Financial regulators have been concerned for a few years now about the concentration of cyber and operational risk created by the (unregulated) technology suppliers to banks. The BCBS operational risk working group, for example, has been concerned about risk concentration among dominant cloud service providers. So it is understandable that EU regulators want the ability to direct banks to stop using providers with proven problems. This reinforces the need for banks to actively manage their risk profile across their whole ecosystem, not just their internal technology assets.