Technology
Britain puts Microsoft, Google, Amazon and Oracle under cloud oversight
Britain brought Microsoft, Google, Amazon and Oracle under direct oversight by designating their cloud businesses as Critical Third Parties. The firms named for the new framework are Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd, Amazon Web Services EMEA SARL and Oracle Corporation UK Ltd. The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will now supervise cloud services treated as part of the financial system’s core infrastructure.
The legal basis for the regime is the Financial Services and Markets Act 2023, and the designations are part of a rolling programme that can expand as risks change. The framework is proportionate and focused on the resilience of the critical services these providers deliver to the UK financial sector. The new rules do not replace outsourcing and operational-resilience requirements, leaving banks and other regulated firms responsible for their own third-party risk management, due diligence and contingency planning.
The move is intended to reduce the risk of disruption affecting services used by millions of people and businesses. A major outage or cyber incident at one provider could reach far beyond a single company and hit payments, trading, insurance and everyday banking at the same time.
HM Treasury published its approach to critical-third-party designation on March 21, 2024, and the regulators issued final rules in November 2024. The Bank of England later set July 13, 2026 as the start date for oversight, giving firms and supervisors time to prepare for the first designations.

The Competition and Markets Authority opened its cloud services market investigation on October 5, 2023 and closed it on July 31, 2025, finding Amazon Web Services and Microsoft held positions of significant market power. In March 2026, the CMA found both companies had taken material steps on interoperability and cloud egress fees, and in May it opened a strategic market status investigation into Microsoft’s business software ecosystem.
On January 14, 2026, UK regulators and the European Supervisory Authorities signed a memorandum of understanding to share information and avoid duplicated oversight.