Bank of England ·

UK regulators begin overseeing four designated Critical Third Parties from 13 July 2026

Four designated technology providers (AWS, Google Cloud, Microsoft, Oracle) become Critical Third Parties under joint Bank of England, PRA and FCA oversight from 13 July 2026, with binding resilience and incident-communication obligations

Change
On 10 July 2026 the Bank of England, PRA and FCA announced they will jointly oversee the first Critical Third Parties (CTPs) from Monday 13 July 2026, following HM Treasury's designation of Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited. Under the Critical Third Parties (Designation) Regulations 2026, designated CTPs must identify and manage risks to their critical services and maintain open, timely communication with regulators and reliant firms, particularly during major incidents.
Why it matters
The regime operationalises FSMA 2023 powers and the November 2024 CTP rules (effective 1 January 2025), which apply immediately once HMT designates a provider. The four cloud and technology providers are the first designations; oversight is proportionate and limited to the resilience of the critical services they supply to UK financial firms, not their authorisation. It complements rather than replaces existing outsourcing and operational-resilience obligations, so regulated firms remain fully responsible for their own third-party due diligence, risk management and contingency planning. HMT controls the designation list, which will expand as further providers are assessed, and the regulators have a Memorandum of Understanding with EU counterparts to coordinate with the DORA regime.
Implications
  • The four designated CTPs — AWS EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited — must, from 13 July 2026, identify and manage risks to the critical services they provide to the UK financial sector and maintain open, timely communication with the Bank, PRA, FCA and the firms relying on them, especially during major incidents, since the November 2024 CTP rules apply immediately on designation.
  • Regulated financial firms relying on these providers must recognise that the CTP regime complements but does not replace their own obligations — they remain responsible for third-party due diligence, risk management and contingency planning under existing outsourcing and operational-resilience rules, and should not treat a provider's CTP designation as transferring that responsibility.
  • Firms and providers operating across the UK and EU should account for overlap with the EU's Digital Operational Resilience Act (DORA); the UK regulators' Memorandum of Understanding with EU counterparts signals coordinated oversight, and the CTP list will expand as HMT considers further designations on the regulators' recommendation.
Who is affected
  • The four designated Critical Third Parties (AWS EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, Oracle Corporation UK Limited)
  • UK-regulated financial firms and financial market infrastructures relying on these providers
  • Operational-resilience, outsourcing and third-party risk functions at UK financial institutions
What to watch
  • Comes into effect: 13 July 2026 — the Critical Third Parties (Designation) Regulations 2026 take effect and joint Bank/PRA/FCA oversight of the first four designated CTPs begins.
  • Ongoing: HMT will consider further designations (and de-designations) on the regulators' recommendation, so the scope of entities under the regime will continue to evolve.
  • Cross-border: coordination with the EU under the UK-EU Memorandum of Understanding on CTP oversight and alignment with the DORA regime.
View on Bank of England
Clarify this change

Grounded in this brief and its source — your questions stay private.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Create a free account to keep clarifying

You asked:

You've used your free guest questions for now. A free account gives you more every month and saves your history — or start a Pro trial for unlimited Clarify and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

Free account: no card, ever. Pro trial: $29/month after 14 days, no card to start, cancel anytime.