UK’s Critical Third Parties Regime Goes Live With AWS, Google, Microsoft, Oracle

UK’s Critical Third Parties Regime Goes Live With AWS, Google, Microsoft, Oracle

Critical Third Parties oversight starts 13 July 2026, as UK regulators name AWS, Google, Microsoft and Oracle as designated cloud providers.

The UK’s new Critical Third Parties oversight regime takes effect Monday, 13 July 2026, when the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority begin formally supervising the technology firms that keep the financial sector running. HM Treasury has named the first four designated providers — Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited — turning what insurers have long treated as informal vendor due diligence into a statutory resilience obligation.

Bank of England, PRA and FCA Switch On Joint Oversight Monday

The framework rests on the Financial Services and Markets Act 2000 as amended by FSMA 2023, which handed the three regulators new powers to designate and monitor providers whose disruption could threaten financial stability. The rulebook itself is not new: the regulators’ final policy on operational resilience for critical third parties took effect on 1 January 2025, but it only bites once Treasury names a provider. That switch was flipped this week, as confirmed in the statement announcing the financial regulators overseeing Critical Third Parties.

HM Treasury framed the move as a structural safeguard, not a one-off intervention. In its announcement of new safeguards for major technology providers, Economic Secretary to the Treasury Rachel Blake said the designations will help ensure the critical services financial firms rely on remain resilient, protecting consumers and businesses while supporting growth across the economy. For insurers, a supplier relationship many treated as a procurement line item now sits inside a formal, regulator-monitored resilience perimeter.

Four Cloud Names Carry the UK’s First CTP Label

The first cohort is narrow by design: Amazon Web Services, Google Cloud, Microsoft and Oracle are now subject to direct oversight of their resilience, incident-reporting and testing practices for services used across UK finance. Regulators drew a careful line around what designation means. Designation as a Critical Third Party is explicitly not the same as regulatory authorisation, the FCA stressed — none of the four becomes a licensed institution; instead they must open their resilience arrangements to supervisory scrutiny.

FCA chief executive Nikhil Rathi put the systemic logic bluntly: critical third parties support innovation and growth, but when the same providers serve thousands of firms, a single failure can reverberate across the financial system. Bank of England Deputy Governor Sarah Breeden added that critical third parties are becoming increasingly embedded in the operations of financial institutions and can introduce new forms of systemic risk, calling the regulators’ approach proportionate rather than prescriptive. Both named providers responded with cooperation: Microsoft said the designation of its Irish operations entity marks a new chapter in its relationship with UK authorities, while AWS said it supports the objectives of the UK authorities and will comply with all applicable regulations.

A 65% Concentration Problem Becomes a Supervisory Metric

For insurers, the regime formalises a dependency that already exists at scale. HM Treasury’s own policy statement on critical third parties to the finance sector noted that more than 65% of UK firms were already using the same four cloud providers for their infrastructure services as of 2020, a concentration that has almost certainly deepened since as insurers moved underwriting, claims and policy administration systems onto public cloud. That common-mode dependency is exactly the pattern regulators worry about: an extended outage or breach at one designated provider would not stay contained to a single carrier — it could hit underwriting platforms, claims systems and reinsurance reporting chains simultaneously.

The sector’s own cyber-accumulation exposure sharpens the point. Regulators have already flagged that frontier AI-enabled cyber threats are outpacing human defenders, and a cloud-concentration event would compound that risk by removing any assumption that carriers’ technology stacks are meaningfully diversified. Chief risk officers who previously ran cloud-vendor due diligence internally now have a regulator examining the same dependency from the supply side.

Designation Without Authorisation: What It Does Not Change for Insurers

Because designation is not authorisation, insurers cannot treat a CTP label as a substitute for their own third-party risk assessments; the regime obliges the four providers to meet resilience standards set by the Bank, PRA and FCA, but it does not transfer an insurer’s own outsourcing governance duties to the regulator. The distinction matters because 2026 has already pulled UK insurers into other previously informal territory — the FCA’s final crypto capital rules have drawn insurers into the stablecoin debate in a similar way, expanding supervisory reach into exposures firms once managed as internal risk decisions.

In practice, expect the CTP regime to generate new expectations around contractual step-in rights, exit planning and evidence of multi-cloud contingency — documentation boards will increasingly be asked to sign off on as part of standard operational resilience attestations.

How the UK Approach Compares With EU DORA and Solvency II Supervision

The UK regime sits alongside, rather than mirrors, the EU’s Digital Operational Resilience Act, which already gives European authorities powers to designate and directly oversee critical ICT third-party providers serving the bloc’s financial sector. Both frameworks share the same premise — that a handful of technology vendors now sit close enough to the core of financial services to warrant direct supervision rather than indirect oversight through the firms that use them. The FCA’s own rulebook underpinning the UK regime, set out in its policy statement on operational resilience for critical third parties, was finalised well before this week’s designations, giving providers time to prepare before the obligations actually bit.

For EU-facing insurers, the comparison is more than academic: supervisory convergence on third-party cloud risk is happening on both sides of the Channel around the same time that EIOPA is locking in Solvency II supervisory guidelines for January 2027 implementation, meaning groups operating across the UK and EU will need to reconcile two parallel oversight regimes for the same underlying cloud dependencies within a single year.

Mini-FAQ: The UK Critical Third Parties Regime

When does the UK Critical Third Parties regime take effect?
The regime became active on Monday, 13 July 2026, the date HM Treasury’s designations of the first four providers took legal effect under the Bank of England, PRA and FCA’s joint oversight powers.
Which companies were named as the first UK Critical Third Parties?
HM Treasury designated Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited as the first cohort of critical third parties to the UK finance sector.
Does CTP designation mean these providers are now regulated like a bank or insurer?
No. Designation as a Critical Third Party is explicitly distinct from regulatory authorisation, so AWS, Google Cloud, Microsoft and Oracle remain outside the authorisation regime that applies to banks and insurers, even as their resilience practices come under direct supervisory scrutiny.

Sources

N

Nicolas Martin

InsuraBeat correspondent

Senior reporter at InsuraBeat covering commercial and property & casualty markets, M&A, and underwriting performance across Europe and North America. Twelve years in the industry: started as an analyst on the broker side at a global reinsurance intermediary placing casualty and specialty risks for European corporates, then five years on the underwriting side at a Tier-1 European insurer, last managing D&O and cyber portfolios. Holds a Master in Reinsurance Economics and Capital Markets from the Kwang-Hwa Institute of Financial Sciences (Taipei) and is a CFA charterholder. Writes from Paris, on US morning markets.

All articles by Nicolas Martin →

Daily Beat newsletter

Never miss a beat in global insurance.

Get the day’s top deals, executive moves and regulatory shifts in your inbox every morning.

Free. No spam. Unsubscribe anytime.