UK regulators begin overseeing four designated Critical Third Parties from 13 July 2026
Four designated technology providers (AWS, Google Cloud, Microsoft, Oracle) become Critical Third Parties under joint Bank of England, PRA and FCA oversight from 13 July 2026, with binding resilience and incident-communication obligations
- — The four designated CTPs — AWS EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited — must, from 13 July 2026, identify and manage risks to the critical services they provide to the UK financial sector and maintain open, timely communication with the Bank, PRA, FCA and the firms relying on them, especially during major incidents, since the November 2024 CTP rules apply immediately on designation.
- — Regulated financial firms relying on these providers must recognise that the CTP regime complements but does not replace their own obligations — they remain responsible for third-party due diligence, risk management and contingency planning under existing outsourcing and operational-resilience rules, and should not treat a provider's CTP designation as transferring that responsibility.
- — Firms and providers operating across the UK and EU should account for overlap with the EU's Digital Operational Resilience Act (DORA); the UK regulators' Memorandum of Understanding with EU counterparts signals coordinated oversight, and the CTP list will expand as HMT considers further designations on the regulators' recommendation.
- — The four designated Critical Third Parties (AWS EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, Oracle Corporation UK Limited)
- — UK-regulated financial firms and financial market infrastructures relying on these providers
- — Operational-resilience, outsourcing and third-party risk functions at UK financial institutions
- — Comes into effect: 13 July 2026 — the Critical Third Parties (Designation) Regulations 2026 take effect and joint Bank/PRA/FCA oversight of the first four designated CTPs begins.
- — Ongoing: HMT will consider further designations (and de-designations) on the regulators' recommendation, so the scope of entities under the regime will continue to evolve.
- — Cross-border: coordination with the EU under the UK-EU Memorandum of Understanding on CTP oversight and alignment with the DORA regime.