Global finance has become dangerously dependent on a handful of American technology giants for the digital plumbing that keeps markets functioning. From Monday, Britain takes a practical step to address that vulnerability without resorting to heavy-handed state expansion or anti-innovation rhetoric.
The government has designated Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, Amazon Web Services EMEA SARL, and Oracle Corporation UK Limited as critical third parties to the financial sector. The designations take effect on 13 July 2026. From that date the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority will jointly oversee the critical services these providers supply to UK banks, insurers and market infrastructure.
This regime, established under the Financial Services and Markets Act 2023, does not replace existing rules on operational resilience or outsourcing. It complements them. Regulators gain powers to gather information, assess resilience, and enforce requirements where necessary to protect the continuity of vital services. The approach remains risk-based and proportionate, reflecting HM Treasury's decisions following consultation with both regulators and the firms involved.
Concentration risk demands attention
Reliance on a few dominant cloud providers has created a classic systemic exposure. A serious cyber incident or operational failure at one provider could ripple across thousands of financial firms simultaneously. The new oversight framework requires these critical third parties to identify and manage risks effectively, maintain open communication with regulators and clients, and report major incidents promptly.
Sarah Breeden, deputy governor for financial stability at the Bank of England, put the matter plainly: "As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability."
Her colleague Katharine Braddick, deputy governor for prudential regulation and chief executive of the PRA, emphasised the direct link to institutional soundness: "By bringing critical third parties into the scope of oversight, we are ensuring that the infrastructure underpinning UK financial services is robust enough to support UK financial stability and confidence. This directly supports the PRA’s objective to promote the safety and soundness of regulated firms."