The UK has designated Microsoft, Google, Amazon and Oracle as critical third parties for financial services, bringing their cloud operations under direct oversight from the Bank of England and the FCA starting July 13.
The UK has designated Microsoft, Google, Amazon and Oracle as critical third parties for the financial sector, bringing their cloud and technology services under direct oversight from the Bank of England and the Financial Conduct Authority.
The regime takes effect on July 13, 2026. It marks a significant expansion of regulatory reach over the infrastructure that supports banks, insurers and financial market firms across the UK.
Officials say the move is meant to reduce systemic risk. The government argues that financial firms are increasingly dependent on a small number of cloud providers, so a major outage or cyber incident at one supplier could affect many institutions at once.
What the UK is doing
The designation gives the Bank of England and the FCA powers to supervise the cloud services that are central to parts of the financial system. Reported tools include resilience testing, incident reporting and other disclosure requirements for services judged to be systemically important.
The Treasury has described the approach as targeted and proportionate. The policy applies to four US technology groups whose cloud infrastructure is widely used by UK financial firms: Microsoft, Google, Amazon Web Services and Oracle.
The UK already had legal powers to classify essential service providers as critical third parties, but had not previously used them for these major cloud firms. The new move turns that dormant authority into an active supervisory framework.
Why regulators moved now
The decision reflects long-running concern about concentration risk in cloud computing. A relatively small number of providers now support critical parts of financial operations, which leaves the system exposed if one supplier suffers an outage, technical failure or security breach.
That exposure is not limited to a single bank or insurer. Regulators are focused on the possibility that one cloud failure could disrupt several financial firms simultaneously, creating a wider stability problem.
The policy also fits into a broader UK push on operational resilience in financial services. The underlying idea is that the cloud layer has become too important to be treated as ordinary outsourced technology when it underpins core market infrastructure.
Chronology and reporting
The Financial Times first reported the move at 14:02 UTC on July 10, 2026. The Guardian later reported at 14:37 UTC that the Bank of England and the FCA would directly oversee the firms from next week.
Coverage also said the new status takes effect on July 13 after evidence gathering and engagement. That makes the change immediate rather than hypothetical: the legal framework already existed, and the government has now chosen to use it.
Reports said the Treasury may add more firms later, suggesting the four companies named on Friday may not be the last to come under the regime.
Company and policy response
The four companies were reported to have welcomed or accepted the framework in statements issued alongside the announcement. No public dispute was described in the coverage, but the change still creates a more formal relationship between major US cloud groups and UK financial regulators.
For the Bank of England and the FCA, the challenge will be turning the new authority into practical supervision. The first questions are what resilience standards they will impose, how frequently firms will be tested and how aggressively incidents will have to be reported.
The Treasury now sits at the center of a new model for overseeing foreign technology providers that are deeply embedded in the UK financial system.
Broader implications
The decision sets a precedent for how far regulators can reach into the technology stack behind finance. It shows that cloud providers can be treated as systemically important when their services are integral to market continuity.
It also raises the possibility that similar oversight could be extended to other critical technology suppliers if their services become equally central to financial stability. Background coverage says the UK approach is narrower than the EU's broader third-party oversight regime, but it still represents a notable escalation for Britain.
The immediate focus now shifts to July 13, when the regime starts. After that, markets will be watching for the first supervisory requirements, any company responses to them and whether the Treasury expands the list of firms under the same framework.
Revision note
Initial automated publication.
