UK Names Amazon, Google, Microsoft and Oracle as Critical Third Parties to Financial System

Fintech News

UK Names Amazon, Google, Microsoft and Oracle as Critical Third Parties to Financial System #

The UK government has formally designated four of the world’s largest cloud providers as Critical Third Parties (CTPs) to the country’s financial sector, placing them under direct regulatory supervision for the first time.

HM Treasury announced on Friday that the designations cover the specific legal entities Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL, and Oracle Corporation UK Ltd. They take effect on 13 July. The four companies are the first ever named under the UK’s CTP oversight regime, which was established by the Financial Services and Markets Act 2023 and became operational in January 2025.

The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) will jointly supervise the four firms. According to Reuters, they will be required to undergo regular resilience testing, conduct periodic self-assessments, and report major operational incidents to the authorities.

The Treasury cited the systemic risk created by the financial sector’s growing reliance on a small number of cloud platforms. “As banks, insurers and financial market infrastructures become increasingly reliant on cloud services, disruption at a major supplier could affect multiple firms at the same time, potentially impacting services customers depend on,” it said. Officials said the regime is designed to strengthen financial firms’ operational resilience against large-scale cyber attacks and technology outages.

The UK’s initial designations differ in scope from the EU’s equivalent framework. In November, the EU named 19 technology and services firms under the Digital Operational Resilience Act (DORA), covering a broader set of providers. The UK has started by concentrating on four hyperscalers whose infrastructure underpins large portions of British banking and insurance.

A Google Cloud spokesperson welcomed the framework, saying it “can enhance the long-term resilience of the UK’s financial ecosystem and increase understanding, transparency, and trust between all parties,” provided it is implemented effectively with meaningful industry engagement.

Regulators said the first year of oversight for newly designated CTPs will focus on building an initial risk picture rather than enforcement, giving firms time to adapt their contractual and operational arrangements to the new requirements.

Source: Reuters (via Investing.com)