February 02 2026

EU–UK Financial Regulators Collaborate on Oversight of Critical ICT Third-Party Providers


Certain large-scale ICT companies (known as critical ICT third-party providers, "CTPPs") which provide critical cloud storage, technology and data services to banks and other financial institutions play an increasingly significant role in the functioning of financial markets. Post-Brexit, policymakers in the United Kingdom and the European Union have been concerned that CTPPs may now represent a systemic risk to the financial sector. To address this, they have implemented separate regulatory frameworks for supervision of these CTPPs in their respective jurisdictions: the Digital Operational Resilience Act (Regulation (EU) 2022/2554, "DORA") in the EU and the critical third parties regime under the UK Financial Services and Markets Act (2000) (as amended) (the "UK CTP Regime"). To manage legal and operational divergence, the UK and EU have agreed to collaborate on their oversight of CTPPs, as further explained below.

On 12 January 2026, the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (together the "ESAs") and the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority (the "UK Regulators") signed a memorandum of understanding ("MoU"). The MoU establishes cooperation procedures focusing on information exchange, coordinated supervision and enhanced operational resilience of CTPPs they supervise.

This Legal Update explains the MoU’s key provisions, regulatory implications and practical impact for cross-border CTPPs and the banks and financial institutions who rely upon their ICT services.

What is the purpose of the MoU?

The MoU’s primary objective is to facilitate cooperation and coordination between the ESAs and the UK Regulators overseeing CTPPs. It aims to:

  • mitigate operational risks that could impact the financial system;
  • ensure the disclosure and sharing of timely information on CTPPs; and
  • avoid duplicative supervisory activity for CTPPs operating across both the EU and UK.

The MoU reflects the understanding that any credible management of the digital operational resilience of these CTPPs must be undertaken on a cross-border basis.

Which CTPPs fall under the MoU?

CTPPs are designated in the EU by the ESAs in accordance with prescribed criteria under DORA, with an oversight role attributed to one of the ESAs as "Lead Overseer". In November 2025, the ESAs published the official list of CTPPs designated under DORA.

In the UK, HM Treasury has yet to release its list of the CTPPs to be designated under the UK CTP regime. The designation criteria include: (i) the concentration of services provided by the CTPPs to regulated banks and financial institutions, (ii) the materiality of those services and (iii) other drivers of potential systemic impact.

Most of the provisions of the MoU will apply to CTPPs which are mutually designated by both the ESAs and the UK Regulators under both DORA and the UK CTP Regime.

What are the key provisions of the MoU?

The MoU establishes structured mechanisms for cooperation between the ESAs and UK Regulators (see Articles 3–10 of the MoU):

  • Information exchange: to share relevant supervisory information about CTPPs, including compliance assessments, incident reports, risk analyses and annual oversight plans. For example, if a UK-based cloud provider serving EU banks experiences a cyber incident, both ESAs and UK authorities can coordinate response and oversight, sharing relevant information in real time. Any assistance provided will not prejudice the right of either the Lead Overseer or the UK Regulators to exercise other enforcement powers to compel the non-cooperation of a CTPP.
  • Joint planning: to conduct on-site inspections or other oversight activities requiring on-site access to CTPPs' premises used or owned in the UK or EU and provide advance notice of any such inspection or access. Consent of the CTPPs to on-site access may be necessary where required under DORA or the CTP Regime (e.g. where an ESA seeks to access UK premises of an EU CTPP).
  • Infringement notifications: to provide information on non-compliance and infringement of obligations under DORA and the CTP Regime, including any enforcement action to suspend ICT services, investigative or disciplinary proceedings and/or penalties or sanctions imposed by the UK Regulators or the Lead Overseer on the CTPP.
  • Ad-hoc meetings: to convene emergency meetings for systemic events affecting CTPPs, including without limitation, operational or financial difficulties. This will also include sharing post-incident reporting on lessons learned.
  • Secure communication: to use secure electronic channels and designated points of contact to exchange information.

What are the implications for CTPPs operating cross-border in the EU and UK?

  • Mutually designated CTPPs may face coordinated oversight from both EU and UK authorities.
  • They should prepare for potential information requests, on-site inspections, and joint supervisory exercises from the UK Regulators and/or Lead Overseer.
  • The MoU may reduce the administrative burden for mutually designated CTPPs where common areas of oversight are a concern for the UK Regulators and Lead Overseer.
  • The MoU ensures that shared information is subject to confidentiality and professional secrecy (Article 7). It also specifies that information may only be used for supervisory purposes and cannot override existing national or EU legal restrictions.

For example, a pan-European CTPP cloud provider (with a UK presence) may benefit from a single coordinated inspection plan instead of separate EU and UK inspections, but must be ready to cooperate fully with both authorities.

How does this affect banks and financial institutions relying on CTPPs to provide critical ICT services?

  • The MoU will provide enhanced and more coherent supervision of CTPPs to support and improve the resilience of these firms to systemic events which could disrupt the operation of financial markets.
  • The MoU may result in more predictable dual-jurisdiction incident reporting and coordinated responses from the UK and EU subsidiaries of a CTPP to the banks and financial institutions requesting similar information to discharge their own regulatory obligations.
  • This is particularly relevant for banks, insurers and investment firms that, in conjunction with regulators, seek information on technology risks relating to cloud computing, payment processing or core banking platforms and systems, as the UK Regulators and Lead Overseers will be able to coordinate a cross-border view of these risks with greater ease using the coordination procedures under the MoU.

Does the MoU create legal obligations for CTPPs?

No. The MoU governs inter-regulatory cooperation only. It does not impose new obligations on CTPPs under DORA or the UK CTP regime.

CTPPs remain liable under their respective national and EU regulatory frameworks, but can expect more coordinated supervision where they are designated and operate across both jurisdictions.

What are the next steps?

  • UK Regulators and the Lead Overseer will communicate in due course the extent of any joint exercises, coordinated inspections, or incident response drills regarding oversight of CTPPs.
  • The designation of CTPPs under the UK CTP Regime later in 2026 will give the CTPPs already designated in the EU greater insight into the extent of the co-ordinated supervision which will apply to them as a result of this MoU.
  • For non-mutually designated CTPPs, there are fewer requirements under the MoU for UK Regulators and the Lead Overseer to collaborate, but information sharing and co-ordination will occur where deemed necessary by both regulatory authorities.
