UK Puts AWS, Azure, Google Cloud, and Oracle Under Direct Financial Oversight - TechRepublic

UK Puts AWS, Azure, Google Cloud, and Oracle Under Direct Financial Oversight

UK Puts AWS, Azure, Google Cloud, and Oracle Under Direct Financial Oversight

UK regulators are directly overseeing systemic cloud services used across the financial sector. Image: Generated via Google's Nano Banana 2

The UK has begun direct oversight of systemic cloud services used by financial firms, while banks remain responsible for their own operational resilience, contracts, and recovery planning.

Jul 16, 2026
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

UK financial regulators began directly overseeing four major cloud and technology providers on July 13, 2026, after years of concern that a failure at one widely used supplier could spread across banks, insurers, and financial markets.

The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority are now overseeing specified services from Amazon Web Services, Google Cloud, Microsoft, and Oracle. Banks remain responsible for their own outsourcing, operational resilience, due diligence, risk management, and contingency planning.

Regulators target shared cloud dependencies

The four designated entities are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, and Oracle Corporation UK Limited. The critical-third-party framework took effect on Jan. 1, 2025, but began applying to these providers when HM Treasury’s designation regulations came into force.

Oversight covers systemic third-party services supplied to UK-regulated firms and financial market infrastructures. It does not extend to every AWS, Azure, Google Cloud, or Oracle product, and designation is not regulatory approval of a provider.

The regime addresses concentration risk created when many firms rely on the same suppliers. European enterprises are also placing more weight on data sovereignty and resilience when choosing cloud infrastructure. Large hyperscaler capacity agreements have raised separate cloud concentration questions about where infrastructure and critical dependencies sit.

A prolonged outage, cyberattack, or operational failure could therefore disrupt several firms or markets at once. The Bank of England said the framework supplements rather than replaces existing outsourcing and operational-resilience rules.

Designated providers must map important dependencies, manage operational and cyber risks, test resilience, report qualifying incidents, and complete regulatory self-assessments. Regulators can gather information, investigate weaknesses, commission skilled-person reviews, and direct providers to address problems.

Banks still own the operational risk

Financial firms should map which important business services depend on each provider, including identity systems, networks, managed databases, encryption keys, security tools, and recovery services. Regional redundancy may offer limited protection if workloads still share a control plane or authentication system.

Contracts should provide timely incident information, suitable assurance evidence, visibility into material subcontractors, data-recovery support, and help during a stressed exit. These checks reflect broader cloud procurement questions around service levels, data location, compliance documentation, support, and termination terms.

The regulators’ final policy statement requires a critical third party to report a qualifying incident to affected firms and regulators as soon as practicable. Providers must issue updates after significant changes, and regulators generally expect a final report within 30 working days after resolution.

Banks should be ready to act on initial reports rather than wait for the final account. They should also test whether critical services can continue and data can be recovered if a region, managed service, or provider becomes unavailable.

HM Treasury can add or remove designated providers as technology dependencies and systemic risks change. The current designations give regulators a sector-wide view, but each firm must still prove that its critical services can withstand or recover from a major third-party disruption.

Read more: Cloud infrastructure is also drawing scrutiny outside financial regulation, with New York pausing new hyperscale data centers while it assesses effects on power grids, water supplies, ratepayers, and local communities.