European supervisors propose new continuity rules for carriers’ third‑party suppliers as boards face tougher oversight

Who: European and U.K. insurance supervisors, national competent authorities, and large insurance groups and their boards.
What: Proposals and consultations to impose stricter continuity, reporting and oversight requirements on insurers’ third‑party suppliers — including cloud and other critical service providers — and to heighten board-level accountability for third‑party risk.
When: Initiatives accelerated after the Digital Operational Resilience Act took effect Jan. 17, 2025; regulators published consultations and timelines through 2024–2025 (notably Nov. 15, 2024; Dec. 13, 2024; July 2 and July 10, 2025).
Where: European Union and the United Kingdom, with cross‑border implications for insurers operating in other first‑world jurisdictions.
Why: Supervisors cite rising concentration in hyperscale cloud providers, growing use of AI and cloud services by insurers, and a surge in cyber and operational incidents that create systemic contagion risks if third‑party suppliers fail.

European and U.K. supervisors — from the European Supervisory Authorities and EIOPA to the Prudential Regulation Authority and the Bank of England — have in the past 18 months laid out a stepped‑up regulatory architecture aimed at shrinking the blind spots created by insurers’ reliance on third parties. The reforms combine (1) new lifecycle rules for third‑party arrangements, (2) mandatory registers and reporting to allow supervisors to designate and oversee “critical” providers, and (3) sharper expectations that boards and senior managers actively own third‑party risk governance. The changes are intended to protect policyholders and financial stability as insurers outsource more core functions to a concentrated set of global cloud providers. (eiopa.europa.eu)

What supervisors are proposing — and why it matters
Regulators are moving beyond traditional outsourcing rules that placed primary legal responsibility on the insurer but left the on‑the‑ground oversight of critical suppliers weak, inconsistent and largely national. Under the EU’s Digital Operational Resilience Act (DORA), which entered into application on Jan. 17, 2025, and complementary supervisory action, the European authorities now require financial entities to document contractual links and maintain registers of information that supervisors will use to identify and designate “critical ICT third‑party providers” for direct oversight. The ESAs set a timetable requiring competent authorities to report internal registers to the ESAs by April 30, 2025, to enable the designation process. (eiopa.europa.eu)

The EBA, responding to the broader DORA agenda and the same systemic concerns, opened a public consultation in July 2025 proposing detailed guidelines for the management of third‑party risk beyond ICT services — covering the lifecycle of third‑party arrangements from pre‑contract due diligence to exit strategies and subcontracting. EBA’s draft explicitly aims to harmonize requirements with DORA where possible and to reduce duplicative documentation by permitting a single register for both ICT and non‑ICT third‑party arrangements. EBA noted a two‑year transitional period for firms to bring existing arrangements into line with the new guidance. (eba.europa.eu)

In the United Kingdom, the Bank of England, the PRA and the FCA have progressed a parallel agenda. The regulators’ consultation on oversight of critical third parties (CP26/23 and subsequent publications) and the PRA’s CP17/24 (Operational resilience: Operational incident and outsourcing and third‑party reporting) propose mandatory reporting of operational incidents and material third‑party arrangements and a set of “fundamental rules” for designated critical third parties (CTPs). The regulators have been explicit that these measures do not remove firms’ accountability — boards and senior managers remain responsible for operational resilience and the safe use of third parties. (bankofengland.co.uk)

How concentrated the risk is
Supervisors’ urgency stems from concentration: the major hyperscale cloud providers (AWS, Microsoft Azure, Google Cloud) together account for more than 60% of global cloud infrastructure market share, according to leading industry trackers — a figure regulators and industry analysts cite as a source of systemic vulnerability when multiple financial firms depend on a small set of providers. That concentration, paired with rising adoption of AI and cloud‑native services, means a single large outage or cyber incident can cascade across multiple insurers simultaneously. (canalys.com)

“Firms must be able to show they can remain within impact tolerances for all their important business services throughout severe but plausible disruptions,” the Prudential Regulation Authority wrote in supervisory communications that set March 31, 2025, as a milestone for embedding operational resilience outcomes. The PRA and its UK regulatory partners have underscored that boards should make operational resilience a routine element of business decision‑making, including when entering new third‑party and, in some cases, fourth‑party relationships. (pinsentmasons.com)

What the rules would require insurers to do
The emerging EU and U.K. frameworks share core features:

  • Registers and reporting: Insurers must maintain detailed, standardized registers of material third‑party arrangements (including cloud contracts), and report specified data to national supervisors — data the ESAs will use to designate particularly critical providers. The ESAs conducted a voluntary dry run with roughly 1,000 financial entities in 2024 to support implementation. (eiopa.europa.eu)

  • Lifecycle governance: Supervisory guidance covers the full lifecycle of third‑party relationships — vendor selection, due diligence (including resilience and financial health), contractual clauses (service levels, audit and termination rights), subcontracting controls, continuous monitoring, testing and exit strategies. EBA explicitly recommends aligning the documentation for ICT and non‑ICT providers to reduce duplication. (eba.europa.eu)

  • Concentration management: Supervisors expect firms to assess and mitigate concentration risk where a single supplier (or small set of suppliers) supports critical or important functions across many firms. Measures might include multi‑region failover, multi‑cloud strategies, explicit contingency arrangements, and contractual rights enabling timely recovery. Regulators have signaled readiness to use designation and direct oversight to mitigate systemic concentration. (bankofengland.co.uk)

  • Incident reporting and testing: Firms must report operational incidents using standardized thresholds and participate in resilience testing and scenario exercises. Critical third parties — if designated — can be required to undertake resilience testing and provide regulators with audit access and other assurances. (eiopa.europa.eu)

Board and senior management responsibilities
Supervisors are sharpening the lens on governance. The PRA’s supervisory priorities and related guidance leave little ambiguity: boards and senior managers must actively oversee operational resilience programs and third‑party risk, not delegate it entirely to risk or IT functions. The PRA has said that operational resilience “should be a key point of consideration for boards and executives when planning major change programmes, making strategic business decisions, or engaging in new third, or in some case fourth‑party, relationships.” (pinsentmasons.com)

Industry groups and trade bodies have warned that the new oversight burden could be heavy. Insurance Europe and other industry associations have asked for clarity to avoid duplicative audits and impracticable on‑site inspection requirements for cloud providers, arguing that some traditional supervisory tools do not fit cloud services’ remote and highly distributed architectures. Insurance Europe’s commentary urges regulators to align digital rules carefully to prevent “duplicative and burdensome audit obligations” between DORA and Solvency II‑related requirements. (metametris.com)

Industry reaction and practical challenges
Insurers generally welcome clearer rules but warn of implementation costs and complexity. Large groups that have already migrated policy‑administration, underwriting and claims systems to hyperscalers or SaaS platforms face expensive renegotiations of legacy contracts, new technical work to demonstrate multi‑region resilience, and sensitive disclosure choices when reporting commercial supplier details to supervisors.

Smaller carriers and managing general agents — which depend on third‑party administrators (TPAs) and cloud‑native core systems — face the opposite problem: limited bargaining power with suppliers and high relative costs to implement dual‑run or multi‑cloud recovery strategies. Trade bodies say a one‑size‑fits‑all approach will strain smaller firms and could reduce competition if regulatory costs entrench incumbents. The EBA’s draft guidelines attempt to address proportionality, with limited documentation requirements and transitional periods for non‑systemic firms. (eba.europa.eu)

Threat landscape: cyber, AI, and supply‑chain contagion
Supervisors’ urgency reflects evolving threats. Industry reports and insurers’ own incident experience show a rise in ransomware, supply‑chain compromises and incidents amplified by generative AI tools. QBE’s recent reporting and other industry analyses warn that cybercriminal use of AI and the proliferation of sensitive data in the cloud heighten the probability and impact of incidents that propagate through service providers. Supervisors cite the same concerns when justifying direct oversight and mandatory incident reporting frameworks. (reinsurancene.ws)

The stakes are real for insurers. A major data breach or prolonged cloud outage can simultaneously impair an insurer’s ability to process claims, administer policies and communicate with policyholders — increasing operational losses at the same time as underwriting exposures spike. Historical breaches at insurers and large service providers have shown how deeply customer trust and balance sheets can be affected when continuity fails. Regulators point to those outcomes as a rationale for more intrusive third‑party supervision. (euronews.com)

Supervisory tools: designation, audits and joint exercises
DORA empowered the three European Supervisory Authorities (EBA, EIOPA, ESMA) to designate critical ICT third‑party providers (CTPPs) and to carry out direct oversight. The ESAs issued a decision on the submission timelines and templates in November 2024, and they ran dry‑run exercises in 2024 to prepare supervisors and firms for collecting register data. If a provider is designated a CTPP, supervisors can require it to undertake resilience testing, provide detailed information on governance and subcontracting, and submit to supervisory examinations. These powers are designed to limit systemic spillovers from a single provider’s failure. (eiopa.europa.eu)

In the U.K., the PRA and Bank have proposed a set of Fundamental Rules for critical third parties, a joint supervisory statement, and expectations on how regulated firms should manage dependencies. The U.K. regime — like the EU’s — is being designed to be interoperable with DORA to the extent possible, reflecting the global nature of cloud markets. (bankofengland.co.uk)

Potential market consequences and concentration mitigation
Several likely market effects flow from the new regime:

  • Contractual re‑pricing and renegotiation: Insurers will seek stronger contractual rights, audit access, and pricing that reflects continuity obligations; major cloud providers may respond with standard terms and carve‑outs that shift residual risk back to customers. Negotiation power matters — larger insurers with multiyear cloud deals are likelier to obtain favorable terms. (eba.europa.eu)

  • Insurance product innovation: New products that explicitly insure cloud downtime or parametric indices linked to provider outages are already emerging, as firms and brokers seek to transfer residual operational continuity risk that standard property/cyber policies exclude. Startups and Lloyd’s market participants are piloting parametric solutions for cloud availability and outage impacts. (parametrixinsurance.com)

  • Consolidation and friction for smaller carriers: Compliance and re‑contracting costs may disproportionately affect smaller carriers and MGAs, potentially accelerating consolidation or prompting more use of specialist TPAs that can amortize compliance costs across clients. EBA guidance attempts to preserve proportionality, but market pressure could still shift dynamics. (eba.europa.eu)

  • Competitive responses from providers: Hyperscalers may strengthen contractual SLAs, invest in more transparent reporting and create “regulated‑sector” service tiers to keep large financial customers. Some providers have already expanded multi‑region and dedicated cloud offerings targeted at regulated financial customers. (canalys.com)

What boards should do now
Supervisors expect boards to move from oversight by exception to continuous, informed oversight. Practical steps include:

  • Board‑level reporting: Provide concise, evidence‑based reports showing how important business services map to third‑party suppliers, the residual concentration exposures, and the outcomes of resilience testing and scenario exercises.

  • Contractual and execution checks: Verify that contracts provide enforceable rights for audit, termination and priority support, and that technical failover architectures are implemented and tested.

  • Scenario testing and exercises: Require executive teams to run joint exercises with major suppliers and to publish (to supervisors on request) after‑action reports demonstrating improvements.

  • Vendor financial health and security posture: Monitor supplier financial resilience and security metrics, including third‑party SOC reports, penetration test programs and patching cadences.

Supervisors have not been shy in setting expectations. EIOPA and the U.K. regulators have said firms should be prepared to show evidence of robust contingency procedures and recovery capabilities by the relevant milestones set in 2025–2026, and national authorities will use supervisory review processes to hold boards to account. (eiopa.europa.eu)

Conclusion: an era of tighter guardrails
The regulatory shift makes clear that supervisors regard third‑party continuity as an issue of prudential safety, not simply a commercial negotiation. The combined effect of DORA, the ESAs’ designation timetable, EBA and EIOPA consultations, and the PRA’s proposals is to bring suppliers — especially the hyperscalers and large TPAs — closer to the supervisory perimeter, while simultaneously raising the bar for boards that rely on them.

For insurers in first‑world jurisdictions, the message to boards is blunt and operational: retain full accountability, document and test continuity end to end, and be prepared to produce standardized registers and incident reports to supervisors. That effort will be costly and complex; but supervisors argue the alternative — systemic interruption caused by a single supplier — is costlier still. As the supervisory architecture crystallizes through consultations and final rules in 2025–2026, the insurance sector will be tested on whether governance reforms and technical investments materially reduce the risk that a supplier failure becomes a market‑wide crisis. (eiopa.europa.eu)

Selected sources and further reading

  • European Supervisory Authorities: Decision and timeline for designation of critical ICT third‑party providers under DORA (EIOPA press release, Nov. 15, 2024). (eiopa.europa.eu)
  • Digital Operational Resilience Act (DORA) overview (EIOPA). (eiopa.europa.eu)
  • EBA: Consultation on draft Guidelines on third‑party risk management for non‑ICT services (press release, July 8, 2025). (eba.europa.eu)
  • PRA / UK regulators: Consultation CP17/24 on operational incident and outsourcing and third‑party reporting (Dec. 13, 2024) and CP26/23 on critical third parties. (bankofengland.co.uk)
  • Canalys and other market trackers on cloud concentration and market share trends (2024–2025). (canalys.com)

(Reporting by [Journalist name]; analysis based on public consultations, regulator press releases, industry reports and supervisory publications between Nov. 2024 and July 2025.)
