UK Designates Four Cloud Firms as Critical to Finance
This is one of those legal notices that looks dry on the page but tells a much bigger story. From Monday 13 July 2026, the UK will start treating four major cloud and technology providers as critical third parties to finance: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited. The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority say they will begin joint oversight of these providers from that date. (bankofengland.co.uk) If you use online banking, card payments, insurance apps or trading platforms, this matters to you even if you never see these companies. The Bank says many financial firms rely on the same digital suppliers, so a serious outage at one provider could affect several firms or markets at once and hit services used by millions of people and businesses. (bankofengland.co.uk)
To understand the change, it helps to start with the legal form. This is a statutory instrument, which UK Parliament describes as the most common form of secondary legislation. In plain English, that means ministers are not passing a whole new Act of Parliament here; they are using powers already given to them by an earlier Act to make a more specific rule. (parliament.uk) That earlier Act is the Financial Services and Markets Act 2023, which inserted the critical third party regime into the Financial Services and Markets Act 2000. The explanatory notes say HM Treasury can designate a provider as critical where disruption to its services could pose a risk to UK financial stability or confidence, and that designation was meant to be done through secondary legislation because the list of providers may change over time. (legislation.gov.uk)
The phrase critical third party can sound alarming, so it is worth slowing down here. It does not mean a company has done something wrong. It means the provider sits outside the financial sector itself, but supplies services that are important enough to become a system-wide risk if they fail. The Bank describes CTPs as technology and service providers whose services are important to UK financial stability, while the 2023 Act’s explanatory notes say ministers can look at how material those services are and how many, and what kinds of, firms use them. (bankofengland.co.uk) There is another distinction we should keep clear. Designation is not the same as authorisation. These companies are not suddenly being treated as banks or insurers. Instead, the oversight is limited to the resilience of the critical services they provide to regulated firms and financial market infrastructures. (bankofengland.co.uk)
So why these firms? The official answer is concentration. The Bank says the financial sector increasingly depends on a small number of third-party providers, and that failure or disruption at one of them can become a single point of failure across several firms at the same time. HM Treasury’s own announcement makes the same point in more everyday language: as banks, insurers and market infrastructures rely more heavily on cloud services, trouble at a major supplier could spread quickly into the services customers depend on. (bankofengland.co.uk) That is why the first designations are all large cloud or technology providers rather than ordinary back-office contractors. When we strip away the legal wording, the state is recognising that finance now runs on shared digital infrastructure such as computing power, storage and software services. That final sentence is an inference, but it closely follows the regulators’ published explanation of system-wide risk from shared providers. (bankofengland.co.uk)
What changes on 13 July 2026 is not that banks can stop worrying about outsourcing. It is that the providers themselves move into direct oversight. The Bank, PRA and FCA say this is a joint, proportionate regime focused on the resilience of the critical services these providers give to the UK financial sector, and their published oversight approach describes the regime as outcomes-focused and proportionate. (bankofengland.co.uk) That oversight is more concrete than it first sounds. The regulators’ policy statement says CTPs face operational risk and resilience requirements covering areas such as governance, dependency and supply-chain risk, technology and cyber resilience, mapping, incident management and the orderly termination of services. The same official material says CTPs must identify and manage risks to their critical services and keep regulators, and the firms that rely on them, informed especially during major incidents. (bankofengland.co.uk)
There is a second lesson here that is easy to miss. This new regime complements existing outsourcing and operational resilience rules; it does not replace them. In other words, a bank cannot point at AWS or Microsoft and say the regulator is watching them now, so our job is finished. The Bank has been explicit that regulated firms remain responsible for due diligence, risk management and contingency planning in their own third-party arrangements. (bankofengland.co.uk) That shared responsibility matters. In its wider outsourcing guidance, the Bank says firms still carry responsibility for their data, configuration and legal obligations in the cloud, while providers run the underlying cloud service. For readers new to the topic, that is the key teaching point: digital resilience in finance is not just about one giant tech company staying online, but about how firms, regulators and suppliers prepare for disruption together. (bankofengland.co.uk)
If you are teaching this story, the cleanest takeaway is that a tiny piece of secondary legislation is doing a very modern job. Twenty years ago, a finance explainer might have stopped at banks, insurers and markets. In 2026, the same story also has to include the cloud companies helping those firms stay online, process data and recover from incidents. That shift comes directly from the legal framework created by the Financial Services and Markets Act 2023 and now put into effect for the first designated providers. (legislation.gov.uk) So this is not really just a list of four company names. It is the UK making a clear statement that cloud providers can be systemically important to everyday money life, from payments to savings to insurance. The regulations take effect on 13 July 2026, marking the start of direct oversight of the first critical third parties named by HM Treasury. (bankofengland.co.uk)