Treasury Names Four Cloud Firms Critical to UK Finance
According to the statutory instrument published on legislation.gov.uk, the Treasury made the Critical Third Parties (Designation) Regulations 2026 on 8 July 2026, with the rules due to come into force on 13 July 2026. The measure names four firms: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited. That may sound like a dry legal update, but it tells you something important about how modern finance works. Banks are not only regulated through the firms you recognise on the high street. The systems behind them matter too.
In plain English, a "critical third party" is an outside supplier whose services are so important that a serious outage or disruption could damage trust in the financial system or make it less stable. The Treasury says exactly that in these regulations: a failure in services provided by the designated firms could threaten the stability of, or confidence in, the UK financial system. If you are wondering why that matters, think about how much finance now depends on digital services that most of us never see. The public face may be a bank, insurer or payments firm, but the hidden machinery often sits elsewhere.
The big teaching point here is concentration. These four companies are major cloud and technology providers. When many financial firms rely on a small group of suppliers, the risk is not only that one company has a bad day. The bigger worry is that a single disruption can spread across several firms at once because they depend on the same provider. That is why cloud concentration matters in finance. A resilience problem at a supplier can become a wider problem for the system, not just a private business issue. The Treasury is effectively saying that these providers sit close enough to the plumbing of finance that their reliability has become a public concern.
The legal route matters as well. The Treasury says it is acting under section 312L(1) of the Financial Services and Markets Act 2000, a power inserted by the Financial Services and Markets Act 2023. Before making the regulations, it says it consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England. The firms themselves were also given written notice and a chance to make representations before the designation was finalised. That matters because it shows this was not a snap decision. The Treasury had to follow a process, weigh the evidence and consider what the financial watchdogs thought.
What these regulations clearly do is narrow but important: they formally place the four named firms into the UK's critical third party regime from 13 July 2026, and the rules extend across England and Wales, Scotland and Northern Ireland. The explanatory note does not set out a long list of new duties in this instrument itself. Its job here is to make the designation official. The note also says no full impact assessment was produced because no significant impact on the private, voluntary or public sector was foreseen. Read carefully, that does not mean the issue is unimportant. It means this instrument is being presented as a focused regulatory step rather than a broad policy shake-up on its own.
The wider lesson is worth keeping. Finance now depends on companies most people never think about when they hear the words banking regulation. That is changing. Regulators are paying more attention to operational resilience, which is really about whether essential services keep working when something goes wrong. So if you are trying to make sense of this measure, the simplest reading is this: the Treasury has decided that four major cloud suppliers are important enough to the running and credibility of UK finance that they cannot be treated as ordinary background contractors. In a digital economy, the back-room tech has become part of the public story.