UK and EU Sign Historic MoU on Critical Third-Party Oversight: The Post-Brexit DORA Bridge

On January 14, 2026, the Bank of England and the three European Supervisory Authorities — the EBA, ESMA, and EIOPA — signed a Memorandum of Understanding (MoU) establishing a cooperative framework for the oversight of critical third-party technology providers (CTPPs) serving financial institutions in both jurisdictions.
The MoU is a landmark in post-Brexit financial regulation. Since the UK left the EU, the divergence between the UK's operational resilience framework (PS1/21, PS6/24) and DORA has created compliance complexity for cloud providers, payment processors, and technology platforms that serve financial institutions on both sides of the Channel. The MoU does not eliminate this divergence, but it creates bridges across it.
The Problem the MoU Solves
The fundamental challenge is that most critical technology providers serving European financial institutions also serve UK financial institutions — and vice versa. AWS, Azure, Google Cloud, Bloomberg, Refinitiv, SWIFT, and major payment processors operate across both jurisdictions. When the UK was part of the EU, a single supervisory framework applied. Post-Brexit, these providers face two distinct oversight regimes:
| Dimension | EU (DORA) | UK (PS1/21 + PS6/24) |
|---|---|---|
| Legal framework | Regulation (EU) 2022/2554 | FCA/PRA operational resilience rules |
| CTPP oversight | ESA-led designation and oversight | Bank of England CTPP oversight regime |
| Scope | All financial entities + CTPPs | Banks, insurers, FMIs + CTPPs |
| Testing requirements | TLPT (Art. 26-27) | Scenario testing within impact tolerances |
| Third-party register | Mandatory register of information | Mapping of important business services |
| Incident reporting | 4h/72h/1mo to competent authority | FCA/PRA notification (varying timelines) |
For a cloud provider like AWS, compliance with both regimes means maintaining two sets of documentation, participating in two sets of examinations, and responding to two sets of supervisory inquiries — often covering the same infrastructure and services.
For financial institutions, the dual regime creates uncertainty about which standards their providers should meet and whether compliance with one regime implies compliance with the other.
What the MoU Establishes
The MoU creates five cooperation mechanisms:
1. Information Sharing Framework
The most immediately impactful provision is the bilateral information sharing framework. The ESAs and the Bank of England will share:
- Designation decisions (when a provider is designated as a CTPP in either jurisdiction)
- Supervisory findings from examinations of CTPPs
- Incident intelligence related to CTPPs
- Concentration risk assessments at the system level
2. Joint Examination Protocols
The MoU establishes protocols for joint examinations of CTPPs. When both the ESAs and the Bank of England plan to examine the same provider, the MoU enables:
- Coordinated examination timing (to reduce the burden on the provider)
- Shared examination teams (with appropriate information barriers)
- Common assessment criteria (aligned where possible between DORA and UK requirements)
- Mutual reliance on examination findings (where standards are equivalent)
3. Coordinated Enforcement
When a CTPP is found to have deficiencies in both jurisdictions, the MoU enables coordinated enforcement action. This includes:
- Aligned remediation timelines (so the provider receives consistent deadlines)
- Coordinated communication (so the provider and affected institutions receive a coherent message)
- Mutual notification of enforcement actions
4. Mutual Recognition Principles
The MoU establishes principles for mutual recognition of supervisory assessments. Where DORA and UK requirements are substantially equivalent, an examination conducted under one regime may be recognized by the other — reducing duplication for both the provider and the supervisory authorities.
This is not a blanket equivalence determination. It applies on a case-by-case basis, subject to the judgment of both sides. But it provides a mechanism for avoiding the worst-case scenario: a provider undergoing two identical examinations in the same quarter.
5. Crisis Communication Channels
The MoU creates dedicated communication channels for use during CTPP-related crises. When a critical technology provider experiences a significant incident affecting financial institutions in both jurisdictions, the ESAs and the Bank of England will coordinate their responses through these channels.
The Gulf crisis — which affected cloud providers serving institutions in both jurisdictions — has already tested these channels within weeks of the MoU's signing.
Why This Matters for DORA Compliance
The MoU has several practical implications for DORA-regulated entities:
Reduced Compliance Friction for Multi-Jurisdictional Institutions
European financial institutions with UK operations (and vice versa) face dual compliance requirements for their technology providers. The MoU's mutual recognition principles may allow institutions to demonstrate compliance with one regime as partial evidence of compliance with the other, reducing the total compliance burden.
Enhanced CTPP Oversight Quality
Joint examinations produce better oversight outcomes than separate examinations of the same provider. The MoU enables supervisory authorities to share expertise — the Bank of England has extensive experience with operational resilience supervision since PS1/21 took effect in March 2022, while the ESAs bring DORA's more prescriptive requirements.
Faster Incident Response Coordination
When a CTPP incident affects both UK and EU financial institutions, coordinated supervisory communication ensures that both sets of institutions receive consistent guidance. This is particularly important for DORA Article 19 incident reporting, where institutions need clarity on supervisory expectations during a crisis.
| Benefit | Mechanism | DORA Article |
|---|---|---|
| Reduced compliance duplication | Mutual recognition of examinations | Art. 31-44 CTPP oversight |
| Enhanced oversight quality | Joint examination teams | Art. 33 examination rights |
| Faster incident coordination | Crisis communication channels | Art. 19 incident reporting |
| Consistent expectations | Coordinated enforcement | Art. 35 recommendations |
| Better concentration risk view | Shared system-level assessments | Art. 29 concentration risk |
The Broader Significance: Post-Brexit Regulatory Cooperation
The MoU is significant beyond its immediate DORA implications. It represents the first major post-Brexit cooperation agreement on financial technology regulation between the UK and EU. Previous MoUs covered traditional financial activities (banking, securities, insurance) but not the technology layer that increasingly underpins all financial services.
The MoU also signals that both jurisdictions recognize the reality of technology infrastructure: cloud providers and payment processors do not respect regulatory borders. Effective oversight requires cooperation, not competition, between supervisory authorities.
Limitations and Open Questions
The MoU is a cooperation agreement, not a legal treaty. Several limitations apply:
Non-binding nature: The MoU establishes intentions and protocols but does not create legally enforceable obligations. Either party can withdraw or modify its commitments with notice.
Information barriers: While the MoU enables information sharing, confidentiality constraints limit what can be shared. Supervisory findings that include commercially sensitive information about a CTPP may not be shareable in full.
Equivalence ambiguity: The mutual recognition principles apply "where requirements are substantially equivalent." The determination of substantial equivalence is subjective and will need to be negotiated case by case. Divergence between DORA's prescriptive approach and the UK's outcomes-based approach may limit equivalence findings.
Enforcement coordination limits: Coordinated enforcement requires both authorities to reach consistent conclusions. Where supervisory judgments differ — entirely possible given different regulatory philosophies — coordination becomes challenging.
CTPP designation alignment: The UK and EU may designate different providers as CTPPs, or the same providers at different criticality levels. Misalignment in designation creates an asymmetric cooperation dynamic.
Practical Implications for Financial Institutions
Financial institutions operating across the UK-EU divide should take three practical steps:
- Map your cross-border CTPP dependencies. Identify which of your critical technology providers serve both your UK and EU operations. These are the providers most likely to benefit from the MoU's coordination mechanisms.
- Engage with your providers on dual-regime compliance. Ask your cloud providers and technology platforms how they plan to leverage the MoU's mutual recognition provisions. Providers that can demonstrate compliance with both regimes through a single examination process reduce your compliance burden.
- Align your own oversight frameworks. If you assess the same provider for both DORA Article 28 and UK operational resilience requirements, align your assessment methodologies where possible. This mirrors what the supervisory authorities are doing and positions you to benefit from mutual recognition.
The MoU is a pragmatic solution to a structural problem created by Brexit. It does not restore the single market for financial technology oversight, but it creates the cooperation mechanisms needed to manage the reality of shared technology infrastructure across a regulatory boundary.
See also: DORA vs UK PS1/6 Comparison | ECB Supervisory Priorities 2026-28 | Critical Third-Party Provider Designations
Summary
On January 14, 2026, the Bank of England and the European Supervisory Authorities (EBA, ESMA, EIOPA) signed a historic memorandum of understanding establishing a cooperative framework for the oversight of critical third-party technology providers (CTPPs). The MoU creates five mechanisms: bilateral information sharing (designation decisions, supervisory findings, incident intelligence), joint examination protocols (shared teams, common assessment criteria), coordinated enforcement (aligned remediation timelines), mutual recognition principles (reduced duplication of examinations), and crisis communication channels. For DORA entities, the MoU reduces compliance friction for multi-jurisdictional institutions, improves the quality of CTPP oversight, speeds up the coordination of incident responses, and provides a system-level view of concentration risk. Limitations include its non-binding nature, confidentiality barriers, equivalence ambiguity, and the potential for divergence in CTPP designations.