The operational resilience Memorandum of Understanding (MoU) is intended to reduce the risk of fragmented or conflicting supervisory responses during crises, but does not affect payments firms’ responsibility for their own third-party risk management.
The MoU was signed in January 2026 by the UK’s Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA), together with the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).
Its aim is to enhance cooperation by establishing a framework for coordinating and sharing information on the oversight of technology and infrastructure providers whose disruption could pose systemic risks to financial services, including via incidents such as power outages or cyber-attacks.
These include cloud service providers, data and connectivity firms and other ICT suppliers that support large numbers of regulated firms across borders.
The UK's regime for the supervision of critical third parties (CTPs) was established under the Financial Services and Markets Act (FSMA) 2023; the EU’s Digital Operational Resilience Act (DORA) created the critical third-party providers (CTPPs) regime.
For payment service providers (PSPs), the primary benefit of the MoU should be a more coordinated regulatory response during significant operational disruptions.
In November 2025, the ESAs announced their first list of CTPPs under DORA, marking a significant milestone in the EU’s implementation of the regime. By contrast, the UK has yet to announce its initial list, despite growing pressure to act.
In October 2025, for example, a widespread outage at Amazon Web Services (AWS) disrupted several organisations, including Lloyds Banking Group, and prompted the UK’s Treasury Select Committee to write to the economic secretary to the Treasury questioning why AWS had not yet been designated under the CTP regime.
The designation of systemic providers marks the beginning of a significant operational shift for financial institutions, including PSPs, which will need to strengthen their understanding of third-party dependencies and the risks that accompany them.
Smoother supervisory responses, but no let-up in firms’ accountability
The MoU means that PSPs operating across jurisdictions should face a diminished risk from fragmented or conflicting supervisory responses during crises.
The creation of formal communication channels between UK and EU authorities during systemic incidents that affect payment firms in both markets should enable regulators to exchange information and align expectations in real time.
This is particularly relevant in the payments space, where outages can have immediate effects on consumers and on financial stability.
The MoU creates effective interoperability between the UK and EU regimes rather than full harmonisation: CTP and CTPP designation criteria and enforcement tools still differ.
In the UK, designation is made by HM Treasury based on systemic risk to financial stability, with an outcomes-focused supervisory approach. Under DORA, the ESAs designate critical ICT third-party providers using more prescriptive criteria around scale, concentration and substitutability.
However, the MoU increases the likelihood that regulators will be willing to accept equivalent information, testing results or incident reports across regimes.
For PSPs, this should reduce supply-chain complexity over time, as key providers face more consistent resilience expectations rather than duplicative or conflicting demands.
It is important to note that both the UK and EU authorities are clear that direct oversight of CTPs does not reduce accountability for PSPs, which still have firm-level responsibility for their own operational resilience, outsourcing and third-party risk management.
A provider’s designation as “critical” does not remove PSPs’ obligation to conduct due diligence or ensure contractual protections and internal controls, and firms cannot rely on regulatory supervision of a CTP as a defence if their own arrangements fail.
The CTP and CTPP regimes, and the MoU, are intended to complement, not replace, PSPs’ duty to manage their own ICT-related risks, so relevant organisations must maintain robust contractual and operational controls to meet their own resilience requirements, regardless of their provider’s status.
Reviewing operational resilience processes
Because financial organisations typically rely on a small number of third-party providers for core ICT services, any failure can affect large parts of the banking and finance sector. The CTP and CTPP regimes are intended to address this risk, and the MoU should increase their ability to do so effectively in the event of cross-border incidents.
Although PSPs are affected only indirectly by the MoU, given that it refers to the supervision of technology and infrastructure providers, they should still consider a strategic response.
To begin with, it is important to ensure that internal stakeholders understand that regulatory oversight does not replace firm responsibilities. The whole business should be primed to rebuff any suggestion from providers that regulator scrutiny reduces the need for contractual commitments, audits or transparency.
Firms should also implement processes to integrate new information such as CTP self-assessments or incident notifications into risk frameworks, and be able to demonstrate how this information is reviewed, challenged and used to inform risk decisions.
This is also an opportunity for PSPs to review service-level agreements (SLAs), incident reporting timelines, audit rights and escalation provisions to ensure they remain aligned with regulatory expectations. For EU-facing firms, this includes ensuring contracts meet DORA’s mandatory ICT outsourcing clauses.
The UK–EU operational resilience MoU is not a headline compliance change for PSPs, but it is a clear signal of regulatory direction, with authorities converging on a system-wide approach to technology risk.
PSPs should be prepared to operate in a world where third-party resilience is more transparent, more scrutinised and more tightly coordinated across borders.




