UK government puts four cloud providers under watch by financial regulators

By on 14/07/2026 | Updated on 14/07/2026
Photo from Pixabay

Regulatory oversight of AWS, Google Cloud, Microsoft and Oracle to help ensure they can manage operational disruption affecting critical services

The UK government has designated four of the world’s biggest cloud technology companies as ‘critical third parties’ (CTPs) to enable regulators to “strengthen the resilience of the UK’s financial system”.

The services that Amazon Web Services (AWS), Google Cloud, Microsoft and Oracle provide to the financial sector are being brought under the joint oversight of the Bank of England, Prudential Regulation Authority and Financial Conduct Authority, following what the government describes as a period of “evidence gathering and collaborative engagement”. Further providers may be designated in the future as part of a “rolling regime”.

“As banks, insurers and financial market infrastructures become increasingly reliant on cloud services, disruption at a major supplier could affect multiple firms at the same time, potentially impacting services customers depend on,” the government states in its CTPs announcement.

Regulatory oversight of the four companies’ services will “help to ensure they have robust arrangements in place to identify, manage and recover from operational disruption affecting critical services used across the financial sector,” the announcement continues. Specifically, the regulators will be able to “gather information, assess resilience, and work with third parties to address risks to the continuity of critical services, including through making and enforcing CTP-specific rules where necessary”.

Read more from our sister title, Global Government Finance: UK regulators set out plan for oversight of ‘critical third parties’

HM Treasury designations

All four of the designated companies have publicly backed the announcement, issuing supportive quotes in the government’s press release.

Regulatory oversight applies only to systemic services provided to the financial sector, not the companies’ wider operations. Financial firms remain responsible for managing risks arising from their third-party suppliers.

UK regulators published proposals to directly regulate CTPs supplying services such as cloud computing to the financial sector in December 2023.

“CTPs supply an array of services to firms and FMIs [Financial Market Infrastructres], providing benefits, including greater operational resilience and innovation. However, if they are disrupted or fail, there are potential risks to UK financial stability,” the authorities stated at the time. “Managing these risks fully is beyond the ability of any individual firm or FMI and requires an appropriate but proportionate level of direct regulatory oversight.”

“These proposals will therefore complement but not blur, eliminate or dilute the responsibilities of individual firms and FMIs relating to operational resilience and third-party risk management,” the authorities explained.

The ‘Operational Resilience: Critical Third Parties to the UK Financial Sector’ proposals followed a discussion paper (with an identical title) published in July 2022; and the UK parliament’s adoption of the Financial Services and Markets Act 2023, which gave regulators powers to make rules for, and oversee, CTPs designated by HM Treasury.

Global thinking

It was pointed out at the time of the consultation that the proposals “drew on” global standards and toolkits, such as the 58-page Enhancing third-party risk management and oversight: a toolkit for financial institutions and financial authorities published by the Financial Stability Board.

“They are also designed to be interoperable with similar rules for CTPs in other jurisdictions,” the authorities stated.

A Financial Stability Institute paper published in December 2024 (‘Regulating AI in the financial sector: recent developments and main challenges’ – FSI Insights) noted that the concentration of cloud and AI service providers to a few large global technology firms “strengthens the argument for putting in place direct oversight frameworks for these service providers”.

The paper noted that “in response, some jurisdictions have already moved in this direction, while others have reinforced the financial institutions’ responsibility to manage risks stemming from these third-party relationships.” It added that “this indirect approach is prevalent in the financial sector”.

This article was first published by Global Government Forum’s sister title Global Government Finance: UK government puts four cloud providers under watch by financial regulators

About Ian Hall

Ian is Global Government Finance editor. He has formerly held roles including UK director of Euractiv (2011-2018), editor of Public Affairs News (2007-2011) and news editor of PR Week (2000-2007). He was shortlisted for ‘Editor of the Year’ at the British Society of Magazine Editors (BSME) Awards in 2010. He began his career in the Balkans at English-language weekly the Sofia Echo (Bulgaria: 1998-1999).

Leave a Reply

Your email address will not be published. Required fields are marked *