On 10 July 2026, HM Treasury confirmed the most consequential structural change to how UK financial regulators govern cloud dependency since the Financial Services and Markets Act 2023 reached the statute book. Four of the largest cloud and technology providers on earth — Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL and Oracle Corporation UK Ltd — have been formally designated as Critical Third Parties (CTPs) to the UK financial system. The designations, made under FSMA 2023, take effect on 13 July 2026. From that date the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) begin to oversee those providers directly — not merely through the banks, insurers and payment firms that rely on them, but through the providers themselves.
For the UK’s SME community this is not a distant regulatory footnote confined to systemic banks. It is a signal, written into law, that cloud infrastructure is now treated as systemic national infrastructure rather than an ordinary vendor service. If your business runs on Azure, Google Cloud, AWS or Oracle — and the overwhelming majority of UK firms now do, directly or through the software they depend on — then the questions the regulators are now asking of those providers are the same questions your board should be asking of your own operation. What happens when the platform goes down? Who is accountable? Where does the data sit? Can you move if you have to? This briefing sets out exactly what was designated on 13 July 2026, why the UK has chosen this path, how it differs from the EU’s approach, and what a mid-market business running cloud workloads should take from it.
What HM Treasury actually designated on 13 July 2026
The core of the announcement is deceptively simple. HM Treasury has used the powers granted by FSMA 2023 to name four technology providers as Critical Third Parties: the UK-facing legal entities of Microsoft, Google Cloud, Amazon Web Services and Oracle. A Critical Third Party is a supplier whose failure or disruption is judged capable of threatening the stability of, or confidence in, the UK financial system — because so many regulated firms depend on the same handful of providers for the same essential services. Designation does not make these companies regulated financial firms. It makes them directly answerable, for the first time, to the three authorities that safeguard the UK’s financial plumbing.
Before FSMA 2023, the regulators could only reach a cloud provider indirectly. If a bank outsourced its core systems to a hyperscaler, the Bank of England and FCA supervised the bank’s management of that relationship — the contract, the exit plan, the oversight — but had no direct line to the provider itself. As the sector’s reliance on a small number of platforms deepened into what officials now openly call a systemic dependency, that indirect model looked increasingly inadequate. A single provider outage no longer disrupts one firm; it can ripple across dozens of banks, insurers, asset managers and payment services simultaneously, because they all sit on the same infrastructure. FSMA 2023 created the CTP regime precisely to close that gap, granting the Bank of England, PRA and FCA the statutory power to oversee these external providers directly. The 13 July designations are the first live use of that power.
Sarah Breeden, Deputy Governor for Financial Stability at the Bank of England, framed the rationale plainly: “As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.” The Economic Secretary to the Treasury, Rachel Blake MP, set out the government’s position that strengthening the resilience of the technology underpinning financial services protects consumers and the wider economy. The providers themselves responded constructively: Google Cloud said the framework can enhance the long-term resilience of the UK financial ecosystem; Microsoft committed to complying with the oversight requirements; AWS said it supports a robust UK financial system; and Oracle voiced support for the operational-resilience objective.
Designation does not transfer your risk to the cloud provider. HM Treasury has been explicit that financial firms — and by extension every business that depends on cloud — remain fully responsible for managing their own third-party risk. The CTP regime adds a layer of direct oversight of the provider at the systemic level; it does not absolve you of exit planning, concentration-risk mapping, incident readiness or contractual diligence at your own level. Reading the headline as “the regulator now watches Microsoft so we don’t have to worry” is the single most dangerous misinterpretation available, and it is the one most likely to be made in boardrooms that treat cloud as a utility rather than as critical infrastructure.
How the UK arrived at the CTP designations
The 13 July go-live is the culmination of a multi-year policy arc. Understanding the chronology matters, because it shows this is a deliberate, evidence-led shift rather than a reaction to any single incident.
What the CTP regime actually requires of the providers
The oversight the three regulators gain on 13 July is specific and operational. It is not a vague duty of care; it is a defined set of powers and expectations aimed squarely at resilience — the ability of a critical provider to prevent, adapt to, respond to, recover from and learn from disruption. The chart below sets out the core components of the regime and an indicative view of how demanding each one is to satisfy at the provider level. These are illustrative weightings drawn from the published shape of the regime, not regulator-issued scores.
In plain terms, the regulators can now require the four providers to test their resilience against severe-but-plausible scenarios, to submit regular self-assessments of their operational resilience, to report major incidents that could affect the financial system, and to hand over information on demand. The authorities can also make and enforce rules specific to CTPs. Crucially, the regime is designed to be proportionate — it targets the systemic services these providers deliver to finance, not every product line they sell. The goal is not to run the cloud providers; it is to ensure their failure cannot quietly become the financial system’s failure.
Why the financial sector was the trigger
The choice to start with finance is not arbitrary. The financial sector is both the most cloud-dependent part of the UK economy and the most heavily targeted. According to the CloudGuard Financial Services Threat Report 2026, the financial sector accounts for 28% of all UK cyberattacks — a disproportionate share that reflects both the value of the assets and the systemic leverage an attacker gains by hitting shared infrastructure. When the platforms underpinning a quarter of the nation’s cyber-attack surface are also the platforms underpinning its banks, the case for direct oversight writes itself.
The concentration risk runs deeper than attacks. The UK financial sector’s reliance on cloud is now systemic: a small cluster of providers supplies the compute, storage and platform services that a very large number of firms depend on to function day to day. That is exactly the pattern the CMA identified when, in its August 2025 cloud market final decision, it recommended strategic market status investigations into Microsoft and AWS. Two different arms of the state — the competition regulator and the financial-stability regulators — have now looked at the same market concentration and reached complementary conclusions: it is too important to leave unsupervised. For SMEs the read-through is direct. The same concentration that makes these platforms convenient and cheap also makes them a single point of failure, and the state has decided that single point of failure is now a matter of national resilience.
Where UK SMEs are most exposed on cloud governance
The designations put a spotlight on cloud governance across the whole economy, not just the regulated core. Most mid-market businesses have adopted cloud faster than they have built the governance around it. The grid below sets out where exposure typically concentrates for a UK SME running significant cloud workloads — the gaps that the CTP debate should prompt every board to close, regardless of whether the business is itself regulated.
The pattern is consistent across the businesses we assess. Cloud adoption was an operational decision made to move fast and cut capital cost, and in that context it was the right decision. But the resilience governance that should sit alongside it — exit planning, concentration mapping, tested recovery, verified data residency, backups held outside the primary provider — frequently never got built. The CTP designations do not create these obligations for SMEs, but they make it far harder for a board to argue it did not understand that cloud is critical infrastructure. When the Bank of England is testing Microsoft’s resilience, “we assumed the cloud would always be there” stops being a defensible position for anyone.
What cloud resilience governance looks like by business size
Resilience is not one-size-fits-all. A ten-person firm and a two-hundred-person firm face the same underlying dependency but carry very different risk and have very different resources to manage it. The table below sets out an indicative view of what proportionate cloud-resilience governance looks like across UK business-size bands. Figures are illustrative planning ranges, not quotes.
| Business size | Typical cloud footprint | Priority resilience actions | Indicative annual governance investment |
|---|---|---|---|
| 1–10 staff | Microsoft 365, one primary cloud, SaaS apps | Independent backup outside the provider; documented recovery steps; verified data residency | £1,500–£4,000 |
| 10–50 staff | Azure or AWS workloads, line-of-business apps, cloud email | Exit/portability plan; concentration-risk map; tested RTO/RPO; named resilience owner | £4,000–£12,000 |
| 50–200 staff | Multi-service cloud estate, integrations, some regulated data | Board-level governance; scenario testing; contractual audit rights; multi-region or hybrid failover | £12,000–£35,000 |
| 200+ staff | Complex hybrid/multi-cloud, critical customer-facing systems | Formal operational-resilience programme; impact tolerances; supplier oversight; DR rehearsals | £35,000+ |
The right figure for any given business depends on its sector, the sensitivity of its data and the cost of an outage — a professional-services firm that bills by the hour and a retailer that transacts around the clock will weigh downtime very differently. But the direction of travel is the same across every band: as cloud dependency deepens, resilience governance stops being optional overhead and becomes a proportionate, budgeted part of running the business. The CTP regime is the clearest possible signal that this is now the expectation from the top of the system downwards.
Reactive cloud posture versus resilient cloud posture
The practical gap the designations expose is the gap between treating cloud as a utility you assume will always work, and treating it as critical infrastructure whose failure you have planned for. The comparison below sets out the two postures.
Reactive posture
How many SMEs treat cloud today
- Cloud assumed to be always available; no plan for provider outage
- Backups held inside the same provider as production
- No documented exit or portability route if the provider fails or prices change
- Data residency assumed, never verified against the contract
- Recovery time unknown until an incident forces the question
- No single owner accountable at board level for cloud resilience
- Concentration on one provider invisible to leadership
Resilient posture
Where Cloudswitched takes you
- Provider-outage scenarios identified, documented and rehearsed
- Independent, immutable backups held outside the primary provider
- Exit and portability plan written, costed and reviewed annually
- Data residency and sovereignty confirmed against UK requirements
- Defined RTO and RPO for every business-critical application
- Named resilience owner with board visibility and reporting
- Concentration risk mapped, with hybrid or multi-region options assessed
Moving from the left column to the right is not a single project; it is a shift in how the business thinks about the platforms it runs on. It rarely means abandoning the cloud — the economics and capabilities of Azure, AWS, Google Cloud and Oracle remain compelling, and the point of the CTP regime is to make those platforms more resilient, not to push firms off them. It means adopting the platforms with eyes open, with the governance that recognises them for what the state has now formally declared them to be: critical infrastructure.
You do not need to wait for a regulator to ask. The single most valuable exercise a UK SME can run this quarter is a cloud concentration and exit review: list every business-critical system, record which provider hosts it, confirm where the data physically resides, verify that a usable backup exists outside that provider, and write down — honestly — how long it would take to recover if that provider were unavailable for a day. Most businesses cannot answer the last question, and discovering that is the entire point. It converts an invisible dependency into a managed one, and it is the same discipline the CTP regime now applies at the top of the system.
At-a-glance: the 13 July 2026 CTP designations
| Fact | Detail |
|---|---|
| What happened | HM Treasury designated four cloud/technology providers as Critical Third Parties to the UK financial sector |
| Providers designated | Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL, Oracle Corporation UK Ltd |
| Announced | 10 July 2026 by HM Treasury |
| Effective date | 13 July 2026 |
| Legal basis | Financial Services and Markets Act 2023 (FSMA 2023) |
| Regulators | Bank of England, PRA and FCA (jointly) |
| Regulator powers | Gather information, assess resilience, require resilience testing and self-assessments, receive major incident reports, make and enforce CTP-specific rules |
| Provider obligations | Resilience testing, regular self-assessments, major incident reporting, disclosure to regulators |
| Firm responsibility | Financial firms remain fully responsible for managing their own third-party risk |
| Comparison to EU | The EU’s DORA framework designated 19 firms; the UK has started with four and set no statutory cap |
| Future designations | No statutory limit; further designations may be made as dependencies evolve |
| Wider market context | CMA August 2025 cloud market decision recommended strategic market status investigations into Microsoft and AWS |
| Threat backdrop | Finance = 28% of UK cyberattacks; 75% of CNI attacks linked to hostile states; 43% of UK businesses breached in 2025/2026 |
How the UK approach differs from the EU’s DORA
The UK is not acting in isolation. The European Union addressed the same systemic cloud-dependency problem through its Digital Operational Resilience Act (DORA), which designated 19 firms as critical ICT third-party providers. The UK has deliberately chosen a narrower, more targeted starting point — four providers — and, importantly, has set no statutory limit on the number of CTPs it may designate. The two approaches share a diagnosis but differ in method: DORA cast a wider net from the outset, whereas the UK regime begins with the providers whose systemic significance is least disputable and reserves the power to expand.
For a UK SME, the practical significance of the contrast is twofold. First, it confirms that cloud-dependency oversight is now a permanent feature of the regulatory landscape on both sides of the Channel, not a passing initiative — any business operating across UK and EU markets should expect both regimes to shape how their financial-sector customers and partners behave. Second, the UK’s open-ended design means the list of directly overseen providers is likely to grow. A business building on a mid-tier cloud or SaaS platform today should not assume that platform will remain outside the regime indefinitely; the perimeter is explicitly designed to move.
How this connects to the wider 2026 picture
The CTP designations do not stand alone. They are one thread in a year of UK developments that all point in the same direction: cloud and cyber resilience is moving from an IT concern to a board-level, and now nationally supervised, obligation. The misconfiguration risk that dominates real-world cloud breaches, the surge in state-linked attacks on infrastructure, the strategic investment banks are pouring into cyber, and the steady drumbeat of the breaches statistics all form the backdrop to the 13 July regime.
We examined why cloud misconfiguration — not exotic zero-days — remains the leading cause of Azure and cloud breaches for UK SMEs in our analysis of the 2026 DBIR and Azure misconfiguration risk, which is the operational counterpart to the systemic risk the CTP regime addresses. On the strategic side, our look at Barclays’ Q1 2026 cyber investment and the Virtual CIO case shows how larger institutions are formalising the very governance that CTP now demands. The threat environment that justifies the whole regime is set out in our coverage of the NCSC state-actor threat assessment and SME resilience, and the scale of the exposure across ordinary UK businesses is captured in our reporting on the Cyber Security Breaches Survey and the 612,000 UK businesses hit. Together these establish the same message the designations make legal: resilience is now the price of running on the cloud.
Treat your cloud the way the regulator now treats theirs
The Bank of England is testing the resilience of the platforms your business runs on. Cloudswitched Azure Cloud Services bring the same discipline to your estate — concentration mapping, tested recovery, verified data residency and independent backup — so cloud remains an advantage, not an unmanaged systemic dependency.
Talk to us about Azure Cloud ServicesFrequently asked questions
The state now treats cloud as critical infrastructure. Your business should too.
13 July 2026 marks the point cloud dependency became a matter of national resilience. Cloudswitched Azure Cloud Services give UK SMEs the governance that recognition demands — resilient architecture, tested recovery, verified residency and independent backup — so your cloud remains a strategic advantage rather than an unmanaged systemic risk.
Talk to us about Azure Cloud Services


