From today, some of the companies that run much of the world’s computing come under the oversight of Britain’s financial regulators. On Monday, July 13, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority began jointly overseeing the first Critical Third Parties to the UK financial system, and all four are cloud and technology providers: Amazon Web Services, Google Cloud, Microsoft and Oracle. It is the first time these firms have faced direct oversight from UK financial regulators, and it is a formal acknowledgement of something the industry has known for years: a large share of regulated finance now runs on a handful of clouds, and the failure of one could ripple across the system.

What Was Designated, and Under What Power

The designations were made by HM Treasury, which under the regime decides which providers count as critical, generally on the regulators’ recommendation. The essentials:

  • The four providers: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited.
  • The legal basis: the Financial Services and Markets Act 2000 as amended by the Financial Services and Markets Act 2023, which gave the three regulators new powers over critical third parties.
  • The timeline: the rules were finalised in November 2024 and took effect on 1 January 2025, applying immediately to any provider once HM Treasury designates it; the Critical Third Parties (Designation) Regulations 2026 brought the first four into scope from July 13.

One distinction matters: designation is not authorisation. The regulators are not licensing these companies or supervising their wider businesses, only the resilience of the critical services they supply to UK financial firms.

The Problem It Targets: Concentration as Systemic Risk

The logic is concentration. When thousands of banks, insurers and payment firms depend on the same few cloud providers, a single outage stops being one company’s problem and becomes the sector’s. “As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk,” said Sarah Breeden, the Bank of England’s Deputy Governor for Financial Stability. The Bank’s framing is blunt: disruption or failure at one of these providers could affect multiple firms or markets at the same time, potentially hitting UK financial stability and services used by millions of consumers and businesses. Under the regime, the designated providers must identify and manage risks to their critical services and keep open, timely communication with regulators and the firms that rely on them, particularly during major incidents.

What the Regulators Can Now Do

The oversight is described as proportionate and focused narrowly on resilience, but it comes with teeth. The regulators can gather information, assess the providers’ resilience, and work with them to address risks to the continuity of critical services, including by making and enforcing CTP-specific rules where necessary. “By bringing critical third parties into the scope of oversight, we are ensuring that the infrastructure underpinning UK financial services is robust enough to support UK financial stability and confidence,” said Katharine Braddick, Deputy Governor for Prudential Regulation and chief executive of the PRA. Crucially, the regime complements rather than replaces existing rules: regulated firms remain responsible for their own outsourcing, due diligence and contingency planning. The cloud providers become a second line of accountability, not a substitute for the first.

Part of a Global Move on Cloud Concentration

The UK is not acting alone. The Bank explicitly notes that these providers may also fall under similar regimes elsewhere, notably the European Union’s Digital Operational Resilience Act, and in January the UK and EU regulators signed a memorandum of understanding to coordinate and share information on overseeing critical third parties. Together the two frameworks reach the same conclusion on both sides of the Channel: cloud infrastructure has become too systemically important to sit outside financial regulation. For the hyperscalers, it means resilience obligations and a regulator relationship in one more critical market. For the cloud and hosting industry more broadly, it is a marker of how far the centre of gravity has shifted, from a market where scale was purely a commercial advantage to one where, past a certain size, it draws the attention of the people whose job is systemic risk.