📈 Markets | London, Edinburgh, Cardiff

MARKET PULSE UK

Decoding Markets for Everyone


UK Treasury names AWS, Google, Microsoft and Oracle critical third parties

The Treasury has formally placed four of the world’s biggest cloud providers inside the UK’s financial stability frame. Under the Critical Third Parties (Designation) Regulations 2026, made on 8 July and in force from 13 July 2026, Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited are now designated as critical third parties. According to the published regulations, the Treasury’s view is straightforward: a failure in, or disruption to, services from these firms could threaten the stability of, or confidence in, the UK financial system. The rules apply across England and Wales, Scotland and Northern Ireland, which underlines that this is a system-wide call rather than a narrow City measure.

In plain English, this is the state recognising that cloud computing is no longer a back-office convenience for finance. It sits underneath the apps, databases, payment flows, fraud checks, customer records and recovery systems that banks, insurers and fintechs rely on every day. That matters because a serious outage at a major provider would not stay in the technology department for long. It could quickly become a consumer problem, a market problem and, in a stressed scenario, a confidence problem. The designation does not suggest misconduct by any of the firms named. It signals that their role in modern finance is now too important to treat as ordinary supplier risk.

There is also a clear message here about market structure. Much of the financial sector runs on a relatively small group of global cloud companies, even when the institutions themselves compete fiercely on products, pricing and customer service. That concentration brings obvious benefits. Large cloud providers offer scale, resilience tools, computing power and faster deployment than many firms could build alone. But the same concentration can leave the system more exposed if too many institutions depend on the same provider, the same region or the same technical stack. From a Market Pulse UK perspective, that is the real point of the regulation: convenience and efficiency have a price when everyone is standing on similar foundations.

For banks and building societies, the immediate takeaway is not to tear up contracts. The regulation is not a ban on using AWS, Google Cloud, Microsoft or Oracle, and it does not force a sudden migration away from any provider. What it does do is sharpen the focus on dependency mapping, contingency planning and recovery options. Boards will be expected to know which services are genuinely critical, how quickly they can be restored and where a single point of failure may sit. Fintechs may feel the pressure even more sharply, because newer firms often build quickly on one cloud provider and keep lean teams. That model can be commercially sensible, but it can look less comfortable when regulators start asking hard questions about resilience.

Competition is the more awkward part of this story. On one reading, official designation could strengthen the position of the biggest providers, because regulated firms often prefer suppliers already familiar to supervisors and already embedded across the sector. On another reading, the same move may push firms to think more seriously about diversification. That does not mean every bank will adopt a full multi-cloud model overnight. It does mean procurement, system design and exit planning may receive more board-level attention. If firms decide they need more portability and less supplier lock-in, smaller providers and specialist vendors could find new openings, even if the largest names remain dominant.

The process behind the regulations also matters. The Treasury says it consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England before making the designation. It also gave written notice to the firms involved and considered any representations made. That detail shows this was a co-ordinated regulatory move rather than a symbolic announcement. It sits on powers inserted into the Financial Services and Markets Act 2000 by the Financial Services and Markets Act 2023. The explanatory note adds that no full impact assessment was produced because no, or no significant, impact on the private, voluntary or public sector is foreseen. Readers may take that as a narrow day-one view. The longer-term workload for regulated firms could still rise as resilience expectations become more concrete.

For investors, SME owners and anyone watching how finance actually works, the broader shift is easy to miss if they only read the legal text. The UK is starting to treat parts of digital infrastructure as critical market plumbing, not just outsourced IT. That is why this designation matters beyond compliance teams. When cloud providers become important enough that their disruption could dent trust in the financial system, operational resilience moves closer to the centre of market analysis. As of 13 July 2026, the UK has put four names on that risk register: AWS, Google Cloud, Microsoft and Oracle.

← Back to Articles