Starting July 13, 2026, Microsoft, Google, Amazon Web Services, and Oracle have been designated as critical third parties by UK regulators overseeing the financial sector. This unprecedented move introduces direct regulatory oversight of these cloud providers to reduce systemic risks in banking and payments infrastructure. Meanwhile, India retains its indirect regulatory model, placing the onus on financial firms to manage cloud outsourcing risks internally.

  • UK regulators now directly supervise key cloud providers supporting financial firms.
  • Regime aims to prevent sector-wide outages or cyberattacks linked to cloud dependency.
  • India continues indirect oversight, holding banks accountable for managing cloud risks.

What happened

On July 13, 2026, the UK government designated Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL, and Oracle Corporation UK Ltd as 'critical third parties' to the financial sector under the Financial Services and Markets Act 2023. This designation makes these companies subject to direct regulatory supervision by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). The aim is to mitigate the systemic risks posed by the heavy reliance of British banks, insurers, and financial market infrastructures on a few cloud service providers.

From this date forward, these cloud providers must comply with regulatory requirements on operational incident identification, management, and recovery affecting UK financial services. Regulators gain powers to request information, conduct self-assessment reviews, and impose disciplinary actions for non-compliance. The move reflects concerns about potential widespread service disruptions due to outages or cyberattacks impacting multiple financial firms using the same cloud providers.

Why it matters

The concentration of core financial infrastructure on a small number of global cloud providers creates a single point of failure risk, which regulators in the UK have taken a proactive approach to address by extending regulatory reach directly to these providers. This novel regulatory model aims to enhance the resilience and stability of the financial sector by ensuring cloud suppliers adhere to strict operational standards and by providing regulators oversight tools to assess systemic risks.

In contrast, India continues its longstanding regulatory philosophy where responsibility for operational resilience and cybersecurity remains primarily with the regulated financial institutions themselves. The Reserve Bank of India’s Master Direction on Outsourcing of IT Services includes cloud computing under its regulatory umbrella, compelling banks and other entities to conduct comprehensive due diligence and maintain controls over cloud outsourcing arrangements. This preserves direct accountability within financial firms rather than imposing compliance obligations directly on cloud providers.

What to watch next

UK regulators have indicated that additional cloud and technology providers may be designated as critical third parties as they continue identifying systemically important service providers in the financial sector. Observers will watch how effective this direct oversight approach is in mitigating risks and whether it influences other jurisdictions.

Meanwhile, stakeholders in India and other jurisdictions with indirect cloud oversight models will monitor the UK’s experience closely. The balance of direct versus indirect regulatory responsibility in cloud supervision may evolve, especially as global reliance on cloud infrastructure grows. Financial institutions and cloud providers alike should anticipate potential shifts toward expanded regulatory scrutiny and enhanced resilience requirements.

Source assisted: This briefing began from a discovered source item from MediaNama. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings