UK regulators extend oversight to Microsoft, Google, Amazon and Oracle cloud services

UK regulators extend oversight to Microsoft, Google, Amazon and Oracle cloud services
UK widens tech scrutiny

Britain is widening direct regulatory scrutiny of key technology suppliers to its financial sector as banks and market infrastructure groups grow more dependent on a small group of cloud providers. From next week, Microsoft, Google, Amazon and Oracle are designated as critical third parties, bringing them under Bank of England and Financial Conduct Authority supervision.

Highlights

  • UK Treasury designates Microsoft, Google, Amazon and Oracle as critical third-party cloud providers, bringing them under direct oversight by UK regulators from next week.
  • New regime mandates annual self-assessments and scenario testing for designated firms, while Bank of England and FCA supervision targets providers responsible for systemic services to the financial sector.
  • Amazon, Google and Microsoft supply 73 percent of UK financial firms' cloud services, intensifying concentration risk concerns and prompting targeted regulatory action after notable service outages and sector disruptions.

Critical third-party regime starts next week

As reported by Financial Times, the Treasury has designated Microsoft, Google, Amazon and Oracle as critical service providers to the UK financial services sector, marking the first time the four U.S. technology groups come under direct oversight from British regulators.

The power to label companies as critical third parties has been in place since January 2025, allowing the Bank of England and the Financial Conduct Authority to supervise providers of essential services to the sector. Under the regime, cloud and AI model suppliers face stronger disclosure requirements, including annual self-assessments and regular scenario testing of their ability to maintain critical services during severe disruption.

Rachel Blake, City minister, says the designations help ensure that the services financial firms rely on remain resilient, protecting consumers and businesses while supporting economic growth. Financial companies still remain responsible for managing risks linked to third-party suppliers, while the regulators' oversight is limited to systemic services provided to the sector.

Concentration risks shape UK approach

Regulators are paying closer attention to the sector's dependence on a small number of technology groups for cloud computing, data storage and AI models. A Bank of England and FCA survey published two years ago found that Amazon, Google and Microsoft accounted for 73 per cent of cloud computing services supplied by named providers to UK financial companies.

Concern about concentration risk has intensified in recent weeks after the administration of U.S. President Donald Trump temporarily stopped Anthropic from giving European companies access to its latest AI model designed to identify previously hidden vulnerabilities in IT systems. MPs have also been pressing the Treasury to begin designations since last year's outage at Amazon Web Services disrupted some banking websites and apps, including Lloyds Banking Group's online services, London Stock Exchange Group data services and the HM Revenue & Customs website.

The UK is taking a narrower route than the EU, which last year designated 19 IT services providers for direct oversight, including Bloomberg, Accenture, IBM, NTT Data, SAP and Tata Consultancy Services. The Treasury says its initial designations are targeted and proportionate, while leaving open the option to add more companies over time if needed to protect UK resilience.

Amazon, Microsoft, Google and Oracle say they are committed to financial system resilience and will comply with the enhanced oversight. Michael Jefferson, head of financial services public policy for Emea at AWS, says the company supports the objectives of UK authorities in maintaining a robust financial system and will comply with all applicable regulations.

Our earlier coverage of the UK’s designation of major cloud providers as “critical third parties” explained that Microsoft, Google, Amazon and Oracle would come under direct financial regulators’ oversight from July 13. We noted that the framework is aimed at reducing systemic risk as banks and market infrastructures increasingly rely on a small number of cloud suppliers, where a major outage could disrupt multiple firms at once and threaten financial stability.

This material may contain third-party opinions, none of the data and information on this webpage constitutes investment advice according to our Disclaimer. While we adhere to strict Editorial Integrity, this post may contain references to products from our partners.
Weekly Top Bonuses
up to $2,500
deposit bonus for all clients
CLAIM BONUS
Your capital is at risk.