As of 2026-07-14 12:35 UTC, the United Kingdom's first Critical Third Party regime is live. Since July 13, Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited have been directly overseen by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority for the systemic services they provide to UK finance.[1][2][3]
That sentence contains two boundaries that the headline can easily erase. The designations attach to four named legal entities, not every company carrying those brands. And the oversight concerns services whose disruption could threaten confidence in or the stability of the UK financial system—not the providers' entire global businesses.[1][2]
The practical change is still substantial. A cloud failure can hit many banks, insurers, payment firms or market infrastructures at once, while each customer sees only its own contract and architecture. The new regime gives the three regulators a direct route into the shared provider: they can require information, examine resilience, test severe scenarios and intervene when a systemic service is not being managed safely. It does not transfer a financial firm's responsibility for due diligence, contingency planning or recovery to either the provider or the regulator.[3][4]
Image context: the cover is a real photograph of a Docklands Light Railway train moving across Canary Wharf, made by Vuk Valcic for Sopa Images. The Guardian used it with reporting on these exact designations. Its value is documentary rather than literal: it locates the story in London's financial district while the article, not a symbolic cloud graphic, carries the analysis.[7]
What Changed, And What Has Not
| Record | What it establishes | Confidence boundary |
|---|---|---|
| Statutory instrument made July 8, effective July 13 | The four named entities are legally designated Critical Third Parties throughout the UK.[2] | High. The two-rule instrument names entities and commencement; it does not publish a service-by-service map. |
| HM Treasury announcement, July 10 | Oversight is limited to systemic services supplied to finance; more providers can be designated later; firms remain responsible for supplier risk.[1] | High on the government's intended scope. It is not evidence that any provider is failure-proof. |
| Joint regulator announcement, July 10 | The Bank, PRA and FCA began joint oversight on July 13. The rules prepared in 2024 apply immediately upon designation.[3] | High on legal and supervisory status. Early oversight outcomes are not yet public. |
| Joint policy statement, November 2024 | The regime includes risk, cyber, mapping, incident, testing, self-assessment and enforcement machinery.[4] | High on the rulebook. How forcefully the tools work will depend on implementation and real incidents. |
| FCA reporting update, March 2026 | More than 40% of cyber incidents reported to the FCA in 2025 involved a third party; a broader firm-level reporting regime starts in March 2027.[6] | High for the FCA's reported share. It describes reported incidents, not the probability that any one cloud provider will fail. |
The timing explains why this is more than a new label. Parliament created the designation and oversight powers in the Financial Services and Markets Act 2023. The regulators finalized their common policy in November 2024, and those rules took effect on January 1, 2025—but they had nobody to supervise under them until Treasury named the first providers.[3][4]
Treasury's designation process is deliberately narrower than ordinary vendor classification. It starts from a financial-stability test, usually informed by regulator recommendations, then gives the provider notice and an opportunity to make representations before a statutory instrument is made. Treasury can later add or de-designate providers as dependencies change.[2][5] The July instrument therefore starts supervision; it is not a procurement endorsement, a ranking of the four providers, or a declaration that every service they sell is systemic.
One Outage, Three Layers Of Accountability
The easiest way to read the regime is as three layers that must work at the same time.
1. Providers must explain the shared machinery
For each systemic third-party service, the rules cover governance, risk management, dependency and supply-chain management, technology and cyber resilience, change management, mapping, incident management and termination. A designated provider must deliver an interim self-assessment within three months of designation and annual assessments after that. It must test severe but plausible disruption, exercise incident response with representative financial firms, report operational incidents in phases and communicate with customers that rely on the affected service.[4]
This is the core visibility gain. One bank may know that its fraud engine uses a cloud database; another may know that its mobile app depends on the same region; a market utility may know that a connected supplier relies on a common identity service. The provider and regulators are better placed to see whether those apparently separate arrangements converge on one control plane, update process, network dependency or key subcontractor.
The rules do not require the public disclosure of every sensitive dependency. Nor should a customer expect unrestricted access to a provider's internal security material. The useful outcome is a supervised, comparable account of which systemic services matter, how long they can be disrupted, what their hidden dependencies are and how provider and customer response plans join during a real event.[4]
2. Regulators can act at the system level
Before designation, regulators could set expectations for the financial firms they already supervised and reconstruct shared exposure from those firms' reports. They could not apply this purpose-built regime directly to a cloud company. They now have rulemaking, information-gathering, investigatory, skilled-person, direction and enforcement powers in connection with the designated services.[4]
That does not mean a regulator will operate a cloud recovery or choose a bank's architecture during an outage. It means the same authorities responsible for financial stability can examine the common node, challenge its testing assumptions and coordinate information when several firms are affected together. Independent reporting has already supplied the consumer-facing reason for doing so: cloud platforms support data storage, automated fraud detection and digital banking, and a distant service failure can disrupt firms far beyond the original data centre.[7]
3. Financial firms keep the customer-facing risk
The most important sentence in the regulator announcement is also the least glamorous: designation “complements, but does not replace” firms' existing obligations.[3] A CTP label is not a resilience certificate. It does not prove that a particular service fits a firm's impact tolerances, that a multi-region design is independent, that backups can be restored, or that an exit plan can work before customers suffer intolerable harm.
This division of responsibility is logical. Regulators can supervise the systemic provider, but only a bank or insurer knows which business service depends on which cloud component, what happens when it stops and what manual or alternate path can preserve payments, claims, trading or customer access. The customer still owns architecture, contractual safeguards, concentration decisions, business continuity and communications.
The FCA's separate reporting rules make the two halves easier to connect. From March 18, 2027, firms in scope must notify new or materially changed material third-party arrangements and submit an annual register. The FCA says that data will help identify common exposures and potential future CTPs.[6] Firms should use the implementation runway to build one dependency record that can serve procurement, resilience testing, incident reporting and the regulatory register—not four incompatible inventories.
Who Should Do What Next
Next 24 hours: regulated firms should match contracts and accounts to the exact designated legal entities, then identify the business owner, important business service, cloud service, region, identity layer, data path and incident contact behind each match. A brand-level search is insufficient: a contract with another group entity may sit outside the four names, while a systemic service can depend on connected entities or subcontractors that still matter operationally.[2][4]
Next 7 days: risk, technology, procurement and operations teams should run one tabletop exercise in which a designated service fails across several institutions at once. Test customer communications, reconciliation, manual workarounds, privileged access, provider status information and decision rights—not merely whether engineers can open a support ticket. Compare the firm's maximum tolerable disruption with the provider assumptions documented in contracts and assurance material.[3][4]
Next 30 days: firms should reconcile CTP mapping with preparations for the FCA's 2027 material-third-party register. Gaps worth escalating are services without a named owner, exits that require the failed provider, “multi-cloud” designs sharing one identity or network dependency, and contracts whose incident information arrives too late for the firm's own reporting clock.[4][6]
Consumers do not need to change providers because of the designation. The relevant public signal is whether banks and payment firms can maintain or restore important services during disruption and explain what is happening. The CTP regime is upstream infrastructure supervision; it does not replace firms' customer-service and redress duties.
Three Paths From Here
Base case — oversight becomes a demanding evidence cycle. The four providers map systemic services, submit interim self-assessments within three months, align incident channels and begin regulator-led testing. Financial firms use the resulting information without relaxing their own controls. The trigger is visible implementation: scoped service notices, coordinated exercises and assurance material that customers can actually use.[3][4]
Upside case — the regime exposes common failure paths before the next outage. Joint exercises reveal a shared identity, network, update or subcontractor dependency that bilateral vendor reviews missed; providers and firms then remove a bottleneck or build a workable recovery path. The trigger is a test that changes architecture, response sequencing or an impact tolerance rather than ending as a compliance presentation.
Downside case — designation creates false reassurance. Procurement teams treat the CTP label as approval, firms keep untested exits, and a major incident reveals that several “independent” services share the same failure path. The trigger is evidence that firms have reduced due diligence, accepted generic resilience claims, or discovered during an event that provider and customer recovery assumptions conflict.[3][4]
Action Checklist
- Confirm whether each contract is with one of the four designated legal entities; do not substitute a logo for the legal counterparty.[2]
- Mark which supplied services support important business services and which are merely convenient; oversight is scoped, not blanket.[1][3]
- Keep firm-owned impact tolerances, backups, workarounds, incident communications and exit tests active after designation.[3][4]
- Connect CTP dependency work to the March 2027 material-third-party reporting build so the same service is not described differently across teams.[6]
- Monitor Treasury and regulator pages for new designations, de-designations, service-scope guidance and enforcement signals.[1][3][5]
- Treat a real outage as the decisive test: measure propagation, customer harm, information latency and recovery against the assumptions used in exercises.
The explainer's central interpretation should be revised if the designation regulations are suspended or materially amended, a provider is de-designated, or regulators publish guidance that sharply narrows the services in scope. It would also fail in practice if direct provider oversight produces no better system-level visibility while financial firms weaken their own controls. For now, the sound reading is deliberately double-sided: the UK can supervise the common cloud node directly, and every regulated firm still owns what happens when that node disappears.
Sources
- HM Treasury, “UK financial system strengthened with new safeguards for major technology providers” (10 July 2026) — first designations, scope, rolling-regime policy and the continuing responsibility of financial firms.
- UK Statutory Instrument 2026 No. 777, The Critical Third Parties (Designation) Regulations 2026 — exact designated entities, legal test, territorial extent and 13 July commencement.
- Bank of England, PRA and FCA, “UK financial regulators to begin overseeing Critical Third Parties announced by HM Treasury” (10 July 2026) — joint oversight, immediate application of the rules, scope limits and firm-accountability boundary.
- Bank of England, PRA and FCA, PS16/24 — Operational resilience: Critical third parties to the UK financial sector (12 November 2024) — final rules, service mapping, testing, self-assessment, incident reporting and supervisory powers.
- HM Treasury, Critical Third Parties — HM Treasury's Approach to Designation (21 March 2024) — recommendation, notice, representation, designation and de-designation process.
- Financial Conduct Authority, “FCA confirms new incident and third party rules to bolster resilience” (18 March 2026) — 2025 incident signal, common reporting design and the March 2027 implementation date for firms.
- Kalyeena Makortoff and Dan Milmo, The Guardian, “Bank of England handed powers to regulate key tech firms including Amazon and Google” (10 July 2026) — independent event reporting, operational context and source page for Vuk Valcic's Canary Wharf photograph.