Westminster Policy News & Legislative Analysis

Treasury designates four cloud firms as critical third parties

HM Treasury has used a new Financial Services and Markets Act power to designate four large cloud providers as critical third parties to the UK financial sector. The Critical Third Parties (Designation) Regulations 2026 were made on 8 July 2026 and come into force on 13 July 2026. In practical terms, the instrument brings some of the technology infrastructure behind banking, insurance and market activity into a formal public-interest category. The regulations are short, but the policy message is clear: disruption at a small number of outsourced providers is now being treated as a financial stability issue.

The companies named in the regulations are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited. Each is designated from 13 July 2026, and the regulations extend across England and Wales, Scotland and Northern Ireland. That drafting matters because the designation attaches to the specific legal entities listed in the instrument, not to every company within the wider Amazon, Google, Microsoft or Oracle groups. For legal, procurement and compliance teams, the exact entity named in the regulations is the relevant point.

The Treasury says it has acted under section 312L(1) of the Financial Services and Markets Act 2000. Under section 312L(3), the test is whether a failure in, or disruption to, the services provided by the designated person could threaten the stability of, or confidence in, the UK financial system. The regulations state that, in the Treasury's opinion, that test is met for all four firms. This is the central policy point. The designation is not presented as a response to misconduct. It is based on the importance of services whose interruption could affect multiple regulated firms at the same time and, in turn, wider confidence in the system.

The instrument also shows how the statutory process is being used. Before making the regulations, the Treasury says it consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England. It also gave written notice to the firms proposed for designation and considered any written representations made within a reasonable period. For Policy Wire readers, that is an important procedural detail. The legal trigger sits with the Treasury, but it is exercised after engagement with the main financial regulators and after a notice-and-representations process for the firms concerned.

Section 312L was inserted into the 2000 Act by section 18 of the Financial Services and Markets Act 2023. These 2026 regulations are therefore best read as an implementation step: Parliament created the designation power in 2023, and the Treasury is now applying it to named providers judged to be systemically important. The regulations themselves do not set out technical controls or service requirements. Their function is narrower but still significant. They place the named entities inside the statutory category of critical third party, which is the entry point for the wider oversight regime created for services that support the financial sector.

For banks, insurers, payment firms and financial market infrastructure operators, this instrument does not by itself create a new customer-facing obligation. Its immediate significance is supervisory and structural. A part of the outsourced cloud stack used across UK finance is now expressly recognised by the Treasury as important enough to fall within this designation regime. For the wider public, the plain-English explanation is straightforward. If a major technology provider serving many financial firms were to suffer a serious outage or disruption, the concern is not limited to one contract or one institution. The Treasury is signalling that the knock-on effects could reach the financial system more broadly.

The explanatory note adds that no full impact assessment has been produced because no, or no significant, impact on the private, voluntary or public sector is foreseen. That indicates the Treasury sees the immediate legal step as targeted and proportionate, even though the firms involved occupy a central place in financial-sector infrastructure. Taken together, the regulations mark a clear shift in how outsourced technology is treated in UK financial regulation. From 13 July 2026, AWS, Google Cloud, Microsoft and Oracle are not only major suppliers to the sector; the named legal entities are also designated critical third parties under Treasury regulations.