The Treasury’s Critical Third Parties (Designation) Regulations 2026 took effect on Monday 13 July 2026, bringing Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited within the UK’s new critical third party regime for financial services. The Financial Conduct Authority and Bank of England describe these as the first designations under the regime, with joint oversight beginning from the date the Regulations come into force. (bankofengland.co.uk) The instrument is technical in form but important in effect. It is the point at which large external technology providers are brought into direct oversight for the systemic services they provide to UK finance, rather than being viewed only through the resilience arrangements of the firms that use them. (gov.uk)
The legal basis sits in section 312L of the Financial Services and Markets Act 2000, inserted by section 18 of the Financial Services and Markets Act 2023. The explanatory notes to the 2023 Act state that HM Treasury may designate a third party only where failure or disruption of its services would pose a risk to UK financial stability or confidence in the financial system. (legislation.gov.uk) HM Treasury’s published approach to designation sets out an evidence-led process running from regulatory recommendation and engagement with the supplier through to the final designation decision. The Government’s announcement on 10 July 2026 also stated that decisions are made following consultation with the Bank of England, the Prudential Regulation Authority, the Financial Conduct Authority and the third party concerned. (gov.uk)
The policy issue being addressed is concentration risk in outsourced technology and cloud services. The FCA defines critical third parties as providers whose disruption or failure could threaten the stability of, or confidence in, the UK financial system, while the Bank has warned that a single provider can become a point of failure across multiple firms and financial market infrastructures at the same time. (fca.org.uk) That explains why the first designations fall on large cloud and technology suppliers rather than on regulated banks or insurers themselves. HM Treasury said on 10 July that an outage at a major supplier could affect multiple firms simultaneously and disrupt services used by millions of consumers and businesses. (gov.uk)
What the regime does not do is place each designated company’s entire business under financial regulation. The FCA and the Bank have both stressed that oversight is targeted at the systemic services provided to the UK financial sector and is intended to be proportionate and outcomes-focused. (bankofengland.co.uk) In practical terms, that oversight can include regulatory engagement, information requests and resilience assessments centred on the services a designated provider supplies to the sector. For policy readers, the important distinction is that the regime is built around service continuity and financial stability, not around general oversight of every product line operated by those firms. (bankofengland.co.uk)
For regulated firms, the designations do not remove existing duties. The FCA states that firms remain responsible for managing their own third-party risks under current operational resilience and outsourcing requirements, even where a supplier is now designated as a critical third party. (fca.org.uk) Accountability therefore stays with the authorised firm. Boards and senior managers still need clear mapping of important business services, dependencies and disruption planning, even where a major supplier is now subject to separate oversight. That is a reasonable reading of the FCA’s statement that the new regime complements, rather than replaces, firms’ own risk management obligations. (fca.org.uk)
The timing is also significant. The FCA says the critical third party framework was consulted on in December 2023 and March 2024, final rules were published on 12 November 2024, and the overall regime took effect on 1 January 2025. Those rules applied to a provider only once a Treasury designation regulation came into force. (fca.org.uk) Monday 13 July 2026 is therefore the point at which the framework moves from statute and rulebook into active oversight for these four providers. For the financial sector, that is the operational change that matters. (bankofengland.co.uk)
The wider significance is that cloud resilience is now being treated as part of the UK’s financial stability architecture. The Bank of England’s 2024 approach document presents the regime as a standing reference for how the Bank, PRA and FCA will use their oversight powers, and HM Treasury has said further providers may be designated over time where the statutory test is met. (bankofengland.co.uk) Outside the regulatory community, the message is straightforward. The Regulations do not change who supplies cloud services to banks on 13 July 2026, but they do change how UK authorities supervise the resilience of those services where disruption could spread across the financial system. (bankofengland.co.uk)