UK Trends and Developments Contributed by: Alison Beal, Joel Harrison and Michelle Kirschner, Gibson, Dunn & Crutcher LLP
assistance and orderly exit – and by requiring more granular mapping of ICT assets and interdependencies. The UK has complemented its operational resilience regime with reinforced outsourcing and third-party risk expectations under the FCA Handbook (eg, SYSC 8) and PRA materials, as well as a statutory regime established under the Financial Services and Markets Act 2023 to designate and oversee third parties critical to the finance sector. Under that regime, the FCA, PRA and Bank of England will set and supervise minimum resilience standards for designated providers to mitigate systemic supplier risk.

UK supervisors (FCA, PRA and the Bank of England) are placing increasing weight on concentration risk, particularly reliance on major cloud providers and shared platforms. They expect firms to evidence supplier diversification or robust mitigation where diversification is impracticable, and to conduct scenario testing that follows dependencies end to end through the supply chain and into fourth and fifth parties. DORA’s advanced testing requirements, including threat-led penetration testing aligned with TIBER-EU, are conceptually consistent with established UK threat-led testing approaches (eg, CBEST).

In effect, DORA’s prescriptiveness is driving uplift in documentation, mapping and testing, while the UK’s focus on resilience outcomes and impact tolerances is shaping board-level governance and investment priorities. Together, these regimes are reshaping how firms design, monitor and govern ICT ecosystems, with implications not only for financial services but also for the broader digital infrastructure that underpins critical national and cross-border operations in the sector.

Cybersecurity

Cybersecurity has evolved from a technical concern into a core element of corporate governance.
Currently, the Network and Information Systems Regulations 2018 (SI 2018/506) (the “NIS Regulations”), which implemented the EU’s original NIS Directive (NIS1), continue to apply in the UK despite the EU’s move towards NIS2. In force since 10 May 2018, the NIS Regulations established a framework to improve the security and resilience of network and information systems used to deliver essential and digital services. The NIS Regulations apply to designated Operators of Essential Services in sectors such as energy, transport, health, water and digital infrastructure, and to Relevant Digital Service Providers, ie, online marketplaces, cloud computing services and search engines.

Under the NIS Regulations, Operators of Essential Services must take appropriate and proportionate technical and organisational measures to manage risks to the security of the systems underpinning their essential services and to prevent and minimise the impact of incidents on service continuity. Operators must also report significant incidents to their competent authority and co-operate with investigations. Similar requirements apply to Relevant Digital Service Providers.

Although the NIS Regulations do not prescribe contractual wording, robust technology and outsourcing arrangements will assist with compliance in practice. Contracts supporting essential or digital services should include security and risk management clauses, incident reporting and co-operation procedures, audit and inspection rights, business continuity and disaster recovery commitments, and supply chain management provisions.

Looking forward, the King’s Speech in July 2024 announced the introduction of a Cyber Security and Resilience Bill (the “Bill”), which is intended to strengthen the UK’s cyber defences and enhance the resilience of essential services, critical infrastructure and digital supply chains. The Cyber Security and Resilience Policy Statement issued on 1 April 2025 (the “Policy Statement”) indicates that a central objective of the Bill is to expand the scope of the existing regulatory framework. The government intends to bring a wider range of organisations within regulation. This includes managed service providers, which play a vital role in the delivery and operation of IT systems and often have access to clients’ networks and data. It will also introduce a power for regulators to identify and designate specific high-impact suppliers as “designated critical suppliers”, bringing them under obligations comparable to those that apply to Operators of Essential Services and Relevant Digital Service Providers.