The UK Treasury has designated Microsoft, Google, Amazon and Oracle as critical third parties for financial services, bringing their cloud operations under Bank of England and FCA oversight from July 13, 2026.

The UK Treasury has designated Microsoft, Google, Amazon and Oracle as critical third parties for financial services, bringing the four US cloud groups under direct oversight from the Bank of England and the Financial Conduct Authority.

The move is the first use of the UK’s critical-third-party regime to bring the dominant cloud providers used by banks, insurers and market infrastructure into the financial sector’s supervisory perimeter.

The new status takes effect on July 13, 2026.

Officials said the decision followed evidence gathering and engagement with the companies. The government has framed the designation as a response to the sector’s growing dependence on cloud infrastructure and the concentration risk created by reliance on a small number of providers.

What the designation changes

The regime gives UK regulators a way to oversee third parties that provide essential services to financial firms without taking over responsibility from the firms themselves.

In practice, the four providers are expected to face more robust disclosure requirements, including annual self-assessments and resilience scenario testing.

The Bank of England and the FCA will be able to monitor operational resilience more directly and press for clearer information about how cloud services support the financial system.

Financial firms will still remain responsible for managing their own third-party risk, even after the designations take effect.

Why the UK used the regime now

UK regulators gained the power to designate critical third parties in January 2025, but until now had not used it against the big cloud groups.

The designations follow long-running concern about concentration in cloud services. Banks, insurers and market infrastructure operators rely heavily on the same few providers for core technology functions, which means a failure at one major cloud company could affect multiple parts of the financial system at once.

That concern has also been sharpened by previous outages and broader pressure on ministers to use the new framework more aggressively.

A November 2025 Financial Times report said ministers were expected to make at least one designation under the regime and that MPs were pressing for action.

Which companies are covered

The four companies named are Microsoft, Google, Amazon and Oracle.

Together, they are the dominant US cloud providers used across the UK financial sector. The FT reported that the companies said they are committed to complying with the new requirements.

The designation marks the first concrete application of a framework designed to bring major technology suppliers inside the perimeter of financial-sector oversight.

Timeline and next steps

The public timeline shows the UK Treasury gaining the power to make these designations on January 1, 2025, before pressure built through late 2025 for the government to act.

On July 10, 2026, the Treasury designated Microsoft, Google, Amazon and Oracle as critical third parties.

The Guardian’s live coverage said the new status takes effect on July 13, 2026, giving regulators a short lead time before direct supervision begins.

Once the designation is active, the Bank of England and the FCA are expected to begin applying the oversight regime to the four providers, including the required self-assessments and resilience testing.

Why it matters for banks and markets

The move is aimed at reducing systemic risk in a financial sector that has become deeply dependent on cloud services.

A major outage at a large cloud provider can ripple quickly across multiple banks, insurers and market firms, creating a common point of failure rather than a single-company disruption.

That is why the designation matters beyond the technology sector itself. It creates a direct supervisory route for UK financial regulators into a layer of infrastructure that has become essential to day-to-day operations.

The UK has taken a narrower approach than the EU, which has already designated a broader group of IT providers under its own regime.

What to watch next

Market participants will be watching for any company-specific conditions, follow-up supervisory statements or technical expectations from the regulators.

The Treasury said the action followed evidence gathering and collaborative engagement with the third parties.

Further designations remain possible if the Treasury decides more providers are needed to protect resilience across the financial system.

Revision note

Initial automated publication.