Summary
- UK regulators begin oversight of the first designated critical third parties from 13 July 2026.
- The first providers are AWS EMEA, Google Cloud EMEA, Microsoft Ireland Operations, and Oracle Corporation UK.
- The regime moves cloud concentration risk into direct financial stability supervision.
The Financial Conduct Authority, the Bank of England, and the Prudential Regulation Authority have begun direct oversight of the first technology providers designated as critical third parties to the UK financial sector.
The first designated providers are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, and Oracle Corporation UK Limited. The regime applies from 13 July 2026 and covers critical services provided to the financial sector, rather than the companies’ wider global operations.
HM Treasury’s designation notice says the providers will be subject to oversight by UK financial regulators to help ensure robust arrangements for identifying, managing, and recovering from operational disruption affecting critical services. The FCA’s statement says disruption or failure at these providers could affect multiple firms or markets at the same time, potentially affecting UK financial stability and services used by millions of consumers and businesses.
The designations change how cloud and major technology dependency is treated. Financial firms remain responsible for managing their own supplier risks, but the new regime recognises that some technology services have become systemically important. A failure at a major cloud or technology provider may not stay inside one institution’s outsourcing register; it could propagate across banks, insurers, payments firms, market infrastructure, and customer-facing services.
The regime is not a ban on cloud concentration, and it does not remove the responsibility of regulated firms to govern outsourcing and third-party risk. It gives regulators a route to gather information, assess resilience, coordinate across providers and firms, and make or enforce provider-specific rules where necessary. That is a different supervisory posture from asking each financial institution to manage systemic provider risk through bilateral contracts.
Cloud concentration has long created a governance mismatch. Individual institutions may gain resilience, scalability, and security benefits from major cloud services, while the financial system as a whole becomes more dependent on a small number of providers. The first designations acknowledge that the risk cannot be fully understood through firm-by-firm procurement decisions.
The new oversight also intersects with cyber risk. A major cloud platform incident may be caused by technical failure, operational error, malicious activity, misconfiguration, identity compromise, or a dependency failure inside the provider’s own supply chain. From a financial-stability perspective, the cause still has to be understood, but the immediate concern is simultaneous disruption across regulated firms, delayed recovery, and uncertainty over authority, evidence, and operational control during a major event.
The first operational tests will sit around critical-service definitions, information requirements, scenario testing, incident communication, and recovery expectations. Providers will need to support resilience oversight without exposing sensitive architecture or creating duplicative compliance across jurisdictions. Financial firms will need to align their own exit planning, resilience mapping, and supplier assurance with the new system-level view.
The first four designations are unlikely to be the last. HM Treasury says further providers may be designated where disruption could pose a risk to UK financial stability or confidence in the financial system. The regime gives UK regulators a rolling mechanism for supervising technology concentration as the financial sector’s operating model continues to move deeper into cloud, data, and AI-enabled infrastructure.




