HM Treasury has designated Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL and Oracle Corporation UK Limited as Critical Third Parties under the Financial Services and Markets Act 2023 from 13 July 2026.
Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL and Oracle Corporation UK Limited will enter the new regulatory regime. The designations follow evidence gathering and consultation involving the companies and UK financial regulators.
Banks, insurers and financial market infrastructures increasingly use shared cloud services to operate customer-facing and internal systems. Disruption affecting a major supplier could therefore interrupt services across several financial firms at the same time.
The designation creates the first group of Critical Third Parties under the UK’s Financial Services and Markets Act 2023, establishing a framework for direct oversight of systemic technology providers supporting the financial sector.
Microsoft, Google Cloud, AWS and Oracle Designated
The four companies have been selected because they provide services whose disruption could affect the stability of, or confidence in, the UK financial system. HM Treasury made the decisions after consulting the providers, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority.
- Microsoft: Microsoft Ireland Operations Limited will enter the regime.
- Google Cloud: Google Cloud EMEA Limited will be designated.
- Amazon Web Services: Amazon Web Services EMEA SARL will be covered.
- Oracle: Oracle Corporation UK Limited will come under oversight.
Designated Critical Third Parties
| Provider | Designated Entity | Start Date |
|---|---|---|
| Microsoft | Microsoft Ireland Operations Limited | 13 July 2026 |
| Google Cloud | Google Cloud EMEA Limited | 13 July 2026 |
| AWS | Amazon Web Services EMEA SARL | 13 July 2026 |
| Oracle | Oracle Corporation UK Limited | 13 July 2026 |
Why Cloud Services Present Systemic Risks
Financial institutions may rely on the same cloud provider for data processing, digital platforms and other operational services. A failure at one widely used supplier could consequently affect several institutions and their customers simultaneously.
The regime focuses on services whose interruption could create wider consequences rather than an isolated problem for one company. It is intended to improve the ability of regulators and providers to identify shared risks before they result in widespread disruption.
Direct Regulatory Oversight
The Bank of England, Prudential Regulation Authority and Financial Conduct Authority will jointly oversee the designated services. They will be able to obtain information, examine operational resilience and work with providers when weaknesses or continuity risks are identified.
- Information gathering: Regulators may request evidence about services supplied to financial firms.
- Resilience assessment: Providers’ arrangements for preventing and managing disruption may be examined.
- Remedial action: Regulators may require risks affecting service continuity to be addressed.
- Specific rules: Requirements may be created and enforced for an individual designated provider.
Regulatory Oversight Responsibilities
| Authority | Role | Coverage |
|---|---|---|
| Bank of England | Joint oversight | Financial stability |
| Prudential Regulation Authority | Joint oversight | Regulated financial firms |
| Financial Conduct Authority | Joint oversight | Financial services markets |
Critical Third Party Regulatory Regime
Regulatory oversight will apply only to services supplied by the designated companies that are considered systemic to the financial sector. It will not extend automatically to every product, customer or wider business operation belonging to those providers.
Banks and other financial firms will continue to be responsible for managing risks arising from their suppliers. The designation of a provider does not transfer that responsibility to HM Treasury or the financial regulators.
Resilience and Recovery Requirements
Designated providers will be expected to maintain arrangements for identifying, managing and recovering from disruption affecting covered services. Regulators will assess whether those arrangements are sufficient to support continuity across the financial sector.
The authorities may cooperate with providers to address weaknesses and improve recovery planning. Where necessary, they may introduce and enforce requirements tailored to the risks associated with a particular company or service.
Future Critical Third Party Designations
The Critical Third Parties regime was established through the Financial Services and Markets Act 2023. HM Treasury said designation decisions would continue to follow a targeted, proportionate and risk-based process.
There is no statutory limit on the number of providers that may enter the regime. Further companies may be designated when disruption to their services is assessed as presenting a risk to UK financial stability or public confidence in the financial system.
Stakeholder Comments
Ministerial Comments
Rachel Blake MP, Economic Secretary to the Treasury and City Minister said;
“We are a world-leading financial centre, and maintaining trust in our financial system is essential to its success.
These designations will help ensure the critical services financial firms rely on remain resilient, protecting consumers and businesses while supporting growth across the economy.”
Freddy Dezeure, Deputy Chief Information Security Officer for Europe at Microsoft said;
“The designation of Microsoft Ireland Operations Limited as a critical third party marks a new chapter in this relationship, and Microsoft remains fully committed to complying with the relevant oversight requirements and the UK’s cybersecurity and resilience laws.”
Michael Jefferson, Head of Financial Services Public Policy EMEA at AWS said;
“AWS supports the objectives of the UK Authorities to ensure a robust UK financial system. AWS will comply with all applicable regulations, and we remain committed to helping customers to meet their business and operational resilience objectives.”
Kevin Kimber, Senior Vice President and General Manager UK&I at Oracle said;
“Oracle supports the UK Government’s important objective of enhancing the operational resilience of the UK financial sector. We are committed to working closely with the regulators and our financial services customers toward that objective.”
The designation of Microsoft, Google Cloud, AWS and Oracle establishes the UK’s first Critical Third Party oversight regime for systemic cloud services supporting financial institutions. HM Treasury said additional providers may be designated in future where disruption could threaten financial stability or confidence in UK financial markets.
Sources: HM Treasury, Rachel Blake MP, Bank of England; Prudential Regulation Authority; Financial Conduct Authority; Financial Services and Markets Act 2023.
Prepared by Ivan Alexander Golden, Founder of THX News, an independent news organisation delivering timely insights from global official sources. Combines AI-analysed research with human-edited accuracy and context.





