The European Supervisory Authorities and UK Financial Regulators Sign Memorandum of Understanding on Oversight of Critical ICT Third-Party Service Providers Under DORA

ESMA – Press, Feb 11, 2026

Why It Matters

The MoU deepens EU‑UK regulatory cooperation, reducing systemic risk from ICT service providers and reinforcing operational resilience in a post‑Brexit financial landscape.

Key Takeaways

  • ESAs and UK regulators formalize DORA oversight cooperation
  • MoU confirms UK confidentiality regime equivalent to EU standards
  • Joint monitoring targets critical ICT third‑party risk
  • Coordination aims to boost EU‑UK financial operational resilience
  • Framework aligns with DORA Articles 36, 44, 49

Pulse Analysis

The Digital Operational Resilience Act (DORA) has become the cornerstone of EU financial stability, mandating rigorous oversight of critical information and communication technology (ICT) third‑party service providers. As financial institutions increasingly rely on cloud platforms, data analytics and outsourced cybersecurity solutions, regulators face the challenge of ensuring that these external dependencies do not become vectors for systemic disruption. DORA’s articles on oversight, international cooperation and cross‑sector exercises aim to create a harmonised risk‑management framework that can be applied uniformly across member states, fostering both transparency and accountability among ICT vendors.

The newly signed MoU between the European Supervisory Authorities and the United Kingdom’s BoE, PRA and FCA marks a pivotal step in extending DORA’s reach beyond EU borders. By conducting a targeted equivalence assessment, the ESAs verified that the UK’s confidentiality and professional‑secrecy regime meets EU standards, clearing a major legal hurdle for information exchange. This cooperation signals a pragmatic post‑Brexit approach, where regulatory alignment is pursued where it adds value, rather than being hindered by political divisions. The MoU establishes clear procedures for joint monitoring, data sharing and coordinated supervisory actions, effectively creating a trans‑national safety net for critical ICT services.

For banks, insurers and asset managers, the MoU translates into more predictable oversight and reduced duplication of compliance efforts. Institutions operating in both jurisdictions can now expect a more streamlined reporting process and clearer expectations around third‑party risk assessments. Moreover, the collaborative framework encourages the development of industry‑wide best practices, potentially accelerating the adoption of resilient cloud architectures and automated risk‑analytics tools. As cyber threats evolve, such cross‑border regulatory synergy will be essential to safeguard the integrity of the global financial system.

