In a landmark move, the UK government has designated Microsoft, Google, Amazon, and Oracle as ‘critical third parties’ to its financial ecosystem, bringing them under direct regulatory scrutiny for the first time from July 13, 2026.

  • UK regulators will oversee critical cloud providers servicing finance.
  • More than 65% of UK firms rely on the same four US cloud giants.
  • New regime enables resilience testing and incident reporting.

What happened

The UK Treasury has named Microsoft Ireland Operations, Google Cloud EMEA, Amazon Web Services EMEA, and Oracle Corporation UK as ‘critical third parties’ that underpin the nation’s financial system. This is the first time these cloud providers have been formally recognized under a regulatory framework tailored to the financial services sector, becoming effective on July 13, 2026.

The designation is a consequence of the high concentration of reliance: over 65% of UK organizations depend on these four companies for their core infrastructure services. The status enables the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority to impose oversight measures such as resilience testing, mandatory self-assessments, and mandatory incident reporting focused specifically on services sold into finance.

Why it matters

The new critical status addresses a long-standing regulatory gap where banks were directly supervised but their critical technical suppliers were not. Given that a technical failure or outage at any one of these providers could simultaneously impact a large swath of financial institutions, the risk of systemic disruption is significant.

Cloud outages impacting payment and trading systems have happened before, underscoring the urgency for direct oversight. By treating these providers as critical infrastructure entities, UK regulators can better ensure the resilience and operational stability of the financial system, which is essential to protect millions of customers and the broader economy.

What to watch next

The UK will observe how well the new framework operates in practice, particularly regarding resilience testing and incident transparency. Stakeholders will also watch for potential regulatory actions taken against these cloud providers that could influence operational standards and contractual terms within the financial sector.

This move aligns with similar steps by the EU, which in 2025 designated certain cloud companies as critical under its Digital Operational Resilience Act, although Oracle was not included in the EU list. Industry and regulatory attention will focus on how the UK model evolves and whether it prompts other jurisdictions to expand oversight to key technology providers serving finance.

Source assisted: This briefing began from a discovered source item from The Next Web. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings