Chapter V — Managing of ICT third-party risk
Section II — Oversight framework for critical ICT third-party service providers
International cooperation
Summary
Establishes the framework for cooperation between the Lead Overseer and third-country supervisory authorities regarding the oversight of critical ICT third-party providers operating globally. Aims to avoid regulatory fragmentation while preserving effective oversight of providers that serve EU financial entities from multiple jurisdictions.
Key Requirements
1. ESAs may establish cooperation arrangements with third-country authorities
2. Cooperation must ensure effective oversight of globally operating providers
3. Information exchange subject to confidentiality and data protection safeguards
4. Mutual recognition of oversight findings where appropriate
5. Coordination to avoid contradictory or duplicative requirements
Detailed Analysis
Article 44 addresses the reality that the most critical ICT third-party service providers operate globally, serving financial entities across multiple jurisdictions. Effective oversight of these providers requires cooperation between the EU's oversight framework and the supervisory regimes of third countries — particularly the United States, the United Kingdom, and other jurisdictions where major technology providers are headquartered.
The ESAs may establish cooperation arrangements with third-country supervisory authorities that have comparable oversight objectives. These arrangements facilitate the exchange of information on oversight findings, risk assessments, and supervisory approaches, enabling a more comprehensive view of a globally operating provider's risk profile than any single jurisdiction could achieve independently.
Information exchange under these arrangements must respect confidentiality and data protection requirements. The ESAs cannot share sensitive information about financial entities or providers without adequate safeguards, and third-country authorities must provide equivalent confidentiality protections. This balancing act between openness and protection is essential for building the mutual trust that effective cooperation requires.
Where a third-country jurisdiction maintains an oversight framework that the ESAs assess as equivalent to DORA's, the Lead Overseer may place some degree of reliance on the third country's oversight findings, potentially reducing duplicative activities. However, this is discretionary, not automatic — the Lead Overseer retains the right to conduct its own assessments where necessary to fulfill its mandate. For the global technology industry, Article 44 signals the EU's willingness to cooperate rather than impose unilateral requirements, but its effectiveness depends on the reciprocal willingness of major third-country jurisdictions to engage in supervisory cooperation for the financial sector's technology supply chain.