EU & UK Regulators Align on Oversight of Critical Tech Providers Under DORA

Key Takeaways
  • Regulators Close Ranks on Tech Risk: EU and UK financial authorities have signed a formal cooperation agreement to jointly oversee critical ICT third-party providers whose services underpin banks, insurers, and markets on both sides of the Channel.
  • DORA Oversight Goes Cross-Border: The MoU supports the Digital Operational Resilience Act by setting out how EU and UK supervisors will coordinate oversight, inspections, and information sharing when providers are deemed critical in both jurisdictions.
  • UK Confidentiality Regime Cleared: Before signing, the European Supervisory Authorities confirmed that the UK’s professional secrecy and confidentiality framework is equivalent to EU requirements under DORA, clearing a key legal hurdle for information exchange.
  • Less Duplication, More Coordination: The agreement is designed to reduce overlapping supervisory demands on providers while still allowing regulators to address systemic ICT and cyber risks effectively.
  • Incident Response Is a Core Focus: The MoU strengthens coordination during major ICT and cyber incidents with cross-border impact, linking EU and UK incident response frameworks to enable faster, more coherent action.
Deep Dive

The European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) signed a new Memorandum of Understanding with the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority, formalizing how they will work together to oversee critical ICT third-party service providers under the EU’s Digital Operational Resilience Act.

The agreement reflects a shared reality regulators have been grappling with for years. Cloud providers, data processors, and other ICT firms now sit deep inside the financial system, often serving banks, insurers, and markets on both sides of the Channel at once. When something goes wrong at one of those providers, the impact rarely respects borders.

The new MoU is designed to make sure supervision doesn’t fragment along jurisdictional lines. It sets out how EU and UK authorities will cooperate, share information, and coordinate oversight when a technology provider is deemed critical to both markets. The goal is straightforward: stronger third-party risk management and fewer blind spots in the operational resilience of the financial sector.

Much of the framework flows directly from the Digital Operational Resilience Act, which gives the European Supervisory Authorities direct oversight powers over ICT providers designated as critical to the EU financial system. Under DORA, one of the ESAs acts as a Lead Overseer for each designated provider, with the ability to request information, carry out investigations, and conduct on-site inspections.

Where those providers are based outside the EU, DORA adds a further safeguard. Non-EU firms designated as critical must establish an EU subsidiary within 12 months, which becomes the focal point for supervisory engagement. The MoU explains how that EU-side oversight will mesh with the UK’s own regime when the same provider is also considered critical to the stability or confidence of the UK financial system.

On the UK side, oversight of critical third parties sits within a dedicated framework under the Financial Services and Markets Act 2000. Once HM Treasury designates a provider as critical, responsibility is shared between the Bank of England, the PRA, and the FCA, operating under aligned rules and joint supervisory expectations. The MoU effectively stitches the two systems together, setting out how inspections, reviews, and information requests will be coordinated to avoid unnecessary duplication while still giving regulators what they need.

Incident response is another major theme running through the agreement. DORA has already established a pan-European coordination framework for handling major cyber incidents with systemic impact. The UK regime places similar emphasis on collective incident response and close cooperation between authorities, firms, and affected financial entities. The MoU provides a structured way for those frameworks to talk to each other when an incident crosses borders, which regulators increasingly see as the norm rather than the exception.

Before signing the agreement, the ESAs also carried out an assessment of the UK’s confidentiality and professional secrecy regime, confirming it meets the equivalence threshold required under DORA. That step was essential, as information sharing between authorities depends on confidence that sensitive supervisory data will be protected to the same standard on both sides.

The MoU does not introduce new legal requirements for firms, but it sends a clear signal about regulatory direction. Oversight of critical ICT providers is no longer a purely domestic exercise, and resilience expectations are converging across the EU and UK. For firms that sit at the heart of the financial system’s digital infrastructure, operational resilience and third-party risk are now being supervised through a genuinely cross-border lens.
