Britain has taken a major step in how it polices the technology behind its financial system. HM Treasury has formally designated Microsoft, Google, Amazon, and Oracle as "critical third parties" to UK finance, bringing four of the world's largest cloud computing companies under direct regulatory supervision for the first time. The designation takes effect on Monday, July 13, and hands new oversight powers to the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA).

Why Cloud Concentration Became a Financial Stability Issue

The designation reflects mounting regulatory concern that too much of the UK's financial infrastructure now runs through too few technology vendors. Treasury's own review found that two-thirds of financial firms depend on services from this small group of cloud providers, creating a single point of failure risk across the sector.

The specific entities named in the designation are:

  • Microsoft Ireland Operations Limited
  • Google Cloud EMEA Limited
  • Amazon Web Services EMEA SARL and Amazon Web Services UK Limited
  • Oracle Cloud entities

The authority behind this move comes from the Financial Services and Markets Act 2023, which gave HM Treasury the power to designate third-party providers whose failure or disruption could ripple out to large numbers of consumers and firms, threatening the stability of the UK financial system as a whole.

What New Powers Regulators Actually Have

With the designation in place, the Bank of England, PRA, and FCA can now:

  • Set minimum resilience standards that these cloud providers must meet
  • Gather information directly from the providers
  • Conduct resilience testing on their systems
  • Take enforcement action, including — as a last resort — prohibiting a critical third party from providing services to UK financial firms

Importantly, this regime does not add new obligations on banks, insurers, or financial market infrastructures themselves. Those firms remain responsible for managing their own third-party risk. Instead, the new rules target the cloud providers directly, requiring them to meet operational resilience standards for any services that regulators consider systemic to the financial sector.

The Bank of England has framed the goal plainly: reduce the risk that a cyberattack or a technology outage at one of these providers could cascade into a broader financial system disruption.

How the Rules Came Together Over Several Years

This designation is the endpoint of a multi-year regulatory process rather than a sudden decision:

  1. A 2022 policy statement first laid the groundwork.
  2. The Financial Services and Markets Act 2023 codified Treasury's designation authority into law.
  3. In November 2024, the Bank of England, PRA, and FCA jointly published their final oversight rules.
  4. Those rules became legally effective in January 2025, though they could only be applied to specific companies once Treasury issued formal designation orders — which it has now done.

A Global Bellwether for Cloud Regulation

By formally bringing cloud providers into direct financial regulation, the UK becomes one of the first major jurisdictions to do so. Given how similar concentration risks exist in financial systems around the world, this framework could become a reference point for regulators in other countries considering comparable oversight of Big Tech's role in critical infrastructure.