EU banks should reduce their reliance on US Big Tech, top supervisor says

BRUSSELS — European banks and other finance firms should decrease their reliance on American tech companies for digital services, a top national supervisor has said.

In an interview with POLITICO, Steven Maijoor, the Dutch central bank’s chair of supervision, said the “small number of suppliers” providing digital services to many European finance companies can pose a “concentration risk.”

“If one of those suppliers is not able to supply, you can have major operational problems,” Maijoor said.

The intervention comes as Europe’s politicians and industries grapple with the continent’s near-total dependence on U.S. technology for digital services ranging from cloud computing to software. The dominance of American companies has come into sharp focus following a decline in transatlantic relations under U.S. President Donald Trump.

While the market for European tech services isn’t nearly as developed as in the U.S. — making it difficult for banks to switch — the continent “should start to try to develop this European environment” for financial stability and the sake of its economic success, Maijoor said.

European banks being locked in to contracts with U.S. providers “will ultimately also affect their competitiveness,” Maijoor said. Dutch supervisors recently authored a report on the systemic risks posed by tech dependence in finance.

Dutch lender Amsterdam Trade Bank collapsed in 2023 after its parent company was placed on the U.S. sanctions list and its American IT provider withdrew online data storage services, in one of the sharpest examples of the impact on companies that see their tech withdrawn.

Similarly a 2024 outage of American cybersecurity company CrowdStrike highlighted the European finance sector’s vulnerabilities to operational risks from tech providers, the EU’s banking watchdog said in a post-mortem on the outage.

In his intervention, Maijoor pointed to an EU law governing the operational reliability of banks — the Digital Operational Resilience Act (DORA) — as one factor that may be worsening the problem.

Those rules govern finance firms’ outsourcing of IT functions such as cloud provision, and designate a list of “critical” tech service providers subject to extra oversight, including Amazon Web Services, Google Cloud, Microsoft and Oracle.

DORA, and other EU financial regulation, may be “inadvertently nudging financial institutions towards the largest digital service suppliers,” which wouldn’t be European, Maijoor said.

“If you simply look at quality, reliability, security … there’s a very big chance that you will end up with the largest digital service suppliers from outside Europe,” he said.

The bloc could reassess the regulatory approach to beat the risks, Maijoor said. “DORA currently is an oversight approach, which is not as strong in terms of requirements and enforcement options as regular supervision,” he said.

The Dutch supervisors are pushing for changes, writing that they are examining whether financial regulation and supervision in the EU creates barriers to choosing European IT providers, and that identified issues “may prompt policy initiatives in the European context.”

They are asking EU governments and supervisors “to evaluate whether DORA sufficiently enhances resilience to geopolitical risks and, if not, to consider issuing further guidance,” adding they “see opportunities to strengthen DORA as needed,” including through more enforcement and more explicit requirements around managing geopolitical risks.

Europe could also set up a cloud watchdog across industries to mitigate the risks of dependence on U.S. tech service providers, which are “also very important for other parts of the economy like energy and telecoms,” Maijoor said.

“Wouldn’t there be a case for supervision more generally of these hyperscalers, cloud service providers, as they are so important for major parts of the economy?”

The European Commission declined to respond.