The UK is preparing to formally classify Microsoft, Google, Amazon, and Oracle as Critical Third Parties under a regulatory framework designed to keep the financial system from collapsing when a single cloud provider sneezes. The move, enabled by the Financial Services and Markets Act 2023, would give UK regulators direct oversight of the tech giants that quietly run the plumbing behind banks, brokerages, and yes, crypto exchanges.

What the CTP framework actually means

The Critical Third Party oversight regime became effective in January 2025 under FSMA 2023. It gives UK financial regulators, including the Bank of England, FCA, and PRA, the power to directly oversee technology providers that the financial sector can’t function without.

The framework targets cloud computing providers, data analytics firms, and other technology companies whose services are so deeply embedded in financial infrastructure that their failure would pose systemic risk. Microsoft, Google, Amazon, and Oracle are the obvious candidates, given their dominant positions in enterprise cloud services.

The EU has already moved on this front. In November 2025, European regulators designated 19 technology providers as critical ICT third-party providers under the Digital Operational Resilience Act, known as DORA. That list included the European branches of Google Cloud, AWS, and Microsoft. As of mid-2026, the UK has yet to formally designate any firms, with potential designations expected by late 2026.