed format per Commission Implementing Regulation (EU) 2024/2956; submitted to competent authority | Use DORA format as baseline; extend with SS2/21 fields for non-ICT outsourcing |
| Due diligence | Risk-proportionate; more intensive for material arrangements | Proportionate to risk; specific requirements for arrangements supporting critical or important functions | Single due diligence workflow; escalation triggers for material and CIF-supporting services |
| Contract requirements | Specific provisions required for material arrangements: audit rights, continuity, exit | Article 30 provisions required for CIF-supporting ICT services; goes further than SS2/21 on ESA cooperation and TLPT | Master contractual clause library covering both SS2/21 and DORA Article 30 requirements |
| Exit planning | Required for material arrangements; tested at appropriate intervals | Required for services supporting critical or important functions; part of ICT risk management framework | Single exit plan per critical provider; tested within operational resilience testing programme |
| Concentration risk | No formal equivalent requirement | Article 29 requires assessment and documentation of ICT concentration risk before contracting | ICT concentration risk assessment embedded in due diligence workflow; documented for all CIF-supporting services |
| Regulatory reporting | Notification before entering material outsourcing; ongoing register; new FCA material third-party rules from March 2027 | Register submitted to competent authority for CTPP designation process; reference date 31 March annually | Align annual register review to regulatory submission cycle; single notification process for dual-regulated arrangements |
It's worth being clear on the concentration risk point. SS2/21 expects firms to consider concentration risk as part of their broader operational resilience and risk management frameworks, but DORA Article 29 makes it an explicit pre-contract assessment obligation. Firms designing a unified programme should adopt the DORA standard and apply it across all ICT arrangements, not just those covered by DORA directly.
What financial services TPRM software must deliver
The compliance obligations above create specific requirements for TPRM software that go beyond what a general procurement risk or supplier management platform can meet. Platforms covering only one aspect, such as questionnaire management or contract storage in isolation, aren't sufficient for financial services compliance in 2026. Here's what a purpose-built TPRM platform must do.
Unified third-party inventory
A single register covering all third parties, ICT and non-ICT, outsourcing and other arrangements, with fields supporting both SS2/21 and DORA Article 28 requirements. Each record needs dual tagging: material outsourcing status for PRA/FCA purposes, and critical or important function classification for DORA. The inventory is the foundation everything else depends on.
DORA Register of Information export
The ability to generate a register submission in the format required by Commission Implementing Regulation (EU) 2024/2956, with all required fields populated from the core TPRM record. The first reference date for RoI submissions was 31 March 2025, with competent authorities reporting to the ESAs by 30 April 2025. Firms that can't produce this export accurately are at immediate supervisory risk.
Critical function classification and contractual tracking
A structured workflow for classifying which third-party services support critical or important functions, with documented rationale and approval workflow. Linked directly to contractual compliance tracking: every contract against critical or important services must be checked for Article 30 compliance, with gap flagging and renewal alerts built into the process. These two capabilities don't work properly in isolation from each other.
Risk-proportionate due diligence workflows
Structured, risk-proportionate due diligence processes for onboarding and annual review, with distinct workflows for material and CIF-supporting services versus lower-risk arrangements. The workflow must support both SS2/21's materiality-based escalation and DORA's criticality-based escalation without requiring duplication of effort.
Ongoing monitoring, exit planning, and concentration risk analysis
Continuous monitoring of third-party financial health, cyber security incidents, and regulatory actions, with alerts feeding the risk assessment process. Exit plan documentation and testing for critical providers, linked to the firm's wider operational resilience programme. And concentration risk analysis: which functions depend on which providers, and where single-provider dependency creates unacceptable exposure. DORA makes this a regulatory obligation; good TPRM practice makes it a board-level concern.
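The three capabilities above (a dual-tagged unified inventory, Article 30 gap flagging against CIF-supporting contracts, and concentration analysis of which functions depend on which providers) are easier to reason about as one data model. The following Python sketch is an added illustration, not SureCloud's platform code and not a format prescribed by either regulator: one register record carries both the SS2/21 materiality tag and the DORA ICT/CIF tags, the SS2/21 and DORA views are filters over that single record, each CIF-supporting ICT contract is checked against a provision checklist, and concentration is measured both per provider and per provider group (to catch the "closely connected providers" case). The field names, the provision tags (paraphrased from the Article 30 list earlier on this page, not the regulation's wording), and the sample register are all hypothetical and constructed for the example.

```python
"""Added example: one TPRM register record serving SS2/21 and DORA views.
Not SureCloud code; field names, provision tags and sample data are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical checklist tags for the Article 30 minimum provisions listed on this page.
ARTICLE_30_PROVISIONS = frozenset({
    "service_description_and_slas", "service_and_data_locations",
    "data_access_recovery_return", "authority_cooperation_incl_tlpt",
    "audit_rights", "incident_notification", "subcontracting_controls",
    "exit_assistance",
})


@dataclass
class Arrangement:
    provider: str
    provider_group: str          # parent group, used to spot closely connected providers
    function: str                # business function the service supports
    is_ict: bool                 # DORA scope flag
    material_outsourcing: bool   # SS2/21 / SYSC materiality tag
    supports_cif: bool           # DORA critical-or-important-function tag
    provisions: set = field(default_factory=set)  # provision tags present in the contract


def dora_view(register):
    """Records that belong in the DORA Register of Information: ICT services only."""
    return [a for a in register if a.is_ict]


def ss221_view(register):
    """Records that belong in the SS2/21 material outsourcing register, ICT or not."""
    return [a for a in register if a.material_outsourcing]


def article30_gaps(a):
    """Missing Article 30 provision tags; empty unless the contract is ICT and CIF-supporting."""
    if not (a.is_ict and a.supports_cif):
        return set()
    return set(ARTICLE_30_PROVISIONS - a.provisions)


def concentration_findings(register, threshold=2):
    """Providers, and provider groups, supporting >= threshold distinct CIFs via ICT services."""
    by_provider, by_group = defaultdict(set), defaultdict(set)
    for a in register:
        if a.is_ict and a.supports_cif:
            by_provider[a.provider].add(a.function)
            by_group[a.provider_group].add(a.function)
    findings = {}
    for name, fns in by_provider.items():
        if len(fns) >= threshold:
            findings[name] = sorted(fns)
    for group, fns in by_group.items():
        if len(fns) >= threshold:
            findings["group:" + group] = sorted(fns)
    return findings


def single_provider_cifs(register):
    """CIFs whose ICT support comes from exactly one provider (no substitute in the register)."""
    providers = defaultdict(set)
    for a in register:
        if a.is_ict and a.supports_cif:
            providers[a.function].add(a.provider)
    return sorted(fn for fn, ps in providers.items() if len(ps) == 1)


def build_sample_register():
    """Constructed sample register; provider and function names are invented."""
    full = set(ARTICLE_30_PROVISIONS)
    return [
        Arrangement("CloudCo", "CloudGroup", "payments processing", True, True, True, set(full)),
        Arrangement("CloudCo", "CloudGroup", "core banking hosting", True, True, True,
                    full - {"authority_cooperation_incl_tlpt"}),  # contract predates DORA
        Arrangement("DataCo", "CloudGroup", "fraud analytics", True, False, True, set(full)),
        Arrangement("AltData", "AltGroup", "fraud analytics", True, False, True, set(full)),
        Arrangement("ClaimsCo", "ClaimsCo", "claims handling", False, True, True),   # non-ICT
        Arrangement("LegalLLP", "LegalLLP", "external counsel", False, True, False),  # non-ICT
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    print("DORA RoI records:", len(dora_view(reg)), "| SS2/21 records:", len(ss221_view(reg)))
    for a in reg:
        if gaps := article30_gaps(a):
            print(f"Article 30 gap: {a.provider} / {a.function}: {sorted(gaps)}")
    print("Concentration:", concentration_findings(reg))
    print("Single-provider CIFs:", single_provider_cifs(reg))
```

Two design points carry over to a real platform. First, the DORA and SS2/21 registers are never stored separately; they are projections of the same record, so the annual review reconciles nothing. Second, grouping by parent group as well as by contracting entity is what surfaces the Article 29 "closely connected providers" exposure: in the sample, DataCo alone looks unremarkable, but together with its group affiliate CloudCo the group underpins three critical functions.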
For a broader assessment of TPRM software capabilities, see SureCloud's guide to vendor assurance automation software. For context specific to UK financial services firms, see third-party risk management for UK financial institutions.
Regulatory Compliance FAQs
What is SS2/21 and who does it apply to?
SS2/21 is the PRA Supervisory Statement 'Outsourcing and third party risk management', published in March 2021. It applies to PRA-regulated firms: banks, building societies, PRA-designated investment firms, and insurers. It sets out the PRA's expectations for identifying, managing, and documenting outsourcing and third-party risk, drawing on the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02).
SS2/21 requires firms to identify material outsourcing arrangements, conduct due diligence, maintain contracts with specific provisions including audit rights and exit terms, notify the regulator before entering material outsourcing, and maintain and annually review a register of material arrangements. FCA solo-regulated firms face equivalent requirements through FCA Handbook SYSC.
Does DORA apply to UK financial services firms?
DORA (Regulation (EU) 2022/2554) applies directly to financial entities authorised or registered in EU member states. UK-based financial services firms fall outside DORA's direct scope by virtue of their UK authorisation alone. But UK firms operating through EU-authorised entities, branches established in EU member states, or subsidiaries that are themselves DORA in-scope entities must comply with DORA for those EU operations. Additionally, UK firms providing ICT services to EU-regulated financial entities may face indirect obligations as ICT third-party service providers, including requirements to support audit rights and cooperation with ESA oversight.
What is the difference between outsourcing under SS2/21 and ICT third-party arrangements under DORA?
Under PRA SS2/21 and FCA SYSC, 'outsourcing' refers to any arrangement under which a third party provides a service on an ongoing basis that the firm would otherwise perform itself, covering ICT and non-ICT functions alike. DORA focuses specifically on ICT third-party services: cloud computing, data analytics, software, and other ICT capabilities, regardless of whether they meet the traditional outsourcing definition.
A legal function using external counsel for advisory services is outsourcing for SS2/21 purposes but falls outside DORA's scope. A firm using cloud-hosted software for compliance monitoring is an ICT third-party arrangement under DORA and may also be material outsourcing under SS2/21. The distinction determines which contractual and reporting requirements apply.
What should financial services TPRM software be able to do?
Financial services TPRM software must support a unified third-party inventory covering all outsourcing and ICT arrangements; a DORA Register of Information export in the Commission Implementing Regulation (EU) 2024/2956 format; critical function classification with documented rationale; contractual compliance tracking for both SS2/21 and DORA Article 30; risk-proportionate due diligence workflows; ongoing monitoring for third-party risk events; exit plan documentation and testing; and ICT concentration risk analysis. Platforms covering only one of these areas are insufficient. Producing accurate DORA Register submissions, demonstrating SS2/21 compliance, and reporting to regulators requires an integrated system, not a collection of disconnected tools.
What are the DORA Register of Information submission requirements?
Under DORA Article 28(3) and Commission Implementing Regulation (EU) 2024/2956, financial entities must maintain a Register of Information covering all contractual arrangements with ICT third-party service providers, available at entity, sub-consolidated, and consolidated levels. The register format follows 15 templates across 8 groups, structured in xBRL-CSV format to the EBA Taxonomy 4.0 specification.
Competent authorities collect and submit registers to the ESAs for the critical ICT third-party provider designation process. The first reference date was 31 March 2025. Firms that can't generate this output accurately are already operating with a compliance gap.
What does DORA Article 29 on ICT concentration risk require?
Article 29 requires financial entities to assess ICT concentration risk before entering into new arrangements. Where a single ICT provider is contracted for multiple critical or important functions, or where multiple contracts exist with closely connected providers, the firm must document the concentration risk and assess whether mitigation is feasible.
This includes weighing the benefits and costs of alternative solutions and assessing provider substitutability. Firms must also consider concentration risk from sub-contractors established in third countries. It's a pre-contract obligation, not a retrospective review.
© SureCloud 2026. All rights reserved.
