Summary
- The UK has designated four major cloud providers as Critical Third Parties for financial services.
- Microsoft Ireland Operations, Google Cloud EMEA, AWS EMEA SARL, and Oracle Corporation UK are covered from 13 July 2026.
- The regime reflects regulatory concern over cloud concentration, operational resilience, incident reporting, and systemic technology dependencies.
The UK government has designated Microsoft, Google Cloud, Amazon Web Services, and Oracle as Critical Third Parties to the financial sector, bringing major cloud service providers under direct regulatory oversight from 13 July 2026.
The designations apply to Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL, and Oracle Corporation UK Limited. The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority will oversee services whose disruption could affect the stability of, or confidence in, the UK financial system.
The government’s official update describes the regime as targeted and proportionate, with further providers potentially designated over time. The move follows information gathering and engagement with the companies.
Cloud becomes financial infrastructure
Cloud platforms are no longer only outsourced IT suppliers to banks, insurers, asset managers, and payment providers. They operate part of the digital infrastructure behind customer applications, analytics, security tooling, storage, and internal operations. Their data centres, network paths, identity systems, operational controls, and recovery architectures now sit inside the resilience profile of the financial sector.
That dependency creates concentration risk. Many regulated institutions rely on a small number of global providers, sometimes using the same regions, software stacks, and control-plane services. A major outage, cyber incident, configuration failure, or operational disruption at one provider can affect many institutions at once, even where each organisation has assessed its own supplier arrangements.
The Critical Third Party regime gives regulators a more direct line of sight into providers whose services have become shared infrastructure. Financial institutions remain responsible for their own outsourcing and operational resilience duties, but the regulatory model now recognises that some technology dependencies cannot be managed only at individual-company level.
The facility layer sits beneath that policy shift. Cloud resilience depends on data centre power, cooling, network diversity, maintenance, physical security, staffing, incident response, and regional redundancy. A cloud provider may sell abstract compute and storage, but continuity rests on whether the underlying infrastructure can withstand failure and recover cleanly.
Oversight reaches behind the service wrapper
UK and European regulators have been tightening expectations around operational resilience, incident reporting, third-party management, and cyber risk. Essential digital services are increasingly being treated like infrastructure rather than ordinary software procurement. The designation of major cloud providers underlines that direction.
The covered companies will have to show regulators how they manage risks across services that support financial-sector customers. That means closer scrutiny of availability, change management, incident response, testing, dependency mapping, cyber controls, and recovery arrangements. Some of those questions will land squarely on data centre operations, even if the regulation is framed around services rather than facilities.
The regime also arrives as AI increases reliance on cloud capacity. Financial institutions are using AI for fraud detection, risk modelling, compliance, customer service, software development, and internal analytics. Those workloads can deepen dependency on the same providers now being placed under direct oversight.
Cloud concentration will not disappear because of the designation. Large providers may even become more entrenched if they are better able to absorb the compliance burden than smaller competitors. The change does, however, make the dependency more visible and gives regulators a stronger route into examining resilience claims that were previously filtered through outsourcing contracts and firm-level risk assessments.
Financial-sector cloud resilience is now being treated as a system issue. The next test will be whether regulatory oversight can reach through the service wrapper into the physical, operational, and software layers that keep cloud platforms available during stress.

