Regulators do not coordinate oversight of ICT providers because it makes everyone’s lives easier. They coordinate when they believe a disruption could ripple across the financial system, overwhelm firms’ contingency plans, and erode trust in markets.
That is the message behind the EU/UK Memorandum of Understanding (MoU) signed in January 2026 between the European Supervisory Authorities (EBA, EIOPA, ESMA) and the UK authorities (Bank of England, PRA, FCA) [1].
It sets a framework for cooperation and information-sharing on the oversight of critical information and communications technology (ICT) third-party providers (CTPPs): technology firms whose services underpin key financial activities across multiple institutions and markets. The agreement focuses particularly on incidents where cross-border dependencies mean ‘local’ oversight is no longer sufficient. [2]
For risk, compliance and cyber leaders, the main significance is what the MoU signals about where supervision is heading: toward system-wide dependency risk, more joined-up scrutiny, and a higher bar for evidence. This direction is also reflected in the UK’s critical third party (CTP) regime, which allows regulators to designate technology providers whose disruption could threaten the resilience of the financial system.
Why regulators coordinate only at the systemic layer
Most supervisory oversight is designed to be firm-specific: are you managing your risks in line with expectations? Coordination becomes a priority when the risk is no longer contained within an individual firm’s perimeter.
That is what systemic ICT risk looks like. It is created by three forces that are now difficult to avoid:
- Concentration: A small number of providers (cloud platforms, identity services, core connectivity, managed security, market data) support a large share of financial activity
- Interdependence: The same providers underpin not just technology functions, but core business services: payments, trading, customer onboarding, credit decisioning
- Common-mode failure: Even well-managed firms can be exposed to the same failure mode at the same time: a misconfiguration, a software update, a region outage, a compromised component in the supply chain.
This is the lens that sits behind both DORA’s oversight of CTPPs in the EU and the UK’s CTP regime, and it is why authorities have built mechanisms to coordinate oversight activity when providers have material footprints in both jurisdictions. [3]
When regulators coordinate, they are asking whether your operating model can withstand a shock that arrives through shared dependencies.
This systemic lens is already being applied in practice. In November 2025, the European Supervisory Authorities published the first official list of designated CTPPs under DORA oversight [4]. These providers were identified following submissions from financial institutions across the EU and represent technology services whose disruption could have broad market impact. The initial list highlights how concentrated certain financial technology dependencies have become [5].
The governance problem: systemic risk exposes fragmented truths
Systemic risk is hard to manage inside a firm, because it does not map neatly to organisational charts.
Third-party risk sits in procurement, vendor management, or a dedicated risk team. Controls sit with information security and compliance. Service mapping sits with IT operations or resilience teams. Incident management sits with security operations and crisis teams. Board reporting sits with enterprise risk.
Each function is competent within its lane, but the weakness happens between lanes. Under coordinated, DORA-style scrutiny, that fragmentation stops being an internal inconvenience and becomes a governance weakness. You see it when an outage or compromise forces leadership to ask basic questions and the answers are slow, partial, or contradictory:
- Which critical services depend on this provider, and where are the single points of failure?
- What controls actually reduce exposure and what evidence do we have right now?
- What is the impact pathway: from provider disruption to service failure to customer harm to regulatory breach?
- What have we tested, what failed, and what residual risk remains?
If your dependency map is a spreadsheet, your control evidence is in folders, your incident records sit in a separate platform, and your assurance is a point-in-time activity, the organisation will struggle to demonstrate resilience as a connected, decision-ready capability.
What good ICT governance looks like under systemic scrutiny
Good ICT governance in a systemic risk environment is about having an operating model that can withstand a provider-led shock and demonstrate quickly, coherently, and repeatedly that resilience is real.
A practical way to frame this model is using the ICT risk management capability lifecycle:
- Identify: Map critical services to ICT assets, data and third-party dependencies (including sub-outsourcing and concentration), and be clear on likely impact pathways
- Protect and prevent: Apply core safeguards consistently (access, configuration, change, backup/recovery and resilience design) across entities, environments and key third-party touchpoints
- Detect: Detect early enough to prevent cascade, with monitoring tied to service impact and agreed escalation thresholds
- Respond and recover: Execute under pressure with clear ownership and tested playbooks. Maintain critical services, restore control, and document decisions and residual risk
- Learn and evolve: Feed incidents, tests and near misses back into risk assessments, control improvements and third-party governance
- Communicate and escalate: Use defined escalation paths and timely coordination to meet reporting and stakeholder expectations, often across multiple regulators.
This lifecycle aligns with both DORA and the UK regulators’ intent for the CTP regime.
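The Identify step of the lifecycle, and the board questions about which critical services depend on a provider and where the single points of failure are, can be checked mechanically once the dependency map is structured data rather than a spreadsheet. The following is an added example (not code from Protecht or from the page): it models critical services, the alternative provider sets each can run on, and sub-outsourcing chains, then answers "what fails if this provider fails?", lists single points of failure, and flags concentration above a threshold. All service and provider names are constructed sample data; the sub-outsourcing entry for the identity provider is there to show how a "hidden" dependency can quietly defeat an apparent cloud fallback.

```python
"""Dependency map with concentration and single-point-of-failure checks.

Added example, not from the original page. Models critical business
services, the providers they run on, and sub-outsourcing chains, then
answers "which services depend on this provider?" and "where are the
single points of failure?". All names below are constructed sample data.
"""

# Constructed sample data: critical service -> list of alternative provider
# sets. A service stays up if ANY one alternative set is fully up; every
# provider in an alternative set is needed for that alternative to work.
SERVICES = {
    "payments":       [{"cloud-a", "idp-x"}, {"cloud-b", "idp-x"}],
    "trading":        [{"cloud-a", "marketdata-m"}],
    "onboarding":     [{"cloud-a", "idp-x"}],
    "credit-scoring": [{"cloud-b"}],
}

# Constructed sub-outsourcing: provider -> providers it itself depends on.
# "idp-x" running on "cloud-a" is the hidden dependency: the cloud-b
# alternative for payments still needs idp-x, so it does not survive a
# cloud-a outage.
SUB_DEPENDENCIES = {
    "idp-x": {"cloud-a"},
    "marketdata-m": {"connectivity-c"},
}


def transitive_failures(failed, sub_deps=SUB_DEPENDENCIES):
    """Return every provider that is down once `failed` is down, following
    sub-outsourcing chains (a provider fails if any sub-provider fails)."""
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for provider, deps in sub_deps.items():
            if provider not in down and deps & down:
                down.add(provider)
                changed = True
    return down


def impacted_services(failed, services=SERVICES, sub_deps=SUB_DEPENDENCIES):
    """Critical services that lose every alternative when `failed` goes down."""
    down = transitive_failures(failed, sub_deps)
    return sorted(
        svc for svc, alternatives in services.items()
        if all(alt & down for alt in alternatives)
    )


def single_points_of_failure(services=SERVICES, sub_deps=SUB_DEPENDENCIES):
    """Map each provider to the services that fail if that provider alone fails."""
    providers = {p for alts in services.values() for alt in alts for p in alt}
    providers |= {p for deps in sub_deps.values() for p in deps} | set(sub_deps)
    spof = {}
    for provider in sorted(providers):
        hit = impacted_services({provider}, services, sub_deps)
        if hit:
            spof[provider] = hit
    return spof


def concentration(services=SERVICES, sub_deps=SUB_DEPENDENCIES, threshold=0.5):
    """Providers whose single failure takes down at least `threshold` (a
    fraction) of the critical services; the threshold is an assumed policy value."""
    total = len(services)
    return {
        provider: len(hit) / total
        for provider, hit in single_points_of_failure(services, sub_deps).items()
        if len(hit) / total >= threshold
    }


if __name__ == "__main__":
    for provider, hit in single_points_of_failure().items():
        print(f"{provider}: single failure takes down {hit}")
    print("concentration above threshold:", concentration())
    print("cloud-b + marketdata-m together:",
          impacted_services({"cloud-b", "marketdata-m"}))
```

The same structure extends to sub-sub-outsourcing (add entries to the sub-dependency map) and to regional or shared-infrastructure dependencies (model a region or a shared network as a provider). The useful output for a board pack is the single-point-of-failure table and the concentration list, regenerated whenever the vendor register or service map changes rather than assembled by hand after an incident.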
UK authorities have been explicit that CTP designation is not a badge of safety, and it does not transfer accountability away from firms.
Firms still need to manage the risks arising from third-party dependencies, particularly concentration and the credibility of exit and resilience planning. [6]
Regulators may focus more on providers at the systemic level, but they will still judge firms on whether governance holds together when a shared dependency fails.
What the MoU world means for evidence provision
The EU/UK MoU itself is a cooperation instrument, rather than a new rulebook. It won’t change your obligations overnight, though it will change the tempo of scrutiny when a shared provider fails, and it is a meaningful signal of where supervisory attention will gather:
- Dependency clarity. Boards and regulators expect firms to know where they are exposed to critical providers, including ‘hidden’ dependencies through sub-contractors and shared infrastructure.
- Assurance that holds together. Scrutiny increasingly focuses on whether firms can connect controls, testing, incidents, and remediation into a coherent assurance story.
- Operational resilience as lived capability. During incidents, regulators will look for timeliness, accountability, and decision-quality. The MoU explicitly anticipates more intensive cooperation in emergencies, including rapid information-sharing and coordination.
The firms that cope best tend to be those that have already treated cyber resilience as part of enterprise governance, connected to risk, compliance, resilience, and third-party management, rather than as a siloed technical discipline.
Conclusions and next steps for your organisation
The EU/UK MoU should be read as a signpost. Regulators are building the machinery to coordinate when a provider failure could harm more than one firm, more than one market, or more than one jurisdiction.
That does not mean every firm will face the same intensity of scrutiny tomorrow. It does mean the direction is clear: ICT governance needs to be connected, measurable, and decision-ready.
If your resilience story depends on manual stitching between vendor registers, control evidence, incident records, service maps, and board packs, it will be harder to sustain under systemic pressure. If your resilience story is integrated, it becomes easier to evidence, easier to improve, and easier to defend.
Wondering how quickly you could evidence ICT governance under a major provider disruption? Our cyber risk eBook gives a practical playbook for connecting risk, controls, incidents and assurance.
If you’re already investing in a stronger governance model, request a demo to see how Protecht supports connected, auditable resilience.
[1] EU/UK MoU (PDF): https://www.eba.europa.eu/sites/default/files/2026-01/de600abf-6683-4b73-ac38-4e941ff10a58/MoU%20DORA%20oversight%20ICT%20CTPPs%20_EU-UK%20%28publication%29.pdf
[2] ESMA announcement on MoU signing: https://www.esma.europa.eu/press-news/esma-news/european-supervisory-authorities-and-uk-financial-regulators-sign-memorandum
[3] FCA statement on the MoU: https://www.fca.org.uk/news/statements/uk-and-eu-regulators-sign-memorandum-understanding-strengthen-oversight-critical-third-parties
[4] XBRL article: https://www.xbrl.org/news/doras-list-lands-as-scrutiny-of-critical-ict-third-party-providers-begins/
[5] EIOPA full list (PDF): https://www.eiopa.europa.eu/document/download/56b1ca78-5dd2-4d36-8377-47a538eb7558_en?filename=List%20of%20designated%20CTPPs.pdf
[6] Bank of England / PRA / FCA joint policy statement on the UK CTP regime: https://www.bankofengland.co.uk/prudential-regulation/publication/2024/november/operational-resilience-critical-third-parties-to-the-uk-financial-sector-policy-statement