From Monday 13 July 2026, the Bank of England, the Prudential Regulation Authority and the FCA will jointly oversee four technology providers, Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK, designated by HM Treasury as "critical third parties" because so much of the UK financial system depends on their cloud services. The aim is to reduce the risk of a single outage disrupting multiple banks or payment providers at once.
TL;DR · LAST REVIEWED 10 July 2026
- The Bank of England, PRA and FCA start jointly overseeing four cloud and technology providers from 13 July 2026, following designation by HM Treasury.
- The four firms are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
- This is oversight of operational resilience, not authorisation. The firms are not becoming FCA-regulated financial firms; the focus is whether their services can keep running, and how they communicate during major incidents.
- The underlying concern is concentration risk: when thousands of firms rely on the same handful of cloud providers, one outage can disrupt banking apps, payments or trading across the sector simultaneously.
KEY FACTS
- Oversight regime takes effect 13 July 2026, jointly run by the Bank of England, PRA and FCA
- Four designated Critical Third Parties (CTPs): Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, Oracle Corporation UK Limited
- Legal basis: Financial Services and Markets Act 2000, as amended by FSMA 2023; final rules published November 2024, in effect since 1 January 2025, applying once a firm is designated
- HM Treasury decides which providers are designated, based on regulator recommendations, and can add or remove firms in future
- Designation is not authorisation: oversight is limited to the resilience of the services CTPs provide to UK financial firms
- Regulators have signed a Memorandum of Understanding with EU counterparts to coordinate with the EU's Digital Operational Resilience Act (DORA)
What's Happening
From Monday 13 July 2026, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) begin jointly overseeing the UK's first designated "critical third parties" (CTPs), following an announcement by HM Treasury. This is the first time these three regulators have jointly overseen technology providers in this way, rather than each firm managing its own third-party risk in isolation.
Who's Been Designated, and Why These Four
The four firms named are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited. All four are major cloud infrastructure providers. HM Treasury is responsible for deciding which providers are designated, generally based on recommendations from the regulators, and the scope is expected to expand over time as further designations are considered.
A CTP is not defined by size alone, but by how many financial firms rely on it and what would happen if its services failed. As the FCA puts it, when a large number of firms depend on the same handful of providers, a single outage or failure at one of them could ripple across multiple banks, insurers or payment providers at the same time, rather than being contained to one company.
What This Actually Requires of These Companies
The new regime is about operational resilience, not financial authorisation. Designated CTPs are not becoming regulated financial firms in the way a bank or insurer is; the FCA is explicit that designation is not the same as authorisation. Instead, CTPs must identify and manage risks to the critical services they provide, and maintain open, timely communication with regulators and the financial firms that depend on them, particularly during major incidents.
Individual banks, insurers and other regulated firms remain responsible for managing their own arrangements with these providers, including due diligence, risk management and contingency planning; the CTP regime sits alongside existing operational resilience rules rather than replacing them.
Why This Matters Beyond the Firms Involved
For most people, this will never be visible directly, but the underlying risk it addresses is one that has caused real disruption before: when a banking app, payment system or trading platform goes down, it is sometimes because of a fault deep in shared infrastructure that many different companies rely on, rather than a problem specific to one bank. Because so much of the UK financial sector now runs on a small number of cloud platforms, a serious outage at one of them has the potential to affect several banks or payment providers on the same day. This regime is aimed at reducing how often that happens and how quickly it's dealt with when it does.
The Legal Basis
The power for regulators to oversee CTPs comes from the Financial Services and Markets Act 2000, as amended by the Financial Services and Markets Act 2023. The FCA, Bank of England and PRA published their final rules and policy for the regime in November 2024, which came into effect on 1 January 2025 and apply automatically once a provider is formally designated by Treasury, as these four now have been.
How This Fits Internationally
Large cloud and technology providers used by financial firms may also be regulated under similar regimes elsewhere, including the EU's Digital Operational Resilience Act (DORA). UK regulators have signed a Memorandum of Understanding with EU counterparts specifically to coordinate oversight of shared providers, reducing the risk of firms facing conflicting requirements across jurisdictions.
What Happens Next
The regulators will periodically review whether each CTP continues to meet the designation criteria, reporting back to Treasury, and will evaluate how well the oversight approach is working in practice. Further providers could be added to the list in future if regulators judge them similarly critical to the stability of UK financial services.
DISCLAIMER
This article is for general information only. Kael Tripton Ltd is an independent editorial publisher and is not authorised or regulated by the Financial Conduct Authority (FCA). It reflects a regulatory oversight regime for technology providers and is not investment, business or compliance advice. ICO registration ZC135439.
Frequently asked questions
What is a Critical Third Party under this new regime?
A technology or service provider, such as a cloud computing company, whose services underpin such a large part of the UK financial system that its failure or disruption could affect multiple firms or markets at once, potentially threatening financial stability.
Does this mean AWS, Google Cloud, Microsoft and Oracle are now FCA-authorised firms?
No. The FCA is explicit that designation as a Critical Third Party is not the same as authorisation. Oversight is limited to the resilience of the specific services these firms provide to UK financial firms, not their business as a whole.
Why should I care about this if I'm not a business?
Because so many banks and payment providers now rely on the same handful of cloud platforms, an outage at one of them can disrupt several banking apps or payment services at the same time. This regime is designed to reduce how often that happens and improve how quickly it's resolved.
When did this take effect?
The oversight regime for these four designated providers takes effect on Monday 13 July 2026, though the underlying rules were finalised in November 2024 and have applied since 1 January 2025.
Could more companies be added to this list later?
Yes. HM Treasury, generally acting on regulator recommendations, can designate further Critical Third Parties in future, and the regulators say the scope is expected to evolve over time.
SOURCES
- FCA, UK financial regulators to begin overseeing Critical Third Parties announced by Treasury – accessed 10 July 2026
- HM Treasury, UK financial system strengthened with new safeguards for major technology providers – accessed 10 July 2026
- The Financial Services and Markets Act 2000 (Critical Third Parties) Regulations 2026 – accessed 10 July 2026