On 14 January 2026, the European Supervisory Authorities (EBA, EIOPA and ESMA) and the UK financial services regulators (the BoE, the PRA, and the FCA) (together, the “Authorities”) announced that they had entered into a Memorandum of Understanding (“MoU”) establishing a formal framework for international supervisory cooperation on the oversight of critical ICT third‑party service providers. This reflects, and gives practical effect to, the international cooperation mechanisms envisaged under the EU Digital Operational Resilience Act (“DORA”) and the UK’s Critical Third Parties (“UK CTP”) regime.
The MoU has been widely anticipated. Both the EU and UK regimes recognise that a small number of third‑party ICT providers – cloud service providers, data centres, core infrastructure firms – play a systemically significant role in supporting financial entities. The MoU therefore aims to reduce supervisory blind spots and strengthen cross‑border operational resilience by facilitating structured cooperation, information‑sharing, and coordinated oversight of providers that are designated as ‘critical ICT third-party providers’ under DORA and ‘critical third parties’ under the UK regime (referenced together as “CTPPs”).
Notably, Recital (17) of the MoU emphasises that {our emphasis}: “Nothing in this MoU restricts or prevents the Authorities from sharing information to assist each other in carrying out their functions as may be permitted by law, either under other Memoranda of Understanding between the Authorities or otherwise.” This confirms that the MoU is intended to function as an enabling instrument rather than a limiting one, ensuring that cross‑border supervisory cooperation is not constrained where other legal gateways exist.
1. Expanded and More Systematic Information Sharing
Under the MoU, the Authorities commit to “use best endeavours” to exchange information – where appropriate and insofar as it is legally and operationally permissible – regarding CTPPs that are mutually designated under DORA and the UK CTP. Information subject to exchange includes “any information that is, in the authority’s reasonable view, material to the exercise of the other Authorities’ oversight tasks”.
Information exchanged on the basis of the MoU will be treated as {our emphasis} “confidential unless agreed in writing”, and the Authorities are obliged to “preserve the confidentiality of the information […] as far as legally possible, except as provided in this MoU or pursuant to a legally enforceable demand”. This contemplates, for example, the scenario that exchanged information may need to be shared with law enforcement agencies, in accordance with local laws – subject to the professional secrecy rules continuing to apply.
In practice, mutually‑designated CTPPs should expect:
- Closer supervisory coordination between the Authorities – including, for example, sharing of the findings of on‑site inspections, investigations, and emerging supervisory concerns; and
- Notifications where an Authority considers that a mutually designated CTPP has breached obligations under DORA or the UK CTP regime (as applicable).
Accordingly, CTPPs can anticipate an aggregated view of their compliance posture being formed across Authorities.
2. Coordination of Inspection and Oversight Activities
The MoU provides for strengthened cooperation in the conduct of on‑site inspections of mutually‑designated CTPPs – whether these take place in the UK or within the EU. In particular, the Authorities agree to support each other, as far as practicable and, where required, with CTPP consent (under DORA)[1], in carrying out on‑site inspections across jurisdictions.
The Authorities may also agree to jointly participate in certain oversight activities – the MoU cites, as an example, incident management playbook exercises in the context of the UK CTP regime, which could presumably also extend to threat-led penetration tests under DORA.
From an operational perspective, coordinated inspections will be welcomed by CTPPs, to the extent that they reduce duplication. Overlapping engagements can impose significant strain on CTPPs’ operational teams and business-as-usual activities.
3. Need for Consistency in Engagement and Documentation
The MoU provides that communications, submissions, and relevant documentation provided by CTPPs to EU Authorities (including the ESAs) may be shared with UK Authorities – and vice versa.
As a result, mutually‑designated CTPPs should take steps to ensure:
- Internal alignment between teams managing DORA compliance / ESA engagement and those with a similar UK CTP remit (unless they are one and the same team);
- Consistency and coherence in messaging, policies, and supporting material provided to both EU and UK Authorities; and
- Robust governance and version control to mitigate the risk of material discrepancies between submissions.
The EU-UK MoU marks a significant development in the cross‑border operational resilience landscape, reinforcing the Authorities’ shared commitment to managing systemic third‑party ICT risks. For CTPPs operating under both DORA and the UK CTP regime, the MoU will hopefully translate into more integrated supervision, while at the same time necessitating a high degree of coherence across their regulatory engagements.
Mutually‑designated providers should assess whether their governance structures and internal coordination mechanisms and processes are appropriately calibrated to operate in a world of coordinated cross‑border regulatory scrutiny.
[1] Noting that this is not a requisite under the UK CTP.