
The UK-EU Critical Third-Party MoU: Post-Brexit Regulatory Cooperation on Cloud Oversight
In January 2026, the Bank of England and EU supervisory authorities signed a memorandum of understanding on the oversight of critical third-party technology providers — the first concrete post-Brexit regulatory cooperation mechanism for cloud and ICT infrastructure oversight.
Key Metrics
- Regulatory Frameworks Coordinated: Coordinated via MoU (was: Independent UK + EU regimes). First post-Brexit CTP cooperation mechanism.
- Cloud Providers in Scope: Coordinated oversight (was: Separate oversight). AWS, Azure, GCP serving both jurisdictions.
- Examination Approach: Coordinated/joint examinations (was: Potentially duplicative). Reduced provider burden, improved coverage.
- Regulatory Conflict Risk: Structured conflict resolution (was: Contradictory requirements possible). Aligned recommendations process.
The Situation
The Architecture of Cross-Border CTP Oversight
The Bank of England-EU MoU established a structured framework for cross-border cooperation on critical third-party oversight, addressing the practical challenges of supervising global technology providers that serve financial institutions in both jurisdictions.
Information Sharing Framework
The MoU established protocols for sharing supervisory information about designated critical third-party providers between UK and EU authorities. This includes sharing examination findings and recommendations, coordinating on identified risks and vulnerabilities, exchanging information about provider remediation actions and timelines, and alerting each other to significant incidents affecting shared providers.
For financial institutions, this information sharing has practical implications. A risk or vulnerability identified by the PRA during its examination of a cloud provider's UK operations can be shared with the ESAs, who can then assess whether the same risk exists in the provider's EU operations. This creates a more comprehensive supervisory picture than either jurisdiction could achieve independently.
Coordinated Examination Approach
The MoU addressed the risk of duplicative examinations — a concern raised by cloud providers who argued that parallel, uncoordinated examinations from multiple regulators would be burdensome and potentially contradictory. The agreement established mechanisms for coordinating examination schedules, sharing examination methodologies, and where possible conducting joint or coordinated examinations that address both UK and EU supervisory objectives simultaneously.
This coordination benefits financial institutions indirectly. Cloud providers facing coordinated rather than duplicative regulatory demands are better positioned to invest in resilience improvements rather than compliance administration. And examination findings that address cross-jurisdictional risks — such as the resilience of data replication between UK and EU regions — are more useful to financial institutions than findings limited to a single jurisdiction.
Aligned Recommendations
Perhaps most significantly, the MoU established a framework for aligning supervisory recommendations to critical third-party providers. Without coordination, the UK and EU could impose contradictory requirements — for example, the UK requiring data to be stored in the UK and the EU requiring the same data to be stored in the EU, creating an impossible compliance situation for cloud providers serving both jurisdictions.
The alignment framework does not require identical recommendations — the UK and EU maintain independent supervisory authority — but it creates a process for identifying and resolving conflicts before they reach the provider, reducing the risk of contradictory compliance obligations.
Implications for Financial Institutions
For financial institutions operating in both UK and EU markets, the MoU has several practical implications:
Simplified compliance landscape: The coordination between UK and EU CTP oversight reduces the risk that cloud providers will be subject to contradictory requirements, simplifying the compliance environment for financial institutions that use these providers in both jurisdictions.
Enhanced oversight quality: Cross-border information sharing improves the quality of supervisory oversight, giving regulators a more complete picture of provider resilience and enabling more effective identification of cross-jurisdictional risks.
Greater predictability: The establishment of a formal cooperation framework creates greater predictability for financial institutions planning their cloud strategies, reducing the risk of unexpected regulatory changes that affect cross-border cloud deployments.
Continued cross-border cloud usage: The MoU implicitly validates the use of cloud infrastructure that spans UK and EU jurisdictions, addressing concerns that post-Brexit regulatory divergence might force financial institutions to separate their UK and EU cloud deployments entirely.
The Challenge
Bridging the Post-Brexit Regulatory Gap
On January 14, 2026, the Bank of England announced the signing of a memorandum of understanding (MoU) with EU supervisory authorities on the oversight of critical third-party technology providers serving the financial sector. This agreement represented a significant development in post-Brexit regulatory cooperation — and a practical acknowledgment that the major technology providers serving European finance (AWS, Microsoft Azure, Google Cloud, and others) operate across both UK and EU jurisdictions without regard for political boundaries.
The MoU addressed a structural problem created by Brexit. Before the UK's departure from the EU, the oversight of technology providers serving EU financial institutions was coordinated through the European Supervisory Authorities (ESAs). After Brexit, the UK developed its own critical third-party (CTP) oversight framework through the Financial Services and Markets Act 2023, while the EU developed its framework through DORA Art. 31-44. Both frameworks recognized the same systemic risk — the concentration of financial sector technology services in a small number of global providers — but they operated independently, creating the potential for duplicative or contradictory oversight demands on the same technology providers.
The practical challenge was straightforward: AWS operates data centers in both London and Frankfurt. Microsoft Azure serves banks in both the City of London and Paris. Google Cloud processes financial data for institutions supervised by both the PRA and the ECB. If the UK and EU each independently examine these providers and impose different requirements, the providers face conflicting compliance obligations while gaps in oversight emerge at the jurisdictional boundary.
For DORA compliance, the MoU represented a significant step forward. Art. 31-44 of DORA establishes the framework for designating and overseeing Critical ICT Third-Party Providers (CTPPs), and the Joint Oversight Network coordinates EU-level supervision. The MoU extended this coordination to include the UK's parallel CTP framework, creating a mechanism for information sharing, coordinated examinations, and aligned recommendations.
The significance extended beyond administrative convenience. The major cloud providers' European operations are deeply interconnected across UK and EU infrastructure. Data replication, failover mechanisms, and multi-region architectures routinely span both jurisdictions. Effective oversight of these providers' resilience requires visibility into both their UK and EU operations — which is only possible through cross-border regulatory cooperation.
The Approach
DORA Art. 31-44 in Practice: What the MoU Means
The UK-EU MoU on critical third-party oversight is the first practical implementation of cross-border cooperation under DORA's third-party oversight framework. It provides concrete answers to questions that the regulation's text left open.
Art. 31 — Designation of Critical ICT Third-Party Providers
DORA Art. 31 establishes criteria for designating CTPPs, including the systemic importance of the services provided, the degree of substitutability, and the number of financial entities relying on the provider. The MoU implicitly coordinates the designation process between the UK and EU — ensuring that providers designated as critical in one jurisdiction are considered for equivalent treatment in the other.
This coordination matters because the major cloud providers' criticality is inherently cross-jurisdictional. AWS's importance to European finance is not limited to either the UK or the EU — it spans both. A coherent designation approach that recognizes this cross-jurisdictional criticality is more effective than independent designations that may reach different conclusions about the same provider.
Art. 33 — Lead Overseer Powers
DORA Art. 33 empowers the designated Lead Overseer to conduct general investigations and on-site inspections of CTPPs. The MoU establishes how these oversight activities are coordinated when the CTPP operates in both jurisdictions. Rather than requiring the provider to undergo separate, potentially contradictory examinations, the MoU enables coordinated oversight that covers both UK and EU operations.
For CTPPs, this coordination reduces compliance burden. For supervisory authorities, it improves oversight effectiveness by providing a complete picture of the provider's operations and resilience across both jurisdictions. For financial institutions, it provides greater assurance that their critical technology providers are subject to comprehensive oversight.
Art. 35 — Recommendations and Remediation
DORA Art. 35 enables the Lead Overseer to issue recommendations to CTPPs. The MoU addresses the challenge of aligning recommendations across jurisdictions — ensuring that the UK's recommendations to a cloud provider are consistent with the EU's, and that providers are not forced to implement contradictory measures.
The alignment process does not subordinate either jurisdiction's authority — both maintain independent regulatory autonomy. Instead, it creates a structured dialogue that identifies potential conflicts early and resolves them before they reach the provider. This is a pragmatic approach that respects regulatory sovereignty while acknowledging the reality that global technology providers cannot implement contradictory requirements.
Art. 44 — International Cooperation
DORA Art. 44 specifically addresses cooperation with third-country (non-EU) authorities on ICT third-party risk. The UK-EU MoU is the first concrete implementation of this provision — establishing a bilateral cooperation mechanism between the EU's DORA framework and the UK's parallel CTP framework.
The MoU may serve as a template for similar agreements with other non-EU jurisdictions that are developing their own CTP oversight frameworks — the US (through the Federal Reserve and OCC), Australia (through APRA), and Singapore (through MAS). As CTP oversight becomes a global regulatory norm, bilateral cooperation agreements will be essential to prevent regulatory fragmentation.
The Results
The Global CTP Oversight Landscape
The UK-EU MoU is a milestone in the development of global critical third-party oversight for financial services. It demonstrates that cross-border regulatory cooperation on technology provider oversight is both necessary and achievable, even between jurisdictions with different regulatory frameworks and political relationships.
A Template for Global Cooperation
The MoU's structure — information sharing, coordinated examinations, aligned recommendations, and conflict resolution — provides a template that can be adapted for other bilateral relationships. As more jurisdictions develop CTP oversight frameworks, the number of bilateral cooperation agreements will grow. The UK-EU MoU establishes practical precedents for how these agreements function.
Key design principles that other jurisdictions can adopt include mutual recognition of examination findings (reducing duplicative provider examinations), structured conflict resolution for contradictory recommendations, joint or coordinated examination options for cross-jurisdictional risks, and early warning mechanisms for incidents affecting shared providers.
The Provider Perspective
For major cloud providers, the MoU represents both an opportunity and a constraint. The opportunity is reduced compliance burden — coordinated oversight is less burdensome than duplicative, uncoordinated examinations from multiple regulators. The constraint is comprehensive oversight — cross-border cooperation eliminates the possibility of regulatory gaps at jurisdictional boundaries.
Providers that have been positioning their European operations to meet both UK and EU requirements will find that the MoU validates their approach. Providers that have been relying on jurisdictional gaps to avoid scrutiny will find those gaps closing.
Remaining Gaps
The MoU addresses UK-EU cooperation but leaves several gaps in the global CTP oversight landscape:
US-EU cooperation: US cloud providers (AWS, Azure, GCP) are the dominant providers in European finance. While DORA Art. 44 enables cooperation with non-EU authorities, no formal US-EU CTP oversight MoU exists. Given that the US does not have an equivalent federal CTP oversight framework, establishing such cooperation will require creative regulatory design.
Multi-jurisdictional coordination: As more countries develop CTP frameworks, bilateral MoUs will multiply. Eventually, multilateral coordination mechanisms may be needed to prevent the proliferation of bilateral agreements from creating its own complexity.
Emerging market coverage: Financial institutions in the EU increasingly use cloud services hosted in emerging markets (India, Southeast Asia, Gulf states). CTP oversight cooperation with these jurisdictions is underdeveloped compared to cooperation with established regulatory partners.
Implications for Financial Institution Strategy
Validate cross-border cloud strategies. The MoU implicitly endorses the use of cloud infrastructure spanning UK and EU jurisdictions, reducing the risk that regulatory divergence will force institutions to separate their deployments. Financial institutions can plan cross-border cloud strategies with greater confidence.
Monitor designation processes. As both UK and EU CTP designation processes advance, financial institutions should monitor which providers are designated and what requirements are imposed. Designation-triggered requirements may affect cloud service configurations, data residency arrangements, and exit planning.
Engage in consultation processes. Both UK and EU authorities will consult with industry during the development of CTP oversight procedures. Financial institutions should actively participate in these consultations to ensure that oversight requirements are practical and proportionate.
Assess provider readiness. Financial institutions should assess whether their critical cloud providers are prepared for CTP oversight — including whether providers have the governance structures, reporting capabilities, and operational transparency necessary to meet oversight requirements. Provider readiness affects the institution's operational resilience.
Lessons Learned
1. DORA Art. 31-44 CTPP oversight effectiveness depends on cross-border regulatory cooperation — major cloud providers operate across jurisdictions, and oversight limited to one jurisdiction provides an incomplete picture of provider resilience.
2. DORA Art. 44 international cooperation provisions are essential for effective CTP oversight — the UK-EU MoU demonstrates that bilateral agreements can bridge different regulatory frameworks while respecting each jurisdiction's autonomy.
3. Coordinated CTP examinations reduce compliance burden on providers while improving oversight quality — duplicative examinations waste provider and regulatory resources without improving financial sector resilience.
4. Financial institutions should monitor CTPP designation processes in both UK and EU jurisdictions and assess how designation-triggered requirements may affect their cloud strategies, data residency, and exit planning.
5. The UK-EU MoU may serve as a template for CTP oversight cooperation with other jurisdictions (US, Australia, Singapore) — the bilateral cooperation model will scale as more countries develop CTP frameworks.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.