Financial regulators have been concerned for a few years now about the concentration of cyber and operational risk created by the (unregulated) technology suppliers to banks. The BCBS operational risk working group, for example, has been concerned about risk concentration among dominant cloud service providers. So it is understandable that EU regulators want the ability to direct banks to stop using providers with proven problems. This reinforces the need for banks to actively manage their risk profile across their whole ecosystem, not just their internal technology assets.
Banks and other financial institutions could be forced to cut ties with cloud providers and other technology suppliers under a draft European Union regulation that aims to limit cybersecurity risks to the sector. National regulators in EU countries could require banks to stop using external technology services if their providers fail to fix cybersecurity problems identified in government inspections. The bill goes beyond existing European legislation mandating cybersecurity rules for the finance sector by requiring technology suppliers to also undergo regulatory scrutiny.