On 14 January 2026, the European Supervisory Authorities (ESAs) comprising of the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA), together with the UK’s key financial regulators i.e. the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), signed a Memorandum of Understanding (MoU) to co-ordinate oversight of critical Information and Communication Technology (ICT) third-party service providers under the EU’s Digital Operational Resilience Act (DORA) framework.
The MoU formally sets out principles, procedures and mechanisms for cooperation, information sharing and coordinated oversight activities between the ESAs and UK authorities regarding critical third-party providers that support financial entities on both sides of the Channel. Its aims are to enhance operational resilience across the financial sector in both jurisdictions, manage systemic risks arising from ICT failures or cyber incidents, and strengthen cross-border regulatory cooperation.
What this Agreement covers
Under DORA, the EU has created a new oversight regime for critical ICT third-party providers (CTPPs) — providers of cloud, data and other ICT services that are crucial to the functioning of financial institutions and markets.
The UK has introduced a parallel regime for Critical Third Parties (CTPs) serving UK financial firms. The MoU links these two frameworks so that regulators on both sides can:
- Share supervision strategies and risk assessments;
- Coordinate responses to major operational incidents (such as outages or cyber-attacks); and
- Avoid duplicative regulatory burdens on firms that operate across the EU and UK.
The MOU widens communication lines between the two jurisdictions to enable updates on the effectiveness of their supervisory approach – and the effectiveness of industry’s response to operational resilience requirements. Essentially, the MOU promotes better co-operation amongst both jurisdictions by supporting consistent resilience expectations, improving the visibility of cross-border risks, and strengthening authorities’ ability to address systemic ICT vulnerabilities affecting financial stability.
What does it mean for the payments industry?
The MoU fosters better information sharing and joint oversight of critical suppliers (e.g. cloud services, payment processes, core infrastructure) that support payment systems, fraud monitoring, settlement platforms and distributors.
Its set to facilitate faster cross-border response management during outages or cyber incidents, reducing service flow disruption and service quality issues for consumers.
The MoU will impact technology companies relied on by payment and e-money firms to execute transactions, particularly cloud service providers, data analytics firms and core banking technology vendors; The MoU means greater regulatory scrutiny for them across both the EU and UK, but also more co-ordinated supervision, meaning providers designated as critical under DORA receive more global information requests on their technological arrangements with firms.
What does it mean for compliance teams?
For compliance teams, the MoU significantly raises the bar on operational resilience, third-party risk management and regulatory coordination.
This means outsourced providers used by firms designated as critical under DORA may face joint information requests, inspections and incident-response expectations that are shared between EU and UK regulators.
Firms are likely to experience increased demands from their critical outsourced providers in response to information requests from regulators. The growing dependency on cloud and infrastructure providers places greater scrutiny on firms to strengthen service level agreements and tighten exit strategies with critical providers.
In turn, firms should set clearer expectations for their own risk management and vendor management frameworks as wider regulatory oversight moves firms into a high-risk category. This requires firms to ensure they evidence robust and detailed risk registers based on the eco-system facilitating its payments instead of focusing solely on activity by the firm. These risk registers should encompass business continuity and incident reporting by critical third-party providers.
Compliance teams must ensure robust mapping of critical ICT providers, clear contractual rights (audit, access and exit), and strong incident reporting and escalation processes. They will need to co-ordinate closely with procurement, IT and risk teams to demonstrate ongoing oversight of vendors such as cloud and payments providers. While the MoU reduces the risk of conflicting regulatory demands, it also means regulators will share information, increasing the likelihood that weaknesses identified in one jurisdiction are scrutinised in the other.
Please feel free to get in touch if you’d like to discuss further.
