The UK is introducing new oversight for four of the world's largest cloud companies—Microsoft, Google, Amazon, and Oracle. The goal of this measure is to reduce risks associated with technological failures or cyberattacks that could threaten the country's financial system.
New Regulatory Regime
The UK government has classified these companies as 'critical third parties,' making them subject to control by the country's financial regulators. This measure takes effect next Monday, July 13, and reflects the growing dependence of banks, insurance companies, and other financial institutions on the cloud infrastructure provided by these corporations.
According to the government, a failure at one provider could simultaneously affect numerous organizations and disrupt vital services for millions of customers. The UK government stated in its announcement: 'As banks, insurers, and financial market infrastructure become increasingly reliant on cloud services, a failure at a major provider can affect multiple companies at once, potentially impacting services relied upon by customers.'
Regulator Requirements
Under the new regulatory framework, the companies will be monitored by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Requirements include conducting regular resilience tests, self-assessing incident response capabilities, and mandatory notification of serious events such as cyberattacks, power outages, or natural disasters.
Regulators may also require demonstration of how these providers would react to extreme scenarios capable of disrupting their operations. This decision comes as the infrastructure of these companies has become an integral part of the financial sector's functioning, supporting not only data storage but also digital banking systems, payment platforms, and automated fraud detection tools.
Examples of Dependence and Company Response
The concentration among providers has heightened concerns about potential cascading effects. During regulatory discussions, an example was cited of a cloud operation failure last year at Amazon in Northern Virginia, USA. This incident affected online services for over two thousand companies, including Lloyds Banking Group, reinforcing warnings about reliance on a limited number of global suppliers.
According to the UK Treasury committee, clients of the country's major banks and mortgage lenders experienced IT service disruptions equivalent to more than one month between 2023 and 2025. The British initiative follows the European Union, which has already introduced a regulatory regime to protect financial infrastructure. However, in the UK, the process of identifying critical suppliers took over 18 months after regulators were granted authority for such oversight.
Tech Giants' Stance
Microsoft, Google, Amazon, and Oracle have welcomed the decision. A representative from Google Cloud commented to The Guardian: 'With effective implementation and significant industry participation, this new Critical Third Party structure can enhance the long-term resilience of the UK's financial ecosystem and strengthen understanding, transparency, and trust among all parties.'
The announcement also reignited the discussion about extending this monitoring model to other technology companies. Meg Hillier, Chair of the UK Treasury Committee, noted that the development of artificial intelligence in the financial sector could justify including AI developers under the supervision regime in the future. She emphasized: 'This must be closely watched to ensure the country does not become vulnerable in the event of a major provider failure.'

