UK Designates AWS, Google Cloud, Microsoft and Oracle as Critical Third Parties
The UK Treasury has formally designated four of the world's biggest cloud providers as critical third parties to the financial system, marking a notable step in how Britain treats outsourced technology risk. Under the Critical Third Parties (Designation) Regulations 2026, Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited will all be designated from 13 July 2026. The text published on legislation.gov.uk is short, but the point is clear enough. Cloud services are no longer being treated as a distant supplier issue. In the Treasury's view, they now sit close enough to the functioning of finance to justify direct designation in law.
The Treasury's reasoning is unusually direct. It says a failure in, or disruption to, services provided by these firms could threaten the stability of, or confidence in, the UK financial system. That takes the discussion well beyond cost-saving and convenience. For banks, insurers, payment firms and market operators, dependence on a small cluster of cloud providers has become a systemic risk question as much as a technology one. This is the main business story in the Regulations: concentration risk in digital infrastructure is now being treated as a market issue.
The designation was made using section 312L of the Financial Services and Markets Act 2000, a provision inserted by the Financial Services and Markets Act 2023. According to the instrument, the Treasury consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England before acting. It also gave written notice to the firms and considered any representations they made. That matters because it shows this was not a headline-first announcement. It was a formal step, taken with input from the UK's main financial regulators and with financial stability firmly at the centre of the decision.
What stands out is how narrow the list is and how large the names are. Only four providers are designated, and all four are deeply embedded in global cloud computing. Read another way, the Regulations are an admission that a small number of technology suppliers now matter to markets in the same way that certain payment, clearing or data services already do. It is also worth noting that the legal designations apply to operating entities rather than simply to the parent brands. That reflects how these services are contracted and delivered in practice. For firms using cloud across multiple jurisdictions, that detail will not be lost on legal, risk and procurement teams.
The explanatory note says no full impact assessment has been produced because no, or no significant, impact on the private, voluntary or public sector is foreseen. Taken literally, that is about the immediate legal effect of the instrument, which is limited to designation. Still, that should not be mistaken for a low-stakes development. Once the state identifies a supplier as critical to financial stability, boards and investors tend to look harder at resilience, substitution options and single-provider exposure. That pressure is likely to travel through contracts and due-diligence processes, affecting not just major banks but also fintechs, brokers and other firms that rely on the same providers further down the chain.
The Regulations were made on 8 July 2026 and come into force on 13 July 2026. They extend across England and Wales, Scotland and Northern Ireland. On paper, this is a compact statutory instrument. In practical terms, it tells the market that outsourced cloud is now part of the UK's financial stability framework. For investors and business owners, the takeaway is straightforward. Technology concentration is no longer a background operational topic. It is now something the Treasury is prepared to name in legislation, and that makes it worth watching alongside the usual balance-sheet and earnings numbers.