The UK Treasury has designated Microsoft, Google, Amazon and Oracle as critical third parties for financial services, bringing their cloud operations under direct oversight from UK regulators from 13 July 2026.

The UK Treasury has designated Microsoft, Google, Amazon and Oracle as “critical third parties” for financial services, bringing the cloud providers under direct oversight from UK financial regulators.

The move is aimed at the growing reliance of banks, insurers and financial market infrastructures on a small number of technology suppliers for core computing, storage and related cloud services. The new status is scheduled to take effect on 13 July 2026.

Officials said the decision reflects the system-wide risk created when many firms depend on the same providers. A failure at a major cloud company could affect multiple financial institutions at once, including customer-facing services.

The designation extends the UK’s financial-regulatory perimeter beyond banks and other regulated firms themselves and toward the infrastructure firms that support them. It is part of a broader effort to treat concentrated technology dependencies as a resilience issue, not just a procurement issue.

What the designation means

Under the UK framework, “critical third parties” are outside suppliers whose services are important to the stability of the financial system. The Treasury already had the power to designate them, and the move now brings the biggest cloud providers used by the sector into that regime.

The practical effect is expected to be more supervisory pressure, more disclosure and stronger resilience expectations around the services these companies provide to UK financial firms. The full detail of those requirements has not yet been published.

The Treasury said the companies were identified after a period of evidence gathering and engagement with the third parties.

Why regulators are acting

The policy follows years of concern about concentration risk in cloud computing. As more financial workloads move into the cloud, outages or operational failures at one provider can quickly spill across many institutions.

That risk has become more visible because cloud services are embedded across banks, insurers and market infrastructures. In practice, that means a single technical problem at a dominant supplier can become a broader financial-stability issue.

Financial Times reporting in November 2025 said Amazon, Google and Microsoft accounted for 73% of cloud computing services used by UK financial firms in a Bank of England and Financial Conduct Authority survey. That concentration has helped turn cloud resilience into a policy priority for regulators.

The FT also reported that ministers had already faced criticism for moving too slowly even after the legal framework to designate critical third parties was available.

The companies and the timeline

The four named firms are Microsoft, Google, Amazon and Oracle. Guardian reporting said all four companies said they are committed to complying with the new requirements.

The new status is due to take effect on 13 July 2026. Between now and then, regulators are expected to clarify how the regime will operate in practice and what obligations may apply first.

The announcement also leaves open whether additional cloud or technology providers will be added later. For now, the first step is to formally treat the current major providers as systemically important to the UK financial system.

What happens next

Several implementation questions remain unresolved. The Treasury has not yet published a detailed designation notice spelling out company-specific conditions, and it is still unclear what reporting duties, testing requirements or remediation obligations will come first.

The Bank of England and the Financial Conduct Authority may also set out immediate supervisory expectations once the designation is active. Those next steps would determine how quickly the new regime starts affecting both the cloud providers and the financial firms that rely on them.

The broader significance is that the UK is treating cloud infrastructure as part of the financial system’s critical backbone. That marks a shift in regulatory thinking: not just whether banks are resilient, but whether the technology layers beneath them are resilient too.

It also sets up a precedent that could be watched by other governments weighing how to regulate the concentration risk created by a small number of global cloud vendors.

Revision note

Initial automated publication.