The Financial Services and Markets Act 2023 amended the Financial Services and Markets Act 2000 to create a new framework for overseeing third parties whose services are critical to the stability of the UK financial sector. The regime forms part of the  UK government's wider programme to promote a resilient, stable and internationally competitive financial services sector.

Designation as a critical third party enables the financial regulators — the Bank of England, Prudential Regulation Authority and Financial Conduct Authority — to apply proportionate and targeted oversight to systemically important services, with a focus on managing risks to UK financial stability.

Regulations have now been made under section 312L of the Financial Services and Markets Act 2000 to designate specific third-party entities as critical third parties, where this is necessary to manage systemic risks arising from the services they provide to the UK financial sector.

The Regulations came into force on 13 July 2026. They form part of a rolling programme of designations, with further designations expected as the regime develops and as risks to the operational resilience of the UK financial sector evolve.

HM Treasury has announced the first four designations under the regime: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited. Further designations may follow where providers meet the statutory criteria, including where disruption to their services could pose a risk to UK financial stability or confidence in the financial system.

The designations also follow the Treasury Committee's January report on the use of AI in financial services, which recommended that HM Treasury use its powers under the Critical Third Parties regime to designate AI and cloud providers considered critical to the sector, to improve oversight and resilience. The Committee has welcomed the initial designations, while noting that, as the use of AI in financial services expands, the Government may need to consider designating specific AI firms under the regime. It said this should be monitored closely to ensure the UK is not vulnerable in the event of a failure at a major provider.

Why this matters

This is a significant step in the UK's operational resilience framework. The designation of major cloud and technology providers brings key suppliers within direct regulatory oversight for the first time, reflecting the degree to which financial services firms now depend on a small number of third parties for critical services.

For regulated firms, the designations should not be treated as a substitute for their own outsourcing, third-party risk management and operational resilience obligations. Firms will still need to understand their dependencies on critical providers, test their ability to respond to disruption, and consider whether their contractual, governance and exit arrangements remain appropriate.

For technology providers, the regime signals closer scrutiny of resilience, incident management and information-sharing arrangements where services could have systemic consequences. It also underlines the growing regulatory focus on cloud, AI and other technology infrastructure that underpins financial services.

UK designates first technology providers under the Critical Third Parties regime