UK Critical Third Parties Regulations 2026 Name Four Cloud Firms

If you use online banking, you probably never see the cloud companies working in the background. On Monday 13 July 2026, that background infrastructure moved into plain view. According to legislation.gov.uk, the UK government has formally designated Amazon Web Services, Google Cloud, Microsoft and Oracle as "critical third parties" under financial services law. The legal change comes through the Critical Third Parties (Designation) Regulations 2026, made by the Treasury on 8 July 2026 and in force from 13 July 2026. This is one of those short legal notices that tells a much bigger story: some technology suppliers are now so important to finance that a serious outage could become a public problem, not just a private IT issue.

If the phrase feels opaque, you are not alone. A critical third party is not a bank, insurer or payments firm. It is an outside company providing services to those firms, where a failure or disruption could, in the Treasury's words, threaten "the stability of, or confidence in, the UK financial system". **What this means:** the government is saying these companies matter because so many financial services depend on them at once. When lots of firms rely on the same supplier, one breakdown can spread much further than a single company.

Cloud firms matter because modern finance runs on remote computing power, data storage and software tools that sit behind the apps and websites you use every day. Banks can use cloud services to store information, run internal systems, support fraud checks, test software and keep digital services available around the clock. That does not mean every bank uses the same setup, or that cloud use is automatically unsafe. It does mean concentration matters. If a small number of providers support large parts of the market, resilience stops being just a tech question and becomes a question about financial stability.

The Regulations name four companies, using their full legal titles: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited. All four designations take effect from 13 July 2026. For readers, that list tells you something important. The UK is not treating cloud dependency as a distant possibility. It is recognising it as a present fact, and it is doing so across the whole UK, because the Regulations extend to England and Wales, Scotland and Northern Ireland.

The process matters too. According to the text published on legislation.gov.uk, the Treasury did not act alone. It says it consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England before making the Regulations. The Treasury also says it gave written notice to the firms it planned to designate and allowed them a reasonable period to make written representations. That is a useful reminder that even highly technical financial regulation is still meant to follow a process: consultation, notice and a chance to respond.

So what actually changes today? The main change in this instrument is designation. These Regulations do not read like a consumer guide or a long rulebook for day-to-day users. Instead, they formally place the four named firms inside the UK's critical third party regime, using powers added to the Financial Services and Markets Act 2000 by the Financial Services and Markets Act 2023. **What it means:** this is less about accusing named firms of wrongdoing and more about admitting how much public trust now rests on private digital infrastructure. The government is saying, in effect, that if these services fail badly enough, the consequences could reach far beyond one contract or one company.

One small line in the document is worth pausing over. The explanatory note says no full impact assessment was produced because no, or no significant, impact on the private, voluntary or public sector is foreseen. That should not be read as "this does not matter". It is better read as a sign that the Regulations themselves are short and targeted. The bigger significance is what they recognise: some outside suppliers have become important enough to be treated as a financial stability issue.

For students, teachers and anyone trying to make sense of the news, this is a useful example of how regulation follows technology. We sometimes picture banking as branches, cash machines and customer apps. In 2026, it also depends on servers, software and outsourced computing that most people never see. If you want the shortest takeaway, it is this. On 13 July 2026, the UK formally named four major cloud providers as critical to the financial system. You may never log in to AWS, Google Cloud, Microsoft or Oracle yourself, but if their services go wrong, the effects can travel all the way to the bank account in your pocket.

← Back to Stories