Tech & Sourcing @ Morgan Lewis

The European Parliament recently published a report (the Report) on the interplay between several key EU digital regulations to assess overlap and gaps and highlight the regulatory complexity that these different regimes have collectively imposed on businesses.

Morgan Lewis’s technology, outsourcing, and commercial contract team, along with Boston Consulting Group, recently hosted a roundtable dinner in London, during which senior stakeholders from technology suppliers and large businesses discussed how the rapid evolution of artificial intelligence (AI) is impacting offshoring and outsourcing.

The European Supervisory Authorities (ESAs) published on November 18, 2025 a list of 19 critical information and communications technology (ICT) third-party providers (CTPP) that will be subject to direct oversight under the EU Digital Operational Resilience Act (DORA). The list includes hyperscale cloud providers, data center providers, infrastructure and network providers, and providers of financial services-specific technology.

The European Banking Authority (EBA) recently published a consultation paper (Consultation) that proposes to expand third-party risk management requirements for certain EU-regulated financial entities. The Consultation would extend the EBA’s current guidelines around outsourcing arrangements (EBA Guidelines) to all third-party services arrangements, excluding those services that are within scope of the EU Digital Operational Resilience Act (DORA), and would add further requirements to the existing guidelines, aligning with those requirements introduced under DORA.

We are excited to welcome Mathilde Carle as a partner in Morgan Lewis’s Paris office and as a guest contributor to our Tech & Sourcing Spotlight series to discuss intellectual property (IP) protection and other related issues in agreements to design, build, license, host, and support digital solutions, including automation, AI, and software as a service (SaaS) products.

Digital transformation continues to be a buzzword for 2025, with companies considering or implementing new user-facing and back-office artificial intelligence (AI) solutions and other digital tools to enhance end-user experience (UX), business operations, IT infrastructure and resilience, and data flow and connectivity between devices and environments. These digital transformation projects often require project-based resources with specific skill sets that may not be readily available within a company to meet the desired implementation timelines. As a result, many companies engage third-party providers to design, build, test, and/or implement their digital transformation strategies.

As part of our Spotlight series, we welcome Marie Davy, who recently joined Morgan Lewis as a partner in our Paris office, to discuss key issues to consider when negotiating global distribution agreements.

Gone are the days when a company could outsource the “people” that perform a business process without considering, and likely including in the outsourcing arrangement, the digital enablement of the underlying workflows and activities.

UK financial regulators recently published their supervisory expectations for critical third party service providers (CTPs) to the financial sector under the United Kingdom’s new regime extending regulatory oversight to CTPs. The final rules align with key themes of other regulatory regimes seeking to reinforce operational resilience (e.g., the EU Digital Operational Resilience Act (DORA)) around risk management, supply chain management, and incident management, among other areas.

The UK Financial Conduct Authority (FCA) on October 31, 2024 published observations and key lessons from how firms responded to the CrowdStrike IT outage. The outage caused disruption across several industries globally, and the FCA highlights for UK financial services the importance of ensuring operational resilience in order to minimize the potential impact of future events on consumers and markets.