UK Independent. Sourced. Primary. · Est. 2024
Home News UK Regulators to Oversee AWS, Google Cloud, Microsoft and Oracle
News

UK Regulators to Oversee AWS, Google Cloud, Microsoft and Oracle

The Bank of England, PRA and FCA start jointly overseeing four cloud and tech providers, AWS, Google Cloud, Microsoft Ireland and Oracle, from 13 July 2026, after Treasury designated them as critical to UK financial stability. What this means and why it matters beyond the firms involved.

CT
Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 10 Jul 2026
Last reviewed 10 Jul 2026
✓ Fact-checked
UK Regulators to Oversee AWS, Google Cloud, Microsoft and Oracle

Illustrative image. AI-generated and does not depict real people, places or events.

Advertisement
BUSINESS & REGULATIONUpdated 10 July 2026

From Monday 13 July 2026, the Bank of England, the Prudential Regulation Authority and the FCA will jointly oversee four technology providers, Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK, designated by HM Treasury as "critical third parties" because so much of the UK financial system depends on their cloud services. The aim is to reduce the risk of a single outage disrupting multiple banks or payment providers at once.

TL;DR · LAST REVIEWED 10 July 2026

  • The Bank of England, PRA and FCA start jointly overseeing four cloud and technology providers from 13 July 2026, following designation by HM Treasury.
  • The four firms are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
  • This is oversight of operational resilience, not authorisation. The firms are not becoming FCA-regulated financial firms; the focus is whether their services can keep running, and how they communicate during major incidents.
  • The underlying concern is concentration risk: when thousands of firms rely on the same handful of cloud providers, one outage can disrupt banking apps, payments or trading across the sector simultaneously.

KEY FACTS

  • Oversight regime takes effect 13 July 2026, jointly run by the Bank of England, PRA and FCA
  • Four designated Critical Third Parties (CTPs): Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, Oracle Corporation UK Limited
  • Legal basis: Financial Services and Markets Act 2000, as amended by FSMA 2023; final rules published November 2024, in effect since 1 January 2025, applying once a firm is designated
  • HM Treasury decides which providers are designated, based on regulator recommendations, and can add or remove firms in future
  • Designation is not authorisation: oversight is limited to the resilience of the services CTPs provide to UK financial firms
  • Regulators have signed a Memorandum of Understanding with EU counterparts to coordinate with the EU's Digital Operational Resilience Act (DORA)

What's Happening

From Monday 13 July 2026, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) begin jointly overseeing the UK's first designated "critical third parties" (CTPs), following an announcement by HM Treasury. This is the first time these three regulators have jointly overseen technology providers in this way, rather than each firm managing its own third-party risk in isolation.

Who's Been Designated, and Why These Four

The four firms named are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited. All four are major cloud infrastructure providers. HM Treasury is responsible for deciding which providers are designated, generally based on recommendations from the regulators, and the scope is expected to expand over time as further designations are considered.

A CTP is not defined by size alone, but by how many financial firms rely on it and what would happen if its services failed. As the FCA puts it, when a large number of firms depend on the same handful of providers, a single outage or failure at one of them could ripple across multiple banks, insurers or payment providers at the same time, rather than being contained to one company.

What This Actually Requires of These Companies

The new regime is about operational resilience, not financial authorisation. Designated CTPs are not becoming regulated financial firms in the way a bank or insurer is; the FCA is explicit that designation is not the same as authorisation. Instead, CTPs must identify and manage risks to the critical services they provide, and maintain open, timely communication with regulators and the financial firms that depend on them, particularly during major incidents.

Individual banks, insurers and other regulated firms remain responsible for managing their own arrangements with these providers, including due diligence, risk management and contingency planning; the CTP regime sits alongside existing operational resilience rules rather than replacing them.

Why This Matters Beyond the Firms Involved

For most people, this will never be visible directly, but the underlying risk it addresses is one that has caused real disruption before: when a banking app, payment system or trading platform goes down, it is sometimes because of a fault deep in shared infrastructure that many different companies rely on, rather than a problem specific to one bank. Because so much of the UK financial sector now runs on a small number of cloud platforms, a serious outage at one of them has the potential to affect several banks or payment providers on the same day. This regime is aimed at reducing how often that happens and how quickly it's dealt with when it does.

The Legal Basis

The power for regulators to oversee CTPs comes from the Financial Services and Markets Act 2000, as amended by the Financial Services and Markets Act 2023. The FCA, Bank of England and PRA published their final rules and policy for the regime in November 2024, which came into effect on 1 January 2025 and apply automatically once a provider is formally designated by Treasury, as these four now have been.

How This Fits Internationally

Large cloud and technology providers used by financial firms may also be regulated under similar regimes elsewhere, including the EU's Digital Operational Resilience Act (DORA). UK regulators have signed a Memorandum of Understanding with EU counterparts specifically to coordinate oversight of shared providers, reducing the risk of firms facing conflicting requirements across jurisdictions.

What Happens Next

The regulators will periodically review whether each CTP continues to meet the designation criteria, reporting back to Treasury, and will evaluate how well the oversight approach is working in practice. Further providers could be added to the list in future if regulators judge them similarly critical to the stability of UK financial services.

DISCLAIMER

This article is for general information only. Kael Tripton Ltd is an independent editorial publisher and is not authorised or regulated by the Financial Conduct Authority (FCA). It reflects a regulatory oversight regime for technology providers and is not investment, business or compliance advice. ICO registration ZC135439.

Frequently asked questions

What is a Critical Third Party under this new regime?

A technology or service provider, such as a cloud computing company, whose services underpin such a large part of the UK financial system that its failure or disruption could affect multiple firms or markets at once, potentially threatening financial stability.

Does this mean AWS, Google Cloud, Microsoft and Oracle are now FCA-authorised firms?

No. The FCA is explicit that designation as a Critical Third Party is not the same as authorisation. Oversight is limited to the resilience of the specific services these firms provide to UK financial firms, not their business as a whole.

Why should I care about this if I'm not a business?

Because so many banks and payment providers now rely on the same handful of cloud platforms, an outage at one of them can disrupt several banking apps or payment services at the same time. This regime is designed to reduce how often that happens and improve how quickly it's resolved.

When did this take effect?

The oversight regime for these four designated providers takes effect on Monday 13 July 2026, though the underlying rules were finalised in November 2024 and have applied since 1 January 2025.

Could more companies be added to this list later?

Yes. HM Treasury, generally acting on regulator recommendations, can designate further Critical Third Parties in future, and the regulators say the scope is expected to evolve over time.

Advertisement

Kael Tripton Deals

Verified UK deals: bank switch bonuses, savings rates, insurance offers and more

Checked against provider pages and updated weekly. Every listing labelled. No commission on any financial offer.

See all offers →

Editorial Disclaimer

The content on Kaeltripton.com is for informational and educational purposes only and does not constitute financial, investment, tax, legal or regulatory advice. Kaeltripton.com is not authorised or regulated by the Financial Conduct Authority (FCA) and is not a financial adviser, mortgage broker, insurance intermediary or investment firm. Nothing on this site should be construed as a personal recommendation. Rates, figures and product details are indicative only, subject to change without notice, and should always be verified directly with the relevant provider, HMRC, the FCA register, the Bank of England, Ofgem or other appropriate authority before any financial decision is made. Past performance is not a reliable indicator of future results. If you require regulated financial advice, please consult a qualified adviser authorised by the FCA.

CT
Chandraketu Tripathi
Finance Editor · Kaeltripton.com
Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.

Stay ahead of your money

Free UK finance guides, rate changes and money-saving tips — straight to your inbox. No spam, unsubscribe anytime.

Read More

Get Kael Tripton in your Google feed

⭐ Add as Preferred Source on Google