BoE to oversee AWS, Google Cloud, Microsoft & Oracle
Mon, 13th Jul 2026 (Today)
The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will begin joint oversight of the first Critical Third Parties designated by HM Treasury, bringing four major technology providers into a new UK regulatory regime.
HM Treasury has designated Amazon Web Services, Google Cloud, Microsoft and Oracle as the first Critical Third Parties. The category covers providers whose services underpin parts of the UK financial system. The framework focuses on the resilience of the critical services they provide to financial firms rather than on authorising them as regulated financial companies.
Under the regime, the three regulators will jointly supervise providers and seek to identify system-level risks that could disrupt and spread across multiple firms or markets. The framework is intended to address the growing dependence of banks, insurers and other financial institutions on a small number of external technology suppliers.
The new powers apply where a designated provider's disruption or failure could affect large parts of the sector simultaneously. That risk has become more prominent as cloud computing and other outsourced technology services have become deeply embedded in financial operations.
First designations
The four companies named by HM Treasury are the EMEA or UK entities of Amazon Web Services, Google Cloud, Microsoft and Oracle. Their designation marks the first use of powers created under amendments to the Financial Services and Markets Act, which gave the Bank, the PRA and the FCA authority to oversee third-party suppliers judged critical to the sector.
The rules underpinning the regime were finalised in late 2024 and took effect at the start of 2025, applying to providers once they are formally designated by the Treasury. HM Treasury remains responsible for deciding which suppliers are brought into the framework and for any future removal of that status.
The regulators will periodically review whether designated providers continue to meet the criteria and may recommend future designations or de-designations to the Treasury. They also plan to assess the effectiveness of the oversight approach as the framework develops.
System risk
The authorities distinguished between the new regime and existing operational resilience and outsourcing rules that apply to banks and other regulated firms. Financial companies will still be responsible for their own due diligence, risk management and contingency planning for outsourced services.
Oversight of Critical Third Parties is intended to complement, not replace, the obligations already placed on firms that rely on external technology providers. Designated providers will be expected to identify and manage risks to critical services and to maintain timely communication with regulators and clients, especially during major incidents.
"As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability," said Sarah Breeden, Deputy Governor for Financial Stability at the Bank of England.
"By bringing critical third parties into the scope of oversight, we are ensuring that the infrastructure underpinning UK financial services is robust enough to support UK financial stability and confidence. This directly supports the PRA's objective to promote the safety and soundness of regulated firms," Katharine Braddick, Deputy Governor for Prudential Regulation and CEO of the PRA, said.
"Critical third parties provide essential services which support innovation and growth. At the same time, when the same providers serve thousands of firms, a single failure can reverberate across the financial system. Operationalising this regime strengthens our ability to tackle those risks and improve overall resilience, ensuring the UK remains a safe and attractive place to do business," said Nikhil Rathi, Chief Executive at the FCA.
Wider context
UK regulators have spent several years examining concentration risk in outsourced technology, particularly in cloud services, where a limited number of companies account for a large share of the market. The concern is not only whether an individual firm can withstand an outage, but whether many firms could be affected at once by the same incident or service breakdown.
The UK framework also sits alongside similar efforts in other jurisdictions to increase scrutiny of important technology suppliers to the financial sector. Regulators in the UK and the EU have already agreed on arrangements intended to support coordination and information sharing in the oversight of Critical Third Parties.
Designation does not mean the technology groups are being treated as banks, insurers or market infrastructure operators. Oversight is limited to the resilience of the services they provide to UK financial firms, to limit knock-on disruption across the wider financial system.
The first companies brought into the framework are Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK.