
The Bank of England supervises and regulates financial services firms through the Prudential Regulation Authority (“PRA”). Together with another key regulator, the Financial Conduct Authority, the PRA supervises the stability and resiliency of UK financial services firms, and has developed requirements and guidance to improve the operational resilience of the UK financial sector.
Learn more below about how these UK operational resilience requirements affect Cloudflare, and our customers who are supervised by these regulators.

Established in 2013, the UK Prudential Regulation Authority (“PRA”) is a financial regulator responsible for supervising about 1,500 financial institutions in the UK, including banks, building societies, credit unions, insurers, and major investment firms. The PRA's core objective is to ensure these institutions operate in a secure and consistent manner, contributing to the stability and resiliency of the UK financial system. The PRA ensures that financial firms plan for potential business disruptions through a unified approach to risk management.
The UK's operational resilience requirements are rules from the PRA and the Financial Conduct Authority (“FCA”) for UK financial firms, mandating them to prevent, adapt, respond to, and recover from operational disruptions, achieved by setting impact tolerances for their critical business services by March 31, 2025.
Alongside the requirements, the PRA publishes Supervisory Statements (“SS”). A supervisory statement is a document issued by a financial regulator that provides guidance on how firms should comply with regulatory requirements and outlines the regulator's expectations and judgment calls, rather than setting absolute rules. These policies complement the PRA’s policy on operational resilience (referenced here together as the “PRA guidelines”).
SS1/21 sets out the PRA’s expectations for the operational resilience of firms’ important business services, for which they are required to set impact tolerances. The policy objective is to improve the resilience of both individual firms and the wider financial sector.
SS2/21 covers the entire lifecycle of an outsourcing and third-party arrangement.
While Cloudflare, a technology provider, is not directly regulated by the PRA, Cloudflare designs its network and services with resilience, transparency, and security to help its customers meet their regulatory obligations.
SS1/21 on Operational Resilience: Financial institutions must build and maintain operational resilience, which includes establishing impact tolerances for their most important business services. This directly applies to managing the potential impact of any cloud service outages.
SS2/21 on Outsourcing and third-party risk management: Outlines how PRA-regulated firms should comply with requirements related to outsourcing and managing third-party risks, such as those associated with cloud providers.
Critical Third Parties (“CTPs”) Regime: A new regulatory framework under which third-party service providers designated as “critical” to the UK financial system are directly overseen by the Bank of England, the PRA, and the Financial Conduct Authority (“FCA”).
No, Cloudflare is not required to comply directly, because the PRA’s mandate applies only to regulated financial firms. Cloudflare is a technology and network services provider and falls outside the PRA’s direct supervisory scope.
Cloudflare has not been designated as a “critical” third-party service provider at this time. However, Cloudflare understands our important role as a cloud service provider and is prepared to work with regulated customers to support their compliance obligations and cooperate with regulatory authorities.
Yes, SS2/21 outlines specific key contractual provisions that must be included in the contract between third-party service providers and financial entities. These ensure relevant third-party risks are addressed and can be properly managed by the financial entity. They include data security and confidentiality, audit and information rights, termination strategies, regulatory access, and more.
Many of the requirements stated under SS2/21 are already defined in Cloudflare's standard terms. Cloudflare is drafting a UK PRA mapping document which outlines these contractual requirements and how they are met by Cloudflare’s current standard terms.
For additional questions or concerns about individual contracts, Cloudflare customers should contact their account team.
Cloudflare recognizes that many of its customers are regulated firms. Cloudflare aligns its infrastructure, compliance documentation, and contractual commitments to help customers meet their third-party and operational resilience requirements. Cloudflare's platform and contractual model are designed to help firms address these requirements:
Independent third-party audits (SOC 2, ISO 27001, ISO 27701, PCI DSS): To meet audit and oversight requirements.
Contractual commitments and Data Processing Addendum (DPA): To support governance, data security, and GDPR/DPA compliance.
Transparency into sub-processing arrangements: To help customers evaluate supply chain dependencies.
Learn more about how Cloudflare’s connectivity cloud capabilities help enterprises streamline and map to compliance requirements across multiple standards including UK operational resilience and DORA by visiting the data compliance and protection page. For information on how Cloudflare helps meet other financial service industry relevant legislation like NIS 2, visit the NIS 2 Compliance Strategy Hub.
For information on how Cloudflare helps financial institutions ensure security, resiliency, sovereignty, and regulatory compliance, with redundancy for key security controls and by keeping transactions within regions, visit the Cloudflare Banking & Financial Services page.
The EU's Digital Operational Resilience Act (“DORA”) took effect after the UK left the EU, so this regulation does not directly apply in the UK. However, many of the operational resilience requirements are very similar between the two sets of rules, as is the guidance given to regulated financial services firms and to critical third-party service providers.
Learn more about how DORA affects Cloudflare and our customers that fall under the scope of the regulation on our DORA page.
Compliance with the UK financial sector regulations is the responsibility of financial firms, and organizations must understand their responsibilities when it comes to working with cloud third-party providers. As part of ensuring effective governance of an outsourcing arrangement, the PRA expects financial firms to define, document, and understand their and the service provider’s respective responsibilities. Cloudflare provides several responsibility matrices as part of our compliance package for customers to review.
Customers are responsible for their own secure implementation of the Cloudflare platform. This includes managing their data, configuring access controls, and using Cloudflare’s services in a way that aligns with their firm’s specific risk management and operational resilience strategies. Cloudflare provides the tools and controls that allow organizations to maintain visibility, auditability, and governance over their customer environment.
Cloudflare offers customers documentation, certification, and security compliance information through the Cloudflare Trust Hub and Developer Documentation. These resources enable firms to assess the risks and materiality of outsourcing arrangements in line with the PRA rules.
For detailed instructions, visit Cloudflare’s guide.
The Bank of England published information about the PRA, including the PRA Rule Book and Guidance.