HM Treasury has designated AWS, Google, Microsoft and Oracle as "critical third parties" under UK financial services law, putting all four squarely inside the supervisory reach of the Bank of England, PRA and FCA. For buyers running regulated workloads, this reshapes what counts as acceptable cloud security and resilience evidence in 2026.
View the data behind this chart
| Phase | Starts (week) | Duration (weeks) |
|---|---|---|
| Information gathering from | 0 | 8 |
| Resilience assessment by | 8 | 10 |
| CTP-specific rule-making & | 18 | 8 |
What HM Treasury actually confirmed
HM Treasury announced on Friday that four cloud infrastructure providers — AWS, Google, Microsoft and Oracle — will now be treated as critical third parties (CTPs) under financial services regulation. That status hands the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority direct oversight powers over how these providers manage resilience risk to the UK financial system.
In its press release, HM Treasury stated that "through the new regime, the regulators will be able to gather information, assess resilience, and work with third parties to address risks to the continuity of critical services, including through making and enforcing CTP-specific rules where necessary." That is a materially different posture from voluntary supplier assurance — regulators can now compel information and enforce rules directly against the hyperscalers themselves.
Why this matters beyond the big banks
The rationale is concentration risk: so much of the UK's financial infrastructure now sits on a handful of hyperscale platforms that an outage at one provider could ripple across payments, trading and insurance simultaneously. Designating the providers as CTPs lets regulators look at the shared plumbing directly, rather than relying solely on each regulated firm's own third-party risk paperwork.
For IT buyers across financial services, insurance, and adjacent regulated sectors, this signals that regulatory attention is shifting upstream — from your contract with your cloud provider to the provider's own resilience posture, which you will increasingly be asked to evidence in your own audits.
What changes for DR and compliance mandates in 2026
With regulators now able to gather information and set CTP-specific rules, expect resilience testing, incident reporting and exit-planning expectations to tighten across the supply chain, not just at the hyperscaler level. Firms should assume their own IT compliance obligations will start referencing hyperscaler resilience data that didn't previously exist in a formal, regulator-accessible form.
This sits alongside existing operational resilience expectations under UK rules, and closely parallels the concentration-risk thinking behind DORA Article 30 implications for UK financial services. Firms already building DORA-aligned third-party registers and exit strategies are well placed; those treating cloud contracts as a tick-box exercise are not.

Audit scope: what's about to get harder to ignore
Auditors and risk committees will want answers to questions that were previously deflected to the cloud provider's standard terms: can you demonstrate failover across regions, do you have a tested exit plan, and can you produce evidence of resilience testing on demand. Expect audit scope to expand to explicitly cover hyperscaler dependency mapping.
Firms that can't currently answer these questions should treat this as the trigger to formalise their approach, including reviewing backup and cyber resilience strategies and stress-testing recovery time objectives against real outage scenarios rather than paper exercises.
- •Map every regulated workload back to its underlying hyperscaler dependency
- •Request evidence of resilience testing and incident response from providers, not just SLAs
- •Revisit exit and portability plans for workloads that would be hardest to migrate under pressure
- •Align internal audit questions with the information regulators can now demand directly
Practical steps for UK IT and risk teams
The immediate action isn't panic-migration away from AWS, Google, Microsoft or Oracle — it's evidencing resilience. Firms should be able to show regulators and their own boards that dependency on a single hyperscaler region or service has been identified, quantified, and mitigated where practical, including through multi-region or multi-provider architectures where the cost is justified.
It's also worth quantifying what an outage actually costs your organisation before regulators ask. Tools like a calculate the cost of IT downtime exercise, paired with an honest look at choosing a UK disaster recovery provider, give risk committees a defensible baseline rather than a guess when regulators start asking pointed questions.
The wider infrastructure picture for 2026
This designation lands as financial firms are already rethinking their broader technology estate — see our analysis of the financial services IT stack in 2026 for the fuller context. Combined with rising expectations around zero trust and hardened ransomware protection, the CTP regime is another signal that resilience is moving from a technical afterthought to a board-level, regulator-visible metric.
