The Bank of England and FCA can now stress test the four cloud giants underpinning UK banking, after 18 months of delay between the CTP regime becoming operational and the first firm level designations.
On Monday, the four cloud companies most UK banks depend on for day-to-day operations will sit inside Britain's financial-safety perimeter for the first time, answering directly to the Bank of England and the Financial Conduct Authority rather than only to their bank customers.
The change comes through the government's 10 July designation of Microsoft Ireland Operations, Google Cloud EMEA, Amazon Web Services EMEA and Oracle Corporation UK as "critical third-party providers" (CTPs) to the UK financial sector, with the new rules taking effect 13 July, according to The Guardian and a wire report citing the UK government statement. The four firms together underpin much of the UK's banking plumbing: data storage and processing for retail and wholesale banks, the automated fraud-detection systems that screen card and faster-payments traffic, and the digital banking front-ends customers use every day.
The legal hook is the Financial Services and Markets Act 2023, which gave regulators the power to name firms whose failure could threaten financial stability. The CTP regime became operational in January 2025, but the first firm-level designations did not arrive until this Friday, an 18-month delay that CryptoBriefing attributes to political sensitivity around courting US tech investment under the current government.
The new regime gives the BoE, the Prudential Regulation Authority and the FCA direct supervisory reach over the four named firms. Designated companies must run stress tests against severe scenarios, carry out regular self-assessments, and report major incidents (cyberattacks, power outages, natural-disaster events) to UK regulators, the Guardian reports.
The trigger was an outage that hit one of the four. On 19 October 2025, an AWS disruption in Northern Virginia cascaded into Lloyds Banking Group and roughly 2,000 other companies, according to Treasury committee figures reported by the Guardian. A separate Treasury dataset published in March 2025 found UK bank and building-society customers had lost the equivalent of 33 or more days to IT outages between 2023 and 2025. The pattern gave regulators the empirical case for treating cloud concentration as systemic risk rather than ordinary vendor risk.
The UK is not the first mover on this side of the Atlantic. In November 2025 the EU designated 19 cloud and digital services providers under its own critical-third-party framework, a broader list that included some of the same hyperscalers, the wire report notes. The narrower UK roster suggests a deliberate decision to focus oversight where exposure is heaviest rather than mirror Brussels firm-for-firm, and leaves open the question of whether the FCA and BoE will add names as crypto custody and retail brokerage stacks migrate further onto the same clouds.
What the regime does not do is break the cloud market open. Designated firms keep their bank customers; they just add a second set of supervisors running in parallel. The first real test will be whether a major outage inside one of the four named clouds produces a written incident report to Threadneedle Street within days, not a press release.