Model Context Protocol (MCP)

What is the Model Context Protocol (MCP)?

The Model Context Protocol (MCP) is an open standard that connects AI Agents and AI applications with external systems — file systems, databases, business systems and developer tools. Anthropic introduced MCP on 25 November 2024; the authors were David Soria Parra and Justin Spahr-Summers. The goal: a unified interface between a language model and the world of tools and data, so that every agent project does not have to reinvent its tool integration.

The central conceptual role of MCP can be captured in a single sentence: in 2026, MCP is the fundamental protocol for Agent-to-Tool. An agent — understood as an LLM that autonomously uses tools in a loop — needs a standardised way to call functions, query data and trigger actions in external systems. This is exactly the layer that MCP standardises. The official, and by now industry-wide shared, distinction is: MCP is for Capabilities (Agent-to-Tool), A2A is for Collaboration (Agent-to-Agent). Google, Salesforce and Microsoft use this phrasing consistently.

Technical Architecture

MCP is based on JSON-RPC 2.0 across multiple transports:

• stdio for local connections,
• originally Server-Sent Events, and since the spec revision of April 2025 additionally Streamable HTTP.

Beyond the transport, the April 2025 revision brought three significant innovations: OAuth 2.1 support, JSON-RPC batching and Tool Annotations. The spec release of November 2025 added asynchronous operations, statelessness, server identity and official extensions. In early 2026, MCP Apps (SEP-1865) standardised the delivery of interactive UI from MCP servers to host applications such as Claude and ChatGPT.

Architecturally, MCP distinguishes between the host application (e.g. Claude, a Copilot Studio agent), the client and the MCP server. The MCP server encapsulates the integration with a specific external system and exposes its capabilities in tool form. From the agent's perspective, every data source and every target system therefore looks the same — a list of clearly described tools with a schema that the agent can call.

A practically relevant side effect: MCP is increasingly being used agent-to-agent as well, by exposing another agent as an MCP "server" with tool-shaped capabilities. This works, but it is not what MCP was designed for. Anthropic, Google and Microsoft consistently recommend using A2A for genuine peer collaboration and limiting MCP to the tool layer.

Governance: Linux Foundation and the Agentic AI Foundation (AAIF)

The most important governance step came on 9 December 2025: Anthropic donated MCP to the newly founded Agentic AI Foundation (AAIF) — a Directed Fund under the Linux Foundation. The AAIF was co-founded by Anthropic, Block and OpenAI, with Platinum support from Amazon Web Services, Bloomberg, Cloudflare, Google and Microsoft.

Further Gold/Silver members include, among others, Adyen, Cisco, Datadog, Docker, IBM, JetBrains, Okta, Oracle, SAP, Snowflake, Twilio, Hugging Face, Pydantic, Uber and SUSE — in other words, practically the entire Agentic-AI stack. MCP joined the AAIF together with Block's goose and OpenAI's AGENTS.md.

Important for context: the technical day-to-day governance remains with the existing MCP maintainers. The AAIF Governing Board is responsible for strategic investments and member recruiting. The move under the Linux Foundation is thus the structurally strongest available signal against fragmentation into proprietary vendor variants — even if, as Cisco itself noted in December 2025, the individual protocol projects are in some cases "still operating as islands".

Adoption 2025/2026

MCP's spread in 2025 was explosive:

• OpenAI officially adopted MCP in March 2025.
• Google DeepMind followed in April 2025 (via a tweet from Demis Hassabis).
• Within the same timeframe, Microsoft Copilot Studio, Cursor, Zed, Windsurf, Replit, Sourcegraph, Block, Apollo and dozens more integrated it.
• Anthropic's Claude offers a directory of over 75 official MCP connectors.
• The SDKs record over 97 million monthly downloads across Python and TypeScript.

MCP is therefore not a niche standard but de facto the universally accepted tool layer across Anthropic, OpenAI, Google, Microsoft, AWS, SAP, Salesforce, ServiceNow, IBM and Cisco.

MCP in the Convergent Protocol Stack

After twelve months of public realignment, the convergent stack for 2026 is unambiguous. Within it, MCP occupies the tool layer and A2A the agent-to-agent layer:

Noteworthy: AGNTCY (Cisco/LangChain/Galileo, donated to the Linux Foundation on 29 July 2025) also builds on MCP rather than replacing it — A2A agents and MCP servers are discoverable via AGNTCY directories. The honest assessment is: MCP + A2A is the convergent industry stack. AGNTCY is the identity/observability layer where it is needed; NANDA remains conceptual.

Security: the Optimistic Trust Model

MCP is the right enabler of the agent ecosystem, but its fundamentally optimistic trust model is not the right basis for trust. In 2025, several classes of attack were documented:

• Indirect Prompt Injection via MCP server descriptions.
• Tool Poisoning — the Invariant Labs WhatsApp proof-of-concept (March 2025).
• Look-alike Server Squatting — fake servers that imitate genuine ones.
• Full-Schema Poisoning (CyberArk) — every part of a tool schema is a potential injection point, not just the description.
• The GitHub MCP integration "Toxic Agent Flow" — a malicious GitHub issue forces the agent to leak from private repos.

These risks intensify in multi-agent architectures: every fresh sub-agent context window is a new attack surface. The EchoLeak class of zero-click-capable prompt injection exploits (CVE-2025-32711, Microsoft 365 Copilot, disclosed by Aim Labs in June 2025) was a single-agent attack — but the underlying trust-boundary flaws scale linearly with the number of agents that take in untrusted content.

The mitigation is the deployer's responsibility in 2026: sandboxing, scope-limited OAuth 2.1 tokens (in line with the April 2025 spec), least-privilege and — as a rule of thumb — never let the agent autonomously install MCP servers from untrusted registries. Whether this is sufficient at large scale is an open question that has not been conclusively answered in 2026.

DACH Relevance

For the DACH region, MCP's relevance is very high — practically unavoidable. Anyone starting an agent project in the mid-market or enterprise in 2026 writes or consumes MCP servers, whether planned or not.

• SAP Joule Studio 2.0 (Sapphire 2026) integrates MCP natively, including an MCP server for ABAP, LeanIX and the Integration Suite. Since the SAP installed base in DACH towers over every other platform, this is the practically most important MCP entry point in the region. SAP's decision to embed Anthropic Claude as the primary reasoning model within an SAP-governed environment is often the decisive procurement option, particularly for BFSI and health deployers.
• Microsoft 365 Copilot, Copilot Studio, Salesforce Agentforce, n8n, LangGraph, Mastra and PydanticAI all speak MCP. Microsoft's own multi-agent guidance is explicit: "Use MCP for tool and data access. Use Linux Foundation A2A for cross-platform agent-to-agent messaging."
• n8n — a German, MCP-native open-core company from Berlin — gained additional significance in 2026 when SAP announced embedded n8n in Joule Studio (its valuation doubled to USD 5.2 billion).

Compliance Notes (informational, not legal advice)

As soon as agents cross multiple compute providers, data-residency and processor boundaries via MCP and A2A hops, every MCP server operator potentially becomes a sub-processor within the meaning of the GDPR. This lengthens the DPA chain (Art. 28 GDPR) and makes it more complex. Cross-border steps additionally trigger Art. 44–49 GDPR; the EU–US Data Privacy Framework remains in force in 2026 but is subject to legal challenge, which is why Standard Contractual Clauses (SCCs) and transfer impact assessments continue to serve as safeguards. These notes are informational and do not replace legal advice; the classifications mentioned are provisional as of the current state and must be assessed sector-dependently (BFSI, health, energy). In practice it is advisable to make MCP tool calls auditable: propagate correlation IDs through every MCP call and pin model versions in production.

Outlook and Practical Guidance

MCP has established itself in 2026 as the standard tool layer of the Agentic stack and is structurally safeguarded against fragmentation under the Linux Foundation. For a DACH project, the rational default recommendation is: MCP for tools, A2A for agents — anything else is a deliberate deviation from the convergent stack and requires justification.

Three concrete practical pointers for getting started: First, use the vendor's standard MCP servers and only write your own MCP servers for proprietary internal APIs — do not build more agents and servers than the problem requires. Second, operate MCP servers behind OAuth 2.1 with least-privilege scopes and never allow autonomous server installation from unknown registries. Third, build observability and auditability into the topology from day one — the EchoLeak class shows that every additional tool and agent integration enlarges the attack surface. What remains open in 2026 is the question of at what point MCP's optimistic trust model creates more security risk than benefit at large scale — a point for the watchlist of every responsible architecture review.