UK declares Microsoft, Google, Amazon and Oracle critical to the financial system
Cloud giants to be supervised by the Prudential Regulation Authority and the FCA
July 13, 2026 · 4 min read
TL;DR: The UK has declared Microsoft, Google, Amazon and Oracle as 'critical third parties' for its financial system, subjecting them to direct supervision by the Bank of England and the FCA. The move aims to mitigate systemic risks from cloud service concentration.
What happened?
The UK Treasury has formally designated Microsoft, Google, Amazon and Oracle as 'critical third parties' for the UK financial system, according to Reuters and reported by The Next Web. The designation, effective July 13, means these cloud service providers will be subject to direct supervision by the Bank of England's Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). The move responds to the growing reliance of British banks and other financial institutions on a handful of cloud providers. The Treasury estimates that two-thirds of UK companies depend on these same services, creating a concentration of systemic risk. This is not an isolated decision: it follows similar regulations in the European Union, such as the Digital Operational Resilience Act (DORA), which took effect in January 2023 and also designates critical ICT service providers. Additionally, countries like Australia and Singapore have begun evaluating regulatory frameworks for digital operational resilience in the financial sector.
Why is this important?
The concentration of critical services in the hands of a few US tech companies poses a major systemic risk. An outage at one of these providers could paralyze much of the UK financial system, affecting payments, stock market operations and everyday banking services. For example, in 2021, an AWS outage affected multiple financial services in the US, and in 2023, a Microsoft Azure outage impacted airlines and banks worldwide. The Bank of England has repeatedly warned about the risks of relying on a few hyperscalers. This move reflects a global trend of treating tech giants as critical infrastructure, similar to how electricity or telecommunications are regulated. The designation could also have geopolitical implications, as these providers are US companies, raising questions about digital sovereignty and dependence on foreign infrastructure. According to a Bank of England spokesperson cited by The Next Web, 'regulation of critical third parties is a necessary step to protect financial stability in the digital age'.
What consequences will it have?
Designated companies will have to comply with stricter requirements for operational resilience, incident reporting and stress testing. This includes the obligation to conduct penetration testing, security audits and detailed business continuity plans. They could face penalties for non-compliance, including fines of up to 1% of global annual revenue, similar to GDPR, or operational restrictions preventing them from offering services to new financial institutions. For financial institutions, this could mean greater stability and lower risk of disruptions. However, it could also increase compliance costs, as providers pass these costs on to their clients. According to a Gartner report, cloud regulatory compliance costs could rise by 15% to 20% over the next two years. Additionally, the measure could reduce flexibility in choosing cloud providers, as some banks may opt to diversify across multiple providers to mitigate risk, increasing operational complexity.
What should readers know?
- Market impact: The move could set a precedent for other countries to follow, increasing regulatory pressure on hyperscalers. Countries like India and Brazil are already evaluating similar frameworks. This could lead to fragmentation of the global cloud market, where providers must adapt to different national regulations.
- Preparation: Financial firms should review their contracts and contingency plans to align with the new requirements. It is advisable to conduct dependency audits and assess the feasibility of multicloud strategies. The FCA has already published guidelines on how firms should manage critical third-party risks.
- Alternatives: Although the designation focuses on four providers, it could open the door for other cloud players (such as IBM, Alibaba or European providers like OVHcloud) to seek certifications to compete in the financial market. In fact, the EU's DORA regulation has already prompted European providers to obtain 'critical provider' certification to gain market share.
'Regulation of critical third parties is a necessary step to protect financial stability in the digital age,' says a Bank of England spokesperson.
In summary, the UK's decision marks a milestone in the supervision of financial technology infrastructure, with implications that extend beyond its borders. The measure not only affects tech giants but also redefines the relationship between regulators, financial institutions and cloud service providers. As the digitalization of the financial sector advances, operational resilience becomes a fundamental pillar of economic stability. The coming months will be crucial to see how these requirements are implemented and whether other countries adopt similar approaches.