The AI rulebook is arriving through the back office
The most important AI finance rule in Europe may not look like an AI rule.
It looks like a third-party resilience file. A register of cloud dependencies. A notification path for a data-centre failure. A supervisory question about whether a bank can keep clearing, settling and valuing collateral when one infrastructure provider has a bad day.
That is the point. EU and UK supervisors are beginning to treat AI infrastructure less as a model-compliance topic and more as market plumbing. The first enforcement surface is unlikely to be a grand debate about frontier models. It will be whether financial firms can prove that the vendors underneath their trading, custody, payments and risk systems are mapped, tested and substitutable.
The January EU-UK memorandum on critical third-party oversight made that shift concrete. The European Supervisory Authorities and the UK financial regulators signed an MoU covering cooperation on critical ICT third-party service providers under DORA and the UK critical-third-party regime. The FCA described the same agreement as a framework for coordinating and sharing information on UK CTPs and EU CTPPs, including during incidents such as power outages or cyber-attacks.
That is not a statement of vibes. It is a mechanism.
The scope is already named
DORA has applied since 17 January 2025. ESMA says the regime covers digital operational resilience across 21 types of financial entities, including ICT risk management, incident reporting, resilience testing, third-party risk and oversight of critical providers. The logic is blunt: finance now depends on ICT providers that are not always supervised like financial firms, so the failure mode moves outside the regulated perimeter.
In November 2025, the ESAs published the first EU list of designated critical ICT third-party providers. It included 19 names: Accenture, Amazon Web Services EMEA, Bloomberg, Capgemini, Colt, Deutsche Telekom, Equinix, FIS, Google Cloud EMEA, IBM, InterXion, Kyndryl, LSEG Data and Risk, Microsoft Ireland Operations, NTT Data, Oracle Nederland, Orange, SAP and TCS, according to the official list.
That list matters because it turns concentration risk into a supervised object. The cloud provider is no longer just a procurement decision. The market-data provider is no longer just a commercial dependency. The system integrator running a core workflow is no longer just vendor management. Once designated, the provider sits inside an oversight framework in which the ESAs can run risk assessments, examinations and recommendations; ESMA says the DORA process covers designation, risk assessment, planning, execution of oversight examinations, and follow-up of recommendations through Lead Overseers and Joint Examination Teams.
The UK regime is not identical, but it rhymes. The FCA, Bank of England and PRA finalised requirements for critical third parties in November 2024, with rules taking effect on 1 January 2025. The FCA says HM Treasury decides designation, and designated CTPs must provide regular assurance, undertake resilience testing and report major incidents.
So the answer to the first anchor question is yes: this has moved beyond cooperation language. The operational layer now has dates, named providers, reporting duties, testing expectations and inspection procedures.
The MoU adds operational teeth
The January MoU is useful because it shows what “coordination” means in practice.
For EU oversight of a CTPP with UK premises, the ESAs may seek an on-site inspection when oversight objectives cannot be met through EU subsidiaries. The MoU says non-urgent inspections should be notified at least six weeks in advance, and as soon as practicable but no later than three weeks before the inspection or investigation. For mutually designated providers, UK authorities are expected to cooperate when consent is obtained. The MoU also says UK authorities should, where practicable, acknowledge ESA inspection notifications within 15 business days; silence can be treated as non-objection.
For UK oversight of a CTP with EU premises, the mirror process applies. The ESAs can assist UK authorities and even people appointed by them, including skilled persons under FSMA.
This is the bureaucratic part that markets tend to underprice. Cross-border oversight is not only a diplomatic channel. It is a route for exam teams, books and records, incident reports, playbook exercises and emergency information exchange.
The MoU explicitly covers emergency situations, including CTP operational incidents and major ICT-related incidents with systemic impact. It allows authorities to exchange incident reports or summaries, seek coordinated responses, work with incident-response frameworks and share lessons learned. It also contemplates joint oversight activities to improve response and recovery, including observing incident-management playbook exercises.
That is where AI enters the story. A model does not have to make lending decisions or trade securities to become systemic. It can sit inside vulnerability discovery, code generation, fraud monitoring, cyber defence, customer workflow automation or vendor support. If the same model provider, cloud layer or software dependency supports enough regulated firms, the relevant question becomes operational: can the sector continue to function when that dependency fails, is attacked, or behaves unpredictably at scale?
The UK made that connection explicit on 15 May. The FCA, Bank and Treasury said frontier AI models have cyber implications because current frontier models’ cyber capabilities are exceeding what a skilled practitioner could achieve, at greater speed, scale and lower cost. Their guidance told regulated firms and financial market infrastructures to plan for faster vulnerability discovery, supply-chain exposure and third-party risks, including external applications, libraries and services integrated into their networks.
That is model risk by another name: not “is the model fair?”, but “does the model compress attack timelines faster than the institution can patch?”
Tokenisation raises the blast radius
The third anchor claim needs a careful answer. The EU-UK CTP MoU itself does not appear to single out tokenisation or high-velocity payment rails as named priorities. Its subject is ICT third-party oversight. But UK authorities are now treating tokenised wholesale markets, settlement hours and payment infrastructure as adjacent resilience work.
On 18 May, the Bank of England and FCA set out a joint vision for tokenisation in UK wholesale markets. They said tokenisation could make issuance, asset management and settlement faster, and that industry wants more certainty on prudential treatment, tokenised collateral and settlement instruments. The same release says the Bank is consulting on extending RTGS and CHAPS settlement hours toward near 24/7 settlement, with weekend and extended daily hours subject to readiness. It also says the Bank and FCA are working with 16 firms in the Digital Securities Sandbox, and that the Bank is targeting a live synchronisation service for 2028.
Separately, the Bank’s March 2026 operational-incident and third-party reporting policy for FMIs will take effect on 18 March 2027. The Bank says the policy is designed to collect timely, structured and accurate information on operational incidents and FMIs’ material third-party arrangements, helping identify potential CTPs and emerging risks in the sector. It also says IOREP is intended to be the sole means for FMIs to report relevant operational incidents, reducing duplicate reporting while preserving direct supervisory contact where needed.
Read together, the direction is clear. Tokenised assets and longer settlement windows do not reduce operational risk. They move more financial activity onto always-on technology dependencies. That makes the provider map more important, not less.
In a slower market, a cloud incident can be a service interruption. In a tokenised collateral market with extended settlement hours, the same incident can become a liquidity, margin and confidence problem before the next committee meeting. Regulators know this. They are quietly building the switchboard.
The investment implication is dull, which is why it matters
For banks, brokers, payment firms and FMIs, the compliance work is not mainly a legal memo. It is architecture.
Boards will need a defensible view of which AI services and ICT vendors support critical or important functions. Procurement teams will need contracts that preserve incident visibility and exit options. Operations teams will need playbooks that include vendor failure, model-enabled cyber acceleration and cross-border authority escalation. Market-infrastructure teams will need to prove that tokenised settlement and near-continuous payment windows do not depend on a single undocumented chain of cloud, data and identity providers.
For infrastructure vendors, designation is a mixed signal. It validates systemic importance. It also invites examination, incident reporting, assurance work and possible public scrutiny after failures. That is a better moat than a dashboard feature. It is also more expensive.
The policy story is not that Europe has solved AI risk. It has not. The story is that supervisors are not waiting for AI law to mature before asserting control over the rails AI will use.
The model layer gets the headlines. The dependency layer gets the enforcement file. In financial markets, the second one usually matters first.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.