The European Supervisory Authorities and UK Financial Regulators Sign Memorandum of Understanding on Oversight of Critical ICT Third-Party Service Providers Under DORA

EBA – News, Jan 14, 2026

Why It Matters

The pact aligns regulatory expectations across the EU and UK, reducing systemic risk from digital service providers and ensuring consistent resilience standards for financial institutions.

Key Takeaways

  • ESAs and UK regulators formalize DORA cooperation
  • MoU covers info sharing, joint oversight of ICT providers
  • UK confidentiality regime deemed equivalent to EU standards
  • Aims to boost financial sector operational resilience
  • Strengthens cross‑border third‑party risk management

Pulse Analysis

Digital operational resilience has become a cornerstone of modern finance, as banks and asset managers increasingly rely on cloud platforms, data analytics firms and cybersecurity specialists. The EU’s Digital Operational Resilience Act (DORA) was introduced to create a uniform framework for managing ICT risks, mandating that critical third‑party service providers meet strict oversight criteria. By targeting the same set of providers, regulators aim to prevent service disruptions that could cascade through interconnected markets, safeguarding both consumer confidence and systemic stability.

The newly signed Memorandum of Understanding translates DORA’s cross‑border provisions into concrete cooperation between the European Supervisory Authorities and the United Kingdom’s BoE, PRA and FCA. Built on Articles 36, 44 and 49, the MoU defines protocols for sharing confidential information, conducting joint inspections and coordinating enforcement actions. A key prerequisite was the ESAs’ targeted equivalence assessment, which verified that the UK’s confidentiality and professional‑secrecy regime matches EU requirements, thereby unlocking seamless data exchange. This legal alignment ensures that supervisory bodies can act swiftly on emerging ICT threats without breaching privacy safeguards.

For the financial industry, the agreement signals a more predictable regulatory landscape for ICT outsourcing decisions. Firms operating in both jurisdictions can now anticipate harmonized expectations, reducing duplication of compliance efforts and lowering the cost of risk assessments. Moreover, the strengthened oversight framework is likely to accelerate the adoption of best‑in‑class security practices among technology vendors, fostering a more resilient supply chain. As digital services continue to evolve, the EU‑UK collaboration sets a precedent for broader international cooperation on cyber‑risk governance.
