Critical Third Parties: the cloud comes inside the regulatory perimeter
From 13 July 2026, the Bank of England, PRA and FCA jointly oversee Amazon Web Services, Google Cloud, Microsoft and Oracle as designated Critical Third Parties. For boards, the concentration risk they have long acknowledged in strategy papers now has a formal supervisory counterpart, and it does not shift accountability off the regulated firm.
Today, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority begin joint oversight of the first Critical Third Parties (CTPs) designated by HM Treasury: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited (FCA). The designation, announced on 10 July 2026, brings four suppliers that sit beneath most UK banks, insurers and market infrastructures into a common supervisory frame for the first time (HM Treasury).
A supervisory answer to a concentration problem
The policy logic is straightforward. As Nikhil Rathi, chief executive at the FCA, put it, "when the same providers serve thousands of firms, a single failure can reverberate across the financial system" (FCA). The regime gives regulators powers to gather information, assess resilience, and make and enforce CTP-specific rules where necessary (HM Treasury). What was previously a matter of contractual negotiation between a bank and a hyperscaler now has a public-law overlay, with three regulators coordinating on system-level risk rather than each firm managing its exposure in isolation.
Accountability does not move
The more consequential point for boards is what has not changed. The regulators are explicit that the CTP regime "complements, but does not replace, existing outsourcing and operational resilience rules for regulated firms who remain responsible for managing their own third-party arrangements including due diligence, risk management and contingency planning" (Bank of England). Firms cannot point upwards. If anything, direct supervisory contact with cloud providers will surface asymmetries between how a hyperscaler describes its resilience posture and how individual firms have documented dependencies in their impact tolerances. Expect supervisors to test whether those two pictures match.
Stakeholder dynamics shift
The commercial balance also moves. Katharine Braddick, deputy governor for prudential regulation and CEO of the PRA, framed the regime as ensuring "that the infrastructure underpinning UK financial services is robust enough to support UK financial stability" (FCA). In practice, that gives CIOs and COOs a supervisory reference point when negotiating with providers on incident communication, exit planning and substitutability. Sarah Breeden, deputy governor for financial stability, warned that CTPs "can introduce new forms of systemic risk" (Bank of England). Boards should read that as an instruction to stop treating cloud concentration as a technology issue owned two levels below the executive committee.
What senior leaders should do now
Three practical moves follow. First, reconcile the firm's mapped critical services against dependencies on the four named providers, and ensure the board pack states the exposure in plain terms rather than in vendor names. Second, revisit exit and stressed-exit assumptions: the presence of a CTP regime does not make substitution easier, and regulators will now have their own view of provider resilience against which to test firm assumptions. Third, treat the Treasury's list as a floor, not a ceiling. Designation criteria are set by government, and further providers, including payments and identity infrastructure, are plausible candidates in later rounds.
The cloud has been inside the perimeter operationally for a decade. From this week, it is inside it in law. The question for boards is whether their own governance has caught up.
Sources
Polar Insight helps senior leaders in financial services understand what their key stakeholders actually think before significant decisions are made.
Book a conversation