If your business depends on a small set of shared providers for cloud, identity, payments, or data platforms, your operational resilience risk is no longer just a “your firm” issue. It is a system-wide dependency. Regulators are now shifting supervision to where that risk sits: at the provider level, not just inside each regulated company.
On 14 January 2026, EU and UK authorities signed a Memorandum of Understanding (MoU) to cooperate and exchange information on oversight of critical Information and Communications Technology (ICT) third-party providers that sit across both jurisdictions.
Translation: if a provider is “critical” to the EU under DORA law and also matters to UK financial stability under the UK’s CTP framework, supervision is meant to be more coordinated and less siloed.
What is a Memorandum of Understanding (MoU)?
A quick point on the MoU. It is explicitly not legally binding, so it does not create new legal powers by itself. It still matters, though, because it formalizes how supervisors coordinate, share information, and avoid the classic failure mode where everyone assumes “the other regulator has it covered.”
“The MoU establishes clear principles and procedures for cooperation, information sharing and coordination of oversight activities.”
EU’s DORA law and the UK’s CTP framework explained
Now the context you need upfront.
Under DORA, certain Information and Communications Technology (ICT) third-party service providers can be designated “Critical ICT Third-Party Service Providers” (CTPPs) and put under an EU oversight framework led by a “Lead Overseer.”
Similarly, under the UK regime, HM Treasury can designate “critical third parties” (CTPs) where disruption could threaten UK financial stability or confidence, and UK regulators set resilience expectations for those providers.
Different legal mechanics, same outcome: systemic ICT dependency cannot be managed firm-by-firm anymore.
What the EU–UK ICT oversight pact changes in practice
Why this matters is straightforward. When disruption hits, regulators increasingly do not care that your business had a policy, a contract clause, or an annual questionnaire.
“This is not a box ticking exercise.”
Instead, they want to know what you actually tested, what broke, who signed off on the risk, what evidence you can produce, and how fast you fixed the problem.
That’s the shift we’re watching at CoreStream GRC: from third-party risk as procurement to third-party risk as operational accountability. In practice, this is where risk management tools and risk assessment software either prove their value or get exposed as box-ticking.
“A fundamental reframing of third-party risk management; from a procurement and compliance function into an enterprise resilience capability.”
What changes after this pact? Three things tend to follow.
- First, the same major provider will face more scrutiny from multiple regulators at once, with more pressure to align oversight, so providers cannot exploit gaps between jurisdictions.
- Second, firms will be expected to show that their controls are consistent across regions. If your UK setup is tighter than your EU setup (or vice versa), that inconsistency becomes a governance problem, not a local preference. This is where strong governance, risk and compliance (GRC) platforms matter, because you need one view of controls, testing, issues, and remediation across the business.
- Third, there’s a bigger push toward provider-level resilience and concentration risk. The question is not only “are our internal controls good enough?” It’s “what happens to us, and to everyone else, if this one vendor goes down?”
That puts vendor risk management software under pressure to show real operational insight: dependencies, testing evidence, failure scenarios, and tracked remediation, not just due diligence artifacts.
DORA vs UK CTP oversight: same direction, stronger enforcement
On the EU side, DORA’s oversight model is designed to get close to how the provider actually operates. Supervisors can request information, run investigations, carry out inspections, and issue recommendations that reach into subcontracting arrangements. In some cases, that can include asking a provider to pause new subcontracting deals until specific risks are addressed. This is a big shift for anyone relying on third party risk management software and a risk management system to monitor vendor controls, because the regulator’s lens is increasingly on the provider’s real-world setup, not just what the customer firm collects in due diligence.
And DORA has real enforcement behind it. The Lead Overseer can impose periodic penalty payments on a critical ICT third-party provider to compel compliance with its measures: 1% of the provider’s average daily worldwide turnover in the preceding business year, charged daily until the provider complies, for up to six months.
This is not “naming and shaming.” It is a lever designed for providers that ignore supervisory measures. That changes the stakes for risk and compliance software and compliance software more broadly, because evidence, issue tracking, and remediation timelines stop being internal hygiene and start being supervisory-grade expectations.
On the UK side, the direction is similar, but it is framed through operational resilience standards for Critical Third Parties. UK supervisors have been clear that they want proof of resilience, not just written intent.
That means scenario testing, incident simulations, and practiced response plans. If you are serious about this, incident management software and incident reporting software need to connect to business continuity planning in a way that produces clear evidence of what was tested, what failed, and what was fixed.

The wider trend: looking beyond the EU and UK
The wider trend is obvious once you look past the first contract. The hard problems sit in the subcontracting chain and fourth parties, where services are layered, accountability gets blurry, and the blast radius of an outage expands fast.
Supervisors globally have been signaling this for years, especially on cloud concentration and third-party dependency risk. This is exactly where vendor risk management software and third-party risk management software either gives you real visibility, or it just stores PDFs.
A quick reality check across other regions shows the same trajectory.
In the US, regulators have pushed a lifecycle model for third-party relationships: planning, due diligence, contract negotiation, ongoing monitoring, and termination, with clear board and senior management accountability throughout.
In the Middle East, outsourcing regimes often set strong baselines too, including minimum standards, auditability, and the principle that risk ownership stays with the regulated entity, for example through UAE Central Bank outsourcing requirements and SAMA outsourcing rules.
Different labels, same direction: outsourced tech is treated as core risk, not admin. That is why a risk management system, audit management system, and compliance management software increasingly need to work together, because oversight is moving from paperwork to provable operational control.
What resilience and third-party leaders should do now
Keep the action list tight and specific:
- Map critical services to providers at service-impact level, not just vendor registers.
- Treat fourth parties as first-class citizens: require visibility, controls, and exit thinking.
- Build an evidence model (tests run, outcomes, decisions, remediation trails), not a document library.
- Assume “one provider, multiple regulators”: define internal owners and response playbooks now.
- Move from annual reviews to continuous oversight for truly critical dependencies.
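The first two items above (service-level mapping and fourth-party visibility), together with the concentration-risk question raised earlier (“what happens to us, and to everyone else, if this one vendor goes down?”), come down to walking a dependency graph. The following is an added illustration, not CoreStream GRC code and not a regulator’s model: it takes a hypothetical map of critical services, their direct providers, and those providers’ subcontractors (all names constructed for the example), then computes which providers each service ultimately rests on and which providers sit under several services at once, including ones that never appear in any direct vendor register.

```python
"""Dependency mapping for critical services: an added illustration.

All service and provider names are constructed for the example; this is not
CoreStream GRC code and does not model any regulator's designation process.
"""
from collections import deque

# Each critical service depends directly on one or more providers (third parties).
# Each provider may itself subcontract to further providers (fourth parties and beyond).
SERVICE_DEPS = {
    "retail-payments": ["payments-gateway-co", "identity-idp"],
    "trade-settlement": ["cloud-east", "market-data-co"],
    "online-banking": ["cloud-east", "identity-idp"],
    "card-issuing": ["payments-gateway-co"],
}
SUBCONTRACTS = {
    "payments-gateway-co": ["cloud-east"],
    "identity-idp": ["cloud-east", "sms-otp-co"],
    "market-data-co": ["cloud-west"],
    "cloud-east": [],
    "cloud-west": [],
    "sms-otp-co": [],
}


def upstream_providers(service, service_deps=SERVICE_DEPS, subcontracts=SUBCONTRACTS):
    """Return every provider the service depends on, transitively, mapped to the
    shortest chain length: 1 = direct third party, 2 or more = fourth party and beyond.
    Breadth-first search records each provider at its nearest tier and tolerates
    cycles in the subcontracting data."""
    tiers = {}
    queue = deque((provider, 1) for provider in service_deps.get(service, []))
    while queue:
        provider, tier = queue.popleft()
        if provider in tiers:
            continue  # already reached by a shorter chain, or a cycle
        tiers[provider] = tier
        for sub in subcontracts.get(provider, []):
            queue.append((sub, tier + 1))
    return tiers


def blast_radius(provider, service_deps=SERVICE_DEPS, subcontracts=SUBCONTRACTS):
    """Return the set of critical services that lose a dependency if `provider`
    fails, whether it is a direct vendor or buried in a subcontracting chain."""
    return {
        service
        for service in service_deps
        if provider in upstream_providers(service, service_deps, subcontracts)
    }


def concentration_report(service_deps=SERVICE_DEPS, subcontracts=SUBCONTRACTS, threshold=2):
    """List (provider, affected services) for providers whose failure hits at least
    `threshold` services, largest blast radius first. Providers reachable only
    through subcontracting are included deliberately: they are the ones a
    vendor-by-vendor review misses."""
    providers = set(subcontracts) | {p for deps in service_deps.values() for p in deps}
    impact = {p: blast_radius(p, service_deps, subcontracts) for p in providers}
    return sorted(
        ((p, sorted(services)) for p, services in impact.items() if len(services) >= threshold),
        key=lambda item: (-len(item[1]), item[0]),
    )


if __name__ == "__main__":
    for provider, services in concentration_report():
        print(f"{provider}: {len(services)} critical services -> {services}")
```

In the constructed data, cloud-east is a direct provider to only two services but sits under all four once subcontracting is followed, which is the concentration picture a vendor register alone would not show. Real data would come from contract inventories and provider subcontracting disclosures, and the chain lengths give a first cut at which fourth parties deserve direct visibility.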
As EU and UK supervisors start comparing notes, the bar is getting brutally simple: show how a critical service stays up, how you know, and what you changed when it did not.
The teams that cope will be the ones who can pull evidence fast, clearly, and consistently across regions: who own the dependency, what was tested, what failed, what was fixed, and when. That level of proof is hard to run from documents and spreadsheets once you have dozens of critical third parties and constant change.
CoreStream GRC is built for that reality, keeping ownership, controls, testing evidence, and remediation history in one place so you can answer the question regulators actually ask, not the one your policy was written for.
FAQ on the EU UK ICT MoU, DORA and third party risk
What is the EU–UK ICT oversight MoU?
The EU–UK ICT oversight MoU is an agreement between EU supervisory authorities and UK financial regulators to cooperate and share information on oversight of critical ICT third-party providers. It focuses on coordination, especially during incidents such as cyber attacks or major service outages, rather than creating new legal powers.
Is the MoU legally binding?
No. The MoU is not legally binding and does not create new regulatory powers. Its importance lies in how it formalizes cooperation between regulators, reduces supervisory gaps, and supports coordinated oversight of providers that are critical across both jurisdictions.
How does the MoU relate to DORA?
Under DORA, certain ICT third-party providers can be designated as Critical ICT Third-Party Service Providers and placed under EU-level oversight. The MoU supports cooperation between EU and UK authorities when a provider falls within both DORA’s scope and the UK’s critical third-party framework.
What is the UK critical third party (CTP) regime?
The UK CTP regime allows HM Treasury to designate third-party providers whose disruption could threaten UK financial stability or confidence. Regulators then set operational resilience expectations for those providers, focusing on real-world testing, incident response, and service continuity.
Why does fourth-party risk matter?
Fourth-party risk increases complexity and obscures accountability. Services are often layered through subcontractors, meaning a single outage can cascade across multiple providers. Regulators increasingly expect firms to understand and manage these downstream dependencies, not just direct vendors.