To configure a new default registry that will be used to pull images that do not have fully qualified image paths, modify the containerd configuration (/etc/containerd/config.toml) as follows:

version = 2
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
        endpoint = ["https://private.registry.com:443"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."*"]
        endpoint = ["https://private.registry.com:443"]

Please note, that due to an unexpected behaviour of containerd it is currently necessary to explicitely define a mirror for the docker.io registry in addition to defining the default registry (using the wildcard).

Additional note:
nerdctl does not use the CRI API and as such disregards any registry configuration defined in /etc/containerd/config.toml.