The UK Treasury will designate Microsoft, Google, Amazon and Oracle as critical third parties for financial services, bringing their cloud operations under direct oversight from 13 July. Regulators say the move is meant to reduce systemic risk if a major provider fails or suffers an outage.

Treasury moves on cloud concentration

The UK Treasury will designate Microsoft, Google, Amazon and Oracle as “critical third parties” for financial services, bringing their cloud operations under direct regulatory oversight from 13 July.

The move gives UK financial regulators a formal route to scrutinize technology suppliers that sit behind much of the banking, insurance and market infrastructure used in the country.

Officials said the aim is to reduce the risk that a major outage or failure at one cloud provider could spread across multiple firms at once and disrupt customer services.

Why regulators acted

The designation reflects a long-running concern about operational resilience and concentration risk in financial services. Banks and insurers increasingly depend on a small number of large cloud providers for services that are now critical to day-to-day operations.

That concentration creates a potential single point of failure. If a provider experiences an outage, a technical fault or another disruption, the impact could be felt across many institutions simultaneously.

A Financial Times report in November 2025 said Amazon, Google and Microsoft together accounted for about 73% of UK financial firms’ cloud needs, illustrating how concentrated the market had become before this announcement.

What the new status means

The designation does not make the four companies part of the regulated financial sector. Instead, it gives authorities a direct oversight tool aimed at the services those firms provide to the financial system.

Under the Financial Services and Markets Act 2023, regulators already had the power to recommend that a provider be designated as a critical third party. Until now, the government had not used that power.

The Treasury’s move is the first reported use of the regime and marks a more active approach to supervising major technology suppliers whose systems are deeply embedded in financial services.

Company and regulator response

The Guardian reported that all four US technology companies said they would comply with the new requirements.

The FCA and other UK financial regulators are expected to explain how supervision will work in practice once the designation takes effect. That could include conditions, testing requirements, reporting duties or other forms of scrutiny.

At this stage, the government has not publicly set out the full operational detail of the regime in the material reviewed for this story.

What happens next

The new status takes effect on 13 July, and more detail is expected on how the oversight framework will operate in practice.

The immediate questions are which firms were included in the first round of designations, what specific obligations the companies will face, and how regulators will apply the new powers.

The move could also set a precedent for tighter oversight of other technology vendors that support critical infrastructure in the UK financial system.

For banks, insurers and market operators, the practical effect is likely to be closer scrutiny of cloud dependency, continuity planning and incident response.

As the regime is rolled out, regulators will also be under pressure to show how the new framework reduces systemic risk without creating unnecessary friction for firms that rely on cloud services.

,

Revision note

Initial automated publication.