UK puts Microsoft, Google, Amazon under bank-
UK designates four US cloud giants as Critical Third Parties
Model Diplomat8 min readEurope

UK Just Put Microsoft, Google, Amazon and Oracle Under Financial-Sector Oversight
The UK's July 13 designation of four US cloud giants as Critical Third Parties — under the Financial Services and Markets Act 2023 — makes Britain the first jurisdiction to subject hyperscalers to direct prudential regulation for systemic risk, redefining the extraterritorial reach of financial oversight and setting the template other regulators will copy.
Britain's three financial regulators gained direct supervisory authority over Microsoft, Google, Amazon and Oracle on July 10, 2026, when HM Treasury designated the four cloud providers as Critical Third Parties (CTPs) under a regime that takes effect July 13 HM Treasury. The move — the first concrete use of powers created by the Financial Services and Markets Act 2023 — places the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority in a position to gather information, assess operational resilience and enforce bespoke rules against the companies that now underpin the UK's banking, insurance and payment infrastructure. What makes this more than a domestic compliance story is the precedent: a national financial regulator asserting direct jurisdiction over foreign-domiciled technology firms on systemic-risk grounds, with explicit enforcement teeth, before the EU has designated a single provider under its parallel framework.
The concentration problem that forced the move
The Bank of England's Financial Policy Committee began warning about cloud concentration risk in 2017, and concluded in 2021 that "the increasing reliance on a small number of [cloud and other critical providers] for vital services could increase financial stability risks in the absence of greater direct regulatory oversight of the resilience of the services they provide" HM Treasury designation approach. By 2026, the evidence of that concentration is stark. Research published on July 9 by the Cyber Monitoring Centre found that more than 60 percent of UK companies depend on cloud services for critical functions, rising to over 80 percent among FTSE 100 firms, with 80 percent of those users concentrated on AWS, Microsoft Azure and Google Cloud
The Register. The report modelled a 24-hour outage at AWS's Dublin (eu-west-1) region at £1 billion in lost revenue, and £650 million for a comparable outage at the us-east-1 region in Virginia.
Those are not hypothetical academic exercises. In October 2025, a DNS management flaw in AWS's us-east-1 region cascaded into dependent services, hitting Lloyds Banking Group and parts of the UK government The Register. The Bank for International Settlements had already flagged in 2023 that financial-sector cloud reliance was "forming single points of failure" and "creating new forms of concentration risk at the technology services level"
Financial Times. The UK's National Cyber Security Centre has separately noted that financial companies are a "chief target for cyber criminals," and IBM's 2026 X-Force Threat Intelligence Index found that finance and insurance accounted for 27 percent of all incidents in 2025
Financial Times.
The structural problem is that the four designated firms are all US-headquartered — Microsoft in Washington, Google (Alphabet) in California, Amazon in Washington, Oracle in Texas — even where their designated contracting entities sit in Ireland or Luxembourg HM Treasury. That means the UK is regulating the operational resilience of companies whose ultimate corporate control, and whose exposure to US legal compulsion under the CLOUD Act and other statutes, sits outside its jurisdiction. The Carnegie Endowment flagged this tension as early as 2020, warning that "an event could have negative consequences in the availability of [cloud] services" if a government leveraged national-security law against a hyperscaler
Carnegie Endowment.
How the regime actually works
The legal architecture is deceptively simple. Section 312L of the Financial Services and Markets Act 2000, inserted by the 2023 Act, gives HM Treasury the power to designate a third-party service provider as "critical" if, in the Treasury's opinion, "a failure in, or disruption to, the provision of those services … could threaten the stability of, or confidence in, the UK financial system" legislation.gov.uk. The Treasury must consider the materiality of the services and the number and type of regulated firms that depend on them. Once designated, the Bank of England, PRA and FCA gain powers under section 312M to make and enforce rules imposing duties on the CTP
legislation.gov.uk.
The regulators published their final framework in November 2024 through policy statement PS16/24 and supervisory statement SS6/24, setting out six Fundamental Rules that designated entities must meet — covering integrity, skill and care, prudence, risk management, organisational control, and open cooperation with regulators Bank of England. The CTP rule instrument, part of the Bank's FMI Rulebook, came into force on January 1, 2025, but lay dormant until Treasury made its first designations
Bank of England.
The regime gives the three regulators four operational levers: information gathering, resilience assessment, rule-making and enforcement. Designated CTPs must, within 12 months of designation, identify and document all resources — including nth-party providers and supply-chain dependencies — used to deliver each systemic third-party service, and update that mapping regularly Bank of England. The Treasury's approach document makes clear that "the list of CTPs will change over time" and that de-designation is possible, signalling that this is a rolling, not one-off, exercise
HM Treasury.
Economic Secretary to the Treasury Rachel Blake MP framed the designations as growth-protective rather than punitive: "These designations will help ensure the critical services financial firms rely on remain resilient, protecting consumers and businesses while supporting growth across the economy" HM Treasury. All four companies issued statements welcoming the framework. Microsoft's deputy CISO for Europe, Freddy Dezeure, called it "a new chapter" in the company's UK relationship; Google Cloud said the regime "can enhance the long-term resilience of the UK's financial ecosystem"; AWS said it "supports the objectives of the UK Authorities"; Oracle said it was "committed to working closely with the regulators"
HM Treasury.
Why this beats the EU to the punch
The UK's move is notable for its timing relative to the EU's parallel effort. The EU's Digital Operational Resilience Act (DORA) became applicable on January 17, 2025, and includes a framework for overseeing Critical Third-Party Providers (CTPPs) — but the European Supervisory Authorities had not designated any as of mid-2026 IMF. An IMF financial-sector assessment published in 2025 found that the ESAs' power to impose corrective actions on CTPPs is "limited under DORA" — periodic penalties can be levied for failing to provide information, "but there is no such possibility for non-compliance with requirements because the ESAs can only issue non-binding recommendations"
IMF. The IMF noted that day-to-day CTPP oversight was planned to start in "early 2026" with the formation of Joint Examination Teams, but that the directorate was still being staffed amid a "tight" specialist job market.
That creates a regulatory asymmetry. The UK now has a live regime with named entities, enforceable rules and three regulators with coordinated powers through a joint CTP Consultation and Coordination Forum established by a November 2024 memorandum of understanding GOV.UK. The EU has a legal framework but no designations, limited enforcement and an oversight body still being built. The Brookings Institution has argued that this UK-EU divergence on digital regulation more broadly creates a "de facto global digital risk management standard" that the US — which has no equivalent federal regime — will eventually have to follow
Brookings.
The extraterritorial lever and who holds leverage
The real significance is jurisdictional. The four designated entities are US-owned, but the UK is asserting regulatory authority over their operations insofar as they serve UK-regulated financial firms. That is an extraterritorial assertion by a financial regulator — not a competition authority, not a data-protection authority — grounded in systemic-risk logic. The Clingendael Institute has documented how the extraterritorial reach of US law (the CLOUD Act, FISA, the Defense Production Act) already lets Washington compel US-domiciled CSPs to hand over data stored abroad Clingendael. The UK's CTP regime does not resolve that conflict, but it creates a regulatory counterweight: a documented, auditable resilience obligation that the hyperscalers must answer to in London regardless of what Washington asks of them.
The leverage sits asymmetrically. The UK cannot compel architectural changes to AWS's global infrastructure. But it can demand visibility into how those services are delivered to UK banks, can require incident notification, can assess whether resilience arrangements are adequate, and — critically — can make a public judgment that shapes procurement decisions across the financial sector. The designation itself carries reputational weight: it tells every UK-regulated firm that this provider is now a regulator-monitored systemic dependency. The Treasury's approach document notes that a CTP "must not … indicate or imply that the Critical Third Party's designation … confers any advantage to a firm or anyone else in using its services" Bank of England — a guard against the designation becoming a de facto regulatory seal of approval that entrenches the incumbents.
The winners, in the short term, are the regulators — who gain jurisdiction they did not have before — and the financial institutions that pushed for clearer accountability in their supply chains. The losers are the hyperscalers, who now face a parallel regulatory track on top of the CMA's cloud market investigation (ongoing since 2023), the EU's DORA and the EU's Digital Markets Act scrutiny. Microsoft and Amazon also face potential DMA designation by the European Commission, which would impose interoperability and anti-lock-in requirements BitRss. The cumulative effect is that the cloud oligopoly is moving from a lightly regulated utility model toward something resembling financial-market-infrastructure supervision — with all the reporting, stress-testing and examiner access that implies.
What to watch next
- October 2026: The CMA is due to publish final decisions on Google's strategic market status in search and on Apple and Google's mobile ecosystem duopoly, which will run alongside — but not formally intersect with — the CTP regime
BBC.
- Early-to-mid 2027: The 12-month deadline for the four designated CTPs to complete their initial resource mapping and supply-chain dependency documentation. This is the first concrete deliverable the regulators can assess.
- EU CTPP designations: The ESAs' Joint Examination Teams, once operational, are expected to designate critical ICT third-party service providers under DORA. If the EU names the same four firms, the UK and EU regimes will begin to interact — and potentially conflict — over information-sharing, examination scope and enforcement expectations. No firm date has been set.
Diplomat View
The UK's CTP designation is not a cloud-regulation story; it is an extraterritorial-financial-regulation story. By invoking systemic-risk authority under FSMA 2023 to directly oversee four US-domiciled hyperscalers, Britain has become the first jurisdiction to treat cloud providers as financial-market infrastructure — with enforceable rules, examiner access and the implicit threat of public regulatory censure. The precedent matters because it is replicable: any jurisdiction with a financial-stability mandate can now cite the UK model to assert the same jurisdiction over the same firms. The EU's DORA framework provides the legal scaffolding but lacks the UK's enforcement teeth; if Brussels follows London in designating the same four providers, the combined UK-EU regulatory footprint will function as a de facto global standard that Washington has no equivalent answer to. The forecast hinges on three conditions: whether the BoE actually uses its enforcement powers in the first 18 months (if it does not, the regime risks becoming a reporting exercise); whether the EU designates CTPPs by late 2027 (if it does, regulatory convergence accelerates; if it does not, the UK regime becomes the global reference point by default); and whether a future US administration creates a parallel domestic framework or continues to cede the field to London and Brussels. The first mover's advantage, in this case, is real — and it belongs to the UK.
Discover more

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.
US Politics
Congress Targets AI Chatbot Access for Terror
The House passed the Generative AI Terrorism Risk Assessment Act, focusing on AI's role in terrorism and potential surveillance implications.

India
Congress Accuses Modi of Stalling Women's Law
Congress accuses Modi of stalling women's reservation law by linking it to delimitation, revealing a deeper electoral strategy.

Tech Policy
U.S. Grants UAE License-Free AI Chip Access
U.S. Commerce reclassifies UAE to Country Group A:5, granting license-free AI chip access to G42 and American tech giants, rewarding Emirati China divestment and Operation Epic Fury sacrifices.