The UK Treasury has named Microsoft, Google, Amazon Web Services and Oracle as Critical Third Parties to the country's financial system, drawing the cloud platforms that carry much of British banking, insurance and payments traffic inside the direct oversight of the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority.
The designation, made under the policy framework set out in the FCA's Policy Statement PS24/16 and the Bank of England's parallel PS16/24, extends the regulator's reach past the bank that buys cloud capacity to the cloud provider that supplies it. Before November 2024, UK supervisors could pressure a high-street lender over a service outage, but the cloud contract behind that outage sat largely outside their reach. If a major UK bank, insurer or payments network relies on Microsoft, Google, Amazon Web Services or Oracle for core workloads, the regime now puts the provider inside the same supervisory ring as the financial firm it serves.
Economic Secretary to the Treasury and City Minister Rachel Blake framed the move as protecting the UK's status as a world-leading financial centre and maintaining trust in the system.
The Bank of England opened Consultation Paper CP26/23 on the regime in December 2023, and PS24/16 and PS16/24 locked in the supervisory approach in November 2024. HMT has now named the first four providers inside the perimeter. The regime is open-ended: more firms can be designated as resilience priorities evolve.
Law firm A&O Shearman, in its analysis of PS24/16, describes it as drawing a fresh supervisory ring around hyperscale cloud providers selling into UK financial services, with information-gathering powers, incident-reporting requirements and operational-resilience obligations applied to the providers themselves rather than only to their financial-sector customers. Industry body techUK, in its read of the policy statement, welcomed the clarity on scope and the materiality assessment but flagged that the cooperation expectations now reach beyond what most general-purpose cloud contracts currently specify, which means existing UK financial-sector cloud agreements will need updating.
That changes the standing of the cloud contract inside a UK bank or insurer. The supervisors can require the provider itself to share incident data, capacity-testing results and recovery-time evidence, and the provider becomes answerable to the BoE, PRA and FCA on those matters rather than leaving the financial firm to absorb the audit responsibility. The four named firms now carry that obligation. More providers can be added over time as resilience priorities evolve.
The regime applies only to services sold into UK regulated financial firms, not to the underlying software, data or markets of the providers themselves. None of the four named firms face new UK-only product rules on what they ship. They do, however, take on a standing obligation to engage with UK supervisors on the resilience arrangements underneath UK financial-services workloads.
A small group of non-UK hyperscalers carries a large share of UK financial-services compute, and the BoE, PRA and FCA now have a direct line of sight into their resilience arrangements without going through the bank or insurer on the other side of the contract. The design parallels the European Union's Digital Operational Resilience Act, which took similar aim at technology concentration in financial services.
The Treasury's announcement does not set operational thresholds or incident-reporting timelines; those will follow in supervisory statements from the FCA and the Bank of England. The watch item is whether direct engagement between UK supervisors and the four named clouds changes how those providers negotiate service-level commitments, audit rights and exit plans with UK financial-sector buyers.