Back to News

UK Designates Microsoft, Google, AWS & Oracle as Critical Third Parties — 13 July 2026: What Every UK Business Running Cloud Infrastructure Must Understand Now

UK Designates Microsoft, Google, AWS & Oracle as Critical Third Parties — 13 July 2026: What Every UK Business Running Cloud Infrastructure Must Understand Now

On 10 July 2026, HM Treasury confirmed the most consequential structural change to how UK financial regulators govern cloud dependency since the Financial Services and Markets Act 2023 reached the statute book. Four of the largest cloud and technology providers on earth — Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL and Oracle Corporation UK Ltd — have been formally designated as Critical Third Parties (CTPs) to the UK financial system. The designations, made under FSMA 2023, take effect on 13 July 2026. From that date the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) begin to oversee those providers directly — not merely through the banks, insurers and payment firms that rely on them, but through the providers themselves.

For the UK’s SME community this is not a distant regulatory footnote confined to systemic banks. It is a signal, written into law, that cloud infrastructure is now treated as systemic national infrastructure rather than an ordinary vendor service. If your business runs on Azure, Google Cloud, AWS or Oracle — and the overwhelming majority of UK firms now do, directly or through the software they depend on — then the questions the regulators are now asking of those providers are the same questions your board should be asking of your own operation. What happens when the platform goes down? Who is accountable? Where does the data sit? Can you move if you have to? This briefing sets out exactly what was designated on 13 July 2026, why the UK has chosen this path, how it differs from the EU’s approach, and what a mid-market business running cloud workloads should take from it.

4 Jul 2026
HM Treasury made the Critical Third Party designations under the Financial Services and Markets Act 2023
13 Jul 2026
Designations take formal effect — direct joint oversight of the four providers begins
FSMA 2023
The legal basis creating the CTP regime — the first time UK regulators can oversee external providers directly
3
Regulators jointly responsible: the Bank of England, the PRA and the FCA

What HM Treasury actually designated on 13 July 2026

The core of the announcement is deceptively simple. HM Treasury has used the powers granted by FSMA 2023 to name four technology providers as Critical Third Parties: the UK-facing legal entities of Microsoft, Google Cloud, Amazon Web Services and Oracle. A Critical Third Party is a supplier whose failure or disruption is judged capable of threatening the stability of, or confidence in, the UK financial system — because so many regulated firms depend on the same handful of providers for the same essential services. Designation does not make these companies regulated financial firms. It makes them directly answerable, for the first time, to the three authorities that safeguard the UK’s financial plumbing.

Before FSMA 2023, the regulators could only reach a cloud provider indirectly. If a bank outsourced its core systems to a hyperscaler, the Bank of England and FCA supervised the bank’s management of that relationship — the contract, the exit plan, the oversight — but had no direct line to the provider itself. As the sector’s reliance on a small number of platforms deepened into what officials now openly call a systemic dependency, that indirect model looked increasingly inadequate. A single provider outage no longer disrupts one firm; it can ripple across dozens of banks, insurers, asset managers and payment services simultaneously, because they all sit on the same infrastructure. FSMA 2023 created the CTP regime precisely to close that gap, granting the Bank of England, PRA and FCA the statutory power to oversee these external providers directly. The 13 July designations are the first live use of that power.

Sarah Breeden, Deputy Governor for Financial Stability at the Bank of England, framed the rationale plainly: “As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.” The Economic Secretary to the Treasury, Rachel Blake MP, set out the government’s position that strengthening the resilience of the technology underpinning financial services protects consumers and the wider economy. The providers themselves responded constructively: Google Cloud said the framework can enhance the long-term resilience of the UK financial ecosystem; Microsoft committed to complying with the oversight requirements; AWS said it supports a robust UK financial system; and Oracle voiced support for the operational-resilience objective.

The point most SME boards will miss

Designation does not transfer your risk to the cloud provider. HM Treasury has been explicit that financial firms — and by extension every business that depends on cloud — remain fully responsible for managing their own third-party risk. The CTP regime adds a layer of direct oversight of the provider at the systemic level; it does not absolve you of exit planning, concentration-risk mapping, incident readiness or contractual diligence at your own level. Reading the headline as “the regulator now watches Microsoft so we don’t have to worry” is the single most dangerous misinterpretation available, and it is the one most likely to be made in boardrooms that treat cloud as a utility rather than as critical infrastructure.

How the UK arrived at the CTP designations

The 13 July go-live is the culmination of a multi-year policy arc. Understanding the chronology matters, because it shows this is a deliberate, evidence-led shift rather than a reaction to any single incident.

2023 — FSMA 2023 receives Royal Assent
The Financial Services and Markets Act 2023 creates the statutory Critical Third Party regime, granting the Bank of England, PRA and FCA the power to oversee external service providers directly for the first time. The framework is built; the designations wait.
2024–2025 — Regulators consult and finalise the CTP rules
The three authorities develop and publish the operational-resilience expectations that will apply to designated providers — resilience testing, self-assessment, incident reporting and information-gathering powers — and set out how oversight will work in practice before any firm is named.
August 2025 — CMA cloud market final decision
The Competition and Markets Authority concludes its cloud market investigation and recommends strategic market status (SMS) investigations into Microsoft and AWS, formally recognising the concentration of the UK cloud market in a small number of hands — the same concentration the CTP regime addresses from a stability angle.
May 2026 — NCSC warns on hostile state activity
The NCSC’s chief executive states that around 75% of cyber attacks on UK critical national infrastructure are linked to hostile state actors, sharpening the case for treating the platforms that underpin financial services as national infrastructure to be defended.
4 July 2026 — HM Treasury makes the designations
HM Treasury exercises its FSMA 2023 power to designate the four providers as Critical Third Parties to the UK financial sector, with an effective date set a short window later to allow firms and providers to prepare.
10 July 2026 — The announcement is published
HM Treasury publicly confirms that Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL and Oracle Corporation UK Ltd are designated, with statements from the Bank of England, the Treasury and each provider.
13 July 2026 — Oversight begins
The designations take effect. The Bank of England, PRA and FCA gain direct oversight of the four providers: the ability to gather information, assess resilience, require resilience testing and self-assessments, receive major incident reports, and make and enforce CTP-specific rules.
Beyond 2026 — Further designations possible
There is no statutory cap on the number of CTPs. HM Treasury has signalled that further designations may be made as dependencies evolve — meaning the perimeter of directly overseen providers is expected to widen over time, not stay fixed at four.

What the CTP regime actually requires of the providers

The oversight the three regulators gain on 13 July is specific and operational. It is not a vague duty of care; it is a defined set of powers and expectations aimed squarely at resilience — the ability of a critical provider to prevent, adapt to, respond to, recover from and learn from disruption. The chart below sets out the core components of the regime and an indicative view of how demanding each one is to satisfy at the provider level. These are illustrative weightings drawn from the published shape of the regime, not regulator-issued scores.

Resilience testing (scenario & failover)
92%
Regular self-assessment obligations
80%
Major incident reporting to regulators
88%
Information-gathering & disclosure powers
74%
CTP-specific rules made & enforced
85%
Concentration-risk transparency
70%
Cross-provider systemic coordination
63%

In plain terms, the regulators can now require the four providers to test their resilience against severe-but-plausible scenarios, to submit regular self-assessments of their operational resilience, to report major incidents that could affect the financial system, and to hand over information on demand. The authorities can also make and enforce rules specific to CTPs. Crucially, the regime is designed to be proportionate — it targets the systemic services these providers deliver to finance, not every product line they sell. The goal is not to run the cloud providers; it is to ensure their failure cannot quietly become the financial system’s failure.

Why the financial sector was the trigger

The choice to start with finance is not arbitrary. The financial sector is both the most cloud-dependent part of the UK economy and the most heavily targeted. According to the CloudGuard Financial Services Threat Report 2026, the financial sector accounts for 28% of all UK cyberattacks — a disproportionate share that reflects both the value of the assets and the systemic leverage an attacker gains by hitting shared infrastructure. When the platforms underpinning a quarter of the nation’s cyber-attack surface are also the platforms underpinning its banks, the case for direct oversight writes itself.

28%
Share of all UK cyberattacks directed at the financial sector (CloudGuard Financial Services Threat Report 2026) — the concentration of both value and shared cloud dependency that made finance the first sector to fall under direct CTP oversight

The concentration risk runs deeper than attacks. The UK financial sector’s reliance on cloud is now systemic: a small cluster of providers supplies the compute, storage and platform services that a very large number of firms depend on to function day to day. That is exactly the pattern the CMA identified when, in its August 2025 cloud market final decision, it recommended strategic market status investigations into Microsoft and AWS. Two different arms of the state — the competition regulator and the financial-stability regulators — have now looked at the same market concentration and reached complementary conclusions: it is too important to leave unsupervised. For SMEs the read-through is direct. The same concentration that makes these platforms convenient and cheap also makes them a single point of failure, and the state has decided that single point of failure is now a matter of national resilience.

Where UK SMEs are most exposed on cloud governance

The designations put a spotlight on cloud governance across the whole economy, not just the regulated core. Most mid-market businesses have adopted cloud faster than they have built the governance around it. The grid below sets out where exposure typically concentrates for a UK SME running significant cloud workloads — the gaps that the CTP debate should prompt every board to close, regardless of whether the business is itself regulated.

Common cloud-governance gaps in UK mid-market businesses
No documented, tested cloud exit or portability planHigh
Concentration risk from a single provider unmappedHigh
No board-level owner accountable for cloud resilienceHigh
Incident response untested against a provider outageHigh
Data residency and sovereignty not verifiedMid
Backups held inside the same provider onlyHigh
Contractual audit and exit rights never reviewedMid
Recovery-time objective (RTO) undefined for core appsMid

The pattern is consistent across the businesses we assess. Cloud adoption was an operational decision made to move fast and cut capital cost, and in that context it was the right decision. But the resilience governance that should sit alongside it — exit planning, concentration mapping, tested recovery, verified data residency, backups held outside the primary provider — frequently never got built. The CTP designations do not create these obligations for SMEs, but they make it far harder for a board to argue it did not understand that cloud is critical infrastructure. When the Bank of England is testing Microsoft’s resilience, “we assumed the cloud would always be there” stops being a defensible position for anyone.

What cloud resilience governance looks like by business size

Resilience is not one-size-fits-all. A ten-person firm and a two-hundred-person firm face the same underlying dependency but carry very different risk and have very different resources to manage it. The table below sets out an indicative view of what proportionate cloud-resilience governance looks like across UK business-size bands. Figures are illustrative planning ranges, not quotes.

Business sizeTypical cloud footprintPriority resilience actionsIndicative annual governance investment
1–10 staffMicrosoft 365, one primary cloud, SaaS appsIndependent backup outside the provider; documented recovery steps; verified data residency£1,500–£4,000
10–50 staffAzure or AWS workloads, line-of-business apps, cloud emailExit/portability plan; concentration-risk map; tested RTO/RPO; named resilience owner£4,000–£12,000
50–200 staffMulti-service cloud estate, integrations, some regulated dataBoard-level governance; scenario testing; contractual audit rights; multi-region or hybrid failover£12,000–£35,000
200+ staffComplex hybrid/multi-cloud, critical customer-facing systemsFormal operational-resilience programme; impact tolerances; supplier oversight; DR rehearsals£35,000+

The right figure for any given business depends on its sector, the sensitivity of its data and the cost of an outage — a professional-services firm that bills by the hour and a retailer that transacts around the clock will weigh downtime very differently. But the direction of travel is the same across every band: as cloud dependency deepens, resilience governance stops being optional overhead and becomes a proportionate, budgeted part of running the business. The CTP regime is the clearest possible signal that this is now the expectation from the top of the system downwards.

Reactive cloud posture versus resilient cloud posture

The practical gap the designations expose is the gap between treating cloud as a utility you assume will always work, and treating it as critical infrastructure whose failure you have planned for. The comparison below sets out the two postures.

Reactive posture

How many SMEs treat cloud today

  • Cloud assumed to be always available; no plan for provider outage
  • Backups held inside the same provider as production
  • No documented exit or portability route if the provider fails or prices change
  • Data residency assumed, never verified against the contract
  • Recovery time unknown until an incident forces the question
  • No single owner accountable at board level for cloud resilience
  • Concentration on one provider invisible to leadership

Resilient posture

Where Cloudswitched takes you

  • Provider-outage scenarios identified, documented and rehearsed
  • Independent, immutable backups held outside the primary provider
  • Exit and portability plan written, costed and reviewed annually
  • Data residency and sovereignty confirmed against UK requirements
  • Defined RTO and RPO for every business-critical application
  • Named resilience owner with board visibility and reporting
  • Concentration risk mapped, with hybrid or multi-region options assessed

Moving from the left column to the right is not a single project; it is a shift in how the business thinks about the platforms it runs on. It rarely means abandoning the cloud — the economics and capabilities of Azure, AWS, Google Cloud and Oracle remain compelling, and the point of the CTP regime is to make those platforms more resilient, not to push firms off them. It means adopting the platforms with eyes open, with the governance that recognises them for what the state has now formally declared them to be: critical infrastructure.

75%
Share of cyber attacks on UK critical national infrastructure linked to hostile state actors (NCSC chief executive, May 2026) — the threat backdrop that reframes shared cloud platforms as national infrastructure to be defended
A practical first move for any board

You do not need to wait for a regulator to ask. The single most valuable exercise a UK SME can run this quarter is a cloud concentration and exit review: list every business-critical system, record which provider hosts it, confirm where the data physically resides, verify that a usable backup exists outside that provider, and write down — honestly — how long it would take to recover if that provider were unavailable for a day. Most businesses cannot answer the last question, and discovering that is the entire point. It converts an invisible dependency into a managed one, and it is the same discipline the CTP regime now applies at the top of the system.

At-a-glance: the 13 July 2026 CTP designations

FactDetail
What happenedHM Treasury designated four cloud/technology providers as Critical Third Parties to the UK financial sector
Providers designatedMicrosoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL, Oracle Corporation UK Ltd
Announced10 July 2026 by HM Treasury
Effective date13 July 2026
Legal basisFinancial Services and Markets Act 2023 (FSMA 2023)
RegulatorsBank of England, PRA and FCA (jointly)
Regulator powersGather information, assess resilience, require resilience testing and self-assessments, receive major incident reports, make and enforce CTP-specific rules
Provider obligationsResilience testing, regular self-assessments, major incident reporting, disclosure to regulators
Firm responsibilityFinancial firms remain fully responsible for managing their own third-party risk
Comparison to EUThe EU’s DORA framework designated 19 firms; the UK has started with four and set no statutory cap
Future designationsNo statutory limit; further designations may be made as dependencies evolve
Wider market contextCMA August 2025 cloud market decision recommended strategic market status investigations into Microsoft and AWS
Threat backdropFinance = 28% of UK cyberattacks; 75% of CNI attacks linked to hostile states; 43% of UK businesses breached in 2025/2026

How the UK approach differs from the EU’s DORA

The UK is not acting in isolation. The European Union addressed the same systemic cloud-dependency problem through its Digital Operational Resilience Act (DORA), which designated 19 firms as critical ICT third-party providers. The UK has deliberately chosen a narrower, more targeted starting point — four providers — and, importantly, has set no statutory limit on the number of CTPs it may designate. The two approaches share a diagnosis but differ in method: DORA cast a wider net from the outset, whereas the UK regime begins with the providers whose systemic significance is least disputable and reserves the power to expand.

For a UK SME, the practical significance of the contrast is twofold. First, it confirms that cloud-dependency oversight is now a permanent feature of the regulatory landscape on both sides of the Channel, not a passing initiative — any business operating across UK and EU markets should expect both regimes to shape how their financial-sector customers and partners behave. Second, the UK’s open-ended design means the list of directly overseen providers is likely to grow. A business building on a mid-tier cloud or SaaS platform today should not assume that platform will remain outside the regime indefinitely; the perimeter is explicitly designed to move.

How this connects to the wider 2026 picture

The CTP designations do not stand alone. They are one thread in a year of UK developments that all point in the same direction: cloud and cyber resilience is moving from an IT concern to a board-level, and now nationally supervised, obligation. The misconfiguration risk that dominates real-world cloud breaches, the surge in state-linked attacks on infrastructure, the strategic investment banks are pouring into cyber, and the steady drumbeat of the breaches statistics all form the backdrop to the 13 July regime.

We examined why cloud misconfiguration — not exotic zero-days — remains the leading cause of Azure and cloud breaches for UK SMEs in our analysis of the 2026 DBIR and Azure misconfiguration risk, which is the operational counterpart to the systemic risk the CTP regime addresses. On the strategic side, our look at Barclays’ Q1 2026 cyber investment and the Virtual CIO case shows how larger institutions are formalising the very governance that CTP now demands. The threat environment that justifies the whole regime is set out in our coverage of the NCSC state-actor threat assessment and SME resilience, and the scale of the exposure across ordinary UK businesses is captured in our reporting on the Cyber Security Breaches Survey and the 612,000 UK businesses hit. Together these establish the same message the designations make legal: resilience is now the price of running on the cloud.

Treat your cloud the way the regulator now treats theirs

The Bank of England is testing the resilience of the platforms your business runs on. Cloudswitched Azure Cloud Services bring the same discipline to your estate — concentration mapping, tested recovery, verified data residency and independent backup — so cloud remains an advantage, not an unmanaged systemic dependency.

Talk to us about Azure Cloud Services

Frequently asked questions

Does the CTP designation mean my business is now regulated?
No. The designations apply to the four cloud providers, not to their customers. Being a Microsoft, Google Cloud, AWS or Oracle customer does not bring your business under Bank of England, PRA or FCA oversight. What the designations do is signal, in law, that cloud infrastructure is treated as systemic national infrastructure. The practical implication for an ordinary SME is not new regulation but a raised expectation: boards are now expected to understand and govern their cloud dependency as critical infrastructure, because the state has formally recognised it as such.
If the regulator is now overseeing Microsoft and AWS, can I rely on them for resilience?
Only partly, and not in the way many boards will assume. The CTP regime aims to reduce the chance and impact of a systemic provider failure, which benefits everyone on those platforms. But HM Treasury has been explicit that firms remain fully responsible for managing their own third-party risk. Oversight of the provider does not give you a tested recovery plan, an exit route, verified data residency or a backup held outside that provider. Those remain your responsibility. The regime makes the foundation stronger; it does not build your house on it for you.
We run everything on Azure. What should we actually do first?
Start with a cloud concentration and exit review. Map every business-critical system to the provider that hosts it, confirm where the data physically resides, verify that a usable, independent backup exists outside Azure, and honestly estimate how long recovery would take if Azure were unavailable for a day. Most businesses cannot answer that last question, and finding out is the point. From there, define a recovery-time objective for each critical application, assign a named owner for cloud resilience, and write a portability plan. This is exactly the discipline the CTP regime applies at the systemic level, scaled to your business.
Why did the government start with the financial sector?
Finance is both the most cloud-dependent and the most targeted part of the UK economy. The CloudGuard Financial Services Threat Report 2026 attributes 28% of all UK cyberattacks to the sector, and the same handful of cloud providers underpins a very large number of banks, insurers and payment firms simultaneously. That combination — systemic dependency plus a concentrated attack surface — is precisely what makes a single provider outage capable of threatening financial stability. Starting with finance addresses the clearest systemic risk first, but the regime’s design allows it to extend to other sectors over time.
How is the UK approach different from the EU’s DORA?
Both regimes tackle the same problem — concentrated reliance on a few cloud and technology providers — but by different routes. The EU’s Digital Operational Resilience Act designated 19 firms as critical ICT third-party providers. The UK has begun with four providers and, crucially, set no statutory cap on how many it may designate. The UK approach is narrower at the start but explicitly open-ended, reserving the power to expand as dependencies evolve. For businesses operating across both markets, the takeaway is that cloud-dependency oversight is now a permanent feature on both sides of the Channel.
Could more providers be designated in future?
Yes. There is no statutory limit on the number of Critical Third Parties, and HM Treasury has indicated further designations may be made as the pattern of dependency changes. That means the perimeter of directly overseen providers is expected to widen rather than stay fixed at four. A business building on a mid-tier cloud, a specialist SaaS platform or a payments provider today should not assume that platform will remain outside the regime indefinitely. Resilience planning should be provider-agnostic and durable, not tied to whether a specific supplier happens to be designated this year.
What powers do the regulators actually gain over the providers?
From 13 July 2026 the Bank of England, PRA and FCA can, jointly, gather information from the designated providers, assess their operational resilience, require them to carry out resilience testing against severe-but-plausible scenarios, require regular self-assessments, receive reports of major incidents that could affect the financial system, and make and enforce rules specific to Critical Third Parties. The regime is designed to be proportionate — it focuses on the systemic services the providers deliver to the financial sector rather than every product they sell — and its objective is resilience and financial stability, not day-to-day management of the providers.
Does this change anything about data sovereignty for UK businesses?
The designations do not themselves impose new data-residency rules on your business, but they sharpen the importance of knowing where your data actually sits. Two of the designated entities are structured through Ireland and Luxembourg group companies, and the physical location of data within a global provider’s estate is often assumed rather than verified. Part of a sound cloud-resilience review is confirming, against your contract and the provider’s configuration, that data subject to UK requirements resides where you believe it does. The heightened regulatory attention on these providers is a good prompt to check assumptions that have never been tested.
We are a small business, not a bank. Is any of this really our concern?
It is, for two reasons. First, you almost certainly depend on the same platforms — directly through Azure, AWS, Google Cloud or Oracle, or indirectly through the SaaS applications you rely on, most of which run on them. A systemic disruption at that layer affects you regardless of your size or sector. Second, the designations formalise an expectation that cloud is critical infrastructure to be governed, and that expectation flows downstream through supply chains and insurers. Increasingly, customers and cyber-insurers ask small suppliers to demonstrate resilience and recovery capability. Building that capability now is both good operational sense and increasingly a commercial requirement.
How does Cloudswitched help a business respond to this shift?
Cloudswitched brings the resilience discipline the CTP regime embodies to the SME cloud estate. That includes cloud concentration and exit reviews, defined recovery-time and recovery-point objectives for critical applications, independent and immutable backup held outside the primary provider, verified data residency, and managed Azure architecture built for failover rather than assumed availability. As an established IT company rather than a reseller, we treat the cloud as critical infrastructure — designing, migrating and managing it so that your business keeps the cost and capability advantages of the platform while carrying a managed, not an invisible, dependency.

The state now treats cloud as critical infrastructure. Your business should too.

13 July 2026 marks the point cloud dependency became a matter of national resilience. Cloudswitched Azure Cloud Services give UK SMEs the governance that recognition demands — resilient architecture, tested recovery, verified residency and independent backup — so your cloud remains a strategic advantage rather than an unmanaged systemic risk.

Talk to us about Azure Cloud Services
Tags:AzureCloud ComputingCyber SecurityIT Support
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Azure Cloud Services

Cloud servers, migration and ongoing Azure management for UK businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

18
  • Internet & Connectivity

The Guide to Mesh Wi-Fi for Business Premises

18 Mar, 2026

Read more
8
  • Cloud Networking

How to Manage Multiple Meraki Networks from One Dashboard

8 Mar, 2026

Read more
12
  • Cloud Email

Microsoft 365 Security, Training & Post-Migration Support

12 Apr, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.