HM Treasury has made the Critical Third Parties (Designation) Regulations 2026, a statutory instrument that formally brings four major cloud providers into the UK's new critical third party framework for financial services. The Regulations were made on 8 July 2026 and come into force on 13 July 2026. Under regulation 2, the entities designated are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited. The instrument extends across England and Wales, Scotland and Northern Ireland.
The legal basis is section 312L(1) of the Financial Services and Markets Act 2000. The Regulations state that, having considered the matters set out in section 312L(3), the Treasury is of the opinion that a failure in, or disruption to, the services provided by these firms could threaten the stability of, or confidence in, the UK financial system. That is the central policy point. The designation is not framed around misconduct or a breach by the named companies. It is framed around systemic importance: the view that disruption at a small number of technology suppliers could have consequences well beyond any single regulated firm.
The instrument also sets out the statutory process followed before designation. According to the Regulations, the Treasury consulted the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England, as required by section 312L(4) of the Act. The Treasury also gave written notice to the firms proposed for designation, allowed a reasonable period for written representations, and had regard to any representations received. For policy readers, that matters because it confirms the designations were made through the formal procedure built into the post-Financial Services and Markets Act 2023 regime, rather than through an ad hoc announcement.
In practical terms, the designation marks a shift in where supervisory attention sits. For years, operational resilience and outsourcing risk have largely been addressed through obligations on banks, insurers and other regulated firms. This instrument moves part of that discussion towards the third-party providers whose services may underpin a large share of sector activity. The Regulations themselves are short and do not set out detailed conduct requirements. Their function is to identify the firms that fall within the statutory category of critical third parties. That status is what gives the wider framework its force.
For regulated firms, the immediate significance is strategic rather than cosmetic. A supplier category that many firms already regard as essential is now recognised in legislation as potentially relevant to financial stability. That is likely to sharpen attention on dependency mapping, disruption planning and the resilience of services that sit outside the legal perimeter of the firms using them. For the designated providers, the measure places their role in UK finance on an explicit statutory footing. In policy terms, the UK is signalling that certain outsourced technology services are no longer being treated as a narrow procurement issue, but as part of the architecture that supports market confidence and continuity.
The explanatory note to the instrument says a full impact assessment has not been produced because no, or no significant, impact on the private, voluntary or public sector is foreseen. That should be read in the context of what this instrument does: it is a designation measure, not a full rulebook in itself. Even so, the policy significance is clear. From 13 July 2026, four global cloud providers are formally designated in UK law as critical third parties to the financial sector. Signed by Lilian Greenwood and Deirdre Costigan on behalf of HM Treasury, the Regulations are a concise but important step in the UK's effort to address concentration and resilience risks in financial services infrastructure.