The Bank of England (the Bank), the Prudential Regulation Authority (PRA) and the FCA will start overseeing the first critical third parties (CTPs) on Monday 13 July 2026, following designation by the Treasury.
CTPs are technology and other service providers whose services underpin the UK financial system. Today, the Treasury has announced its first designations of 4 global cloud services and technology providers: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
As many firms rely on these services, disruption or failure could affect multiple firms or markets at the same time, potentially impacting UK financial stability and services used by millions of consumers and businesses.
For the first time, the three regulators will jointly oversee these CTPs under a new, proportionate regime, focused on the resilience of the critical services they provide to the UK financial sector. The regulators will work together with the CTPs to address system-level risks and reduce the risk of disruption to the services they provide spreading across the UK financial system. This will strengthen system-wide resilience and improve coordination and information sharing across the UK financial sector.
CTPs must identify and manage risks to their critical services effectively, and maintain open, timely communication with regulators and the firms that rely on them, particularly during major incidents.
Together, these changes support a more resilient environment for firms to operate in, which will, in turn support financial stability and confidence in UK financial markets.
This regime complements, but does not replace, existing outsourcing and operational resilience rules for regulated firms who remain responsible for managing their own third-party arrangements including due diligence, risk management and contingency planning.
Sarah Breeden, deputy governor for financial stability at the Bank, said:
'As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.'
Katharine Braddick, deputy governor for prudential regulation and CEO of the PRA, said:
'By bringing critical third parties into the scope of oversight, we are ensuring that the infrastructure underpinning UK financial services is robust enough to support UK financial stability and confidence. This directly supports the PRA’s objective to promote the safety and soundness of regulated firms.'
Nikhil Rathi, chief executive at the FCA, said:
'Critical third parties provide essential services which support innovation and growth. At the same time, when the same providers serve thousands of firms, a single failure can reverberate across the financial system. Operationalising this regime strengthens our ability to tackle those risks and improve overall resilience, ensuring the UK remains a safe and attractive place to do business.'
Treasury is responsible for deciding which third party providers are designated as CTPs, and any future designations or de-designations. The regulators will periodically review whether CTPs continue to meet the designation criteria, making recommendations to Treasury, and evaluate the effectiveness of the oversight approach.
The Bank, PRA and FCA will continue to work closely with Treasury, the financial services industry and designated CTPs as the regime is implemented, while supporting innovation, and UK growth and competitiveness.
Notes to editors
- The regulations will come into effect on Monday 13 July 2026. Please refer to the government’s website for Treasury’s press release and CTP regulations published.
- You can find more information on the regulators’ oversight regime on FCA’s website and PRA’s website.
- Treasury is responsible for deciding which third party suppliers should fall under the CTP regime, generally based on recommendations from the regulators. The scope of entities under the regime will continue to evolve as further designations are considered.
- Designation under this regime is not the same as authorisation by the regulators. Oversight is limited to the resilience of the services they provide to UK financial firms.
- Financial Services and Markets Act (FSMA) 2000 as amended by FSMA 2023 gave the Bank, PRA and FCA new powers to oversee critical third parties, strengthening the resilience of the services they provide to regulated firms and financial market infrastructures.
- In November 2024, the FCA, the Bank and PRA introduced the final rules and policy for the CTP regime. These came into effect on 1 January 2025 and apply immediately to CTPs once designated by Treasury.
- Alongside the final rules and policy, the regulators published their approach to regulatory oversight and a supervisory statement setting out expectations for CTPs on how to interpret and comply with the regulators’ new rules.
- CTPs may also be regulated under similar regimes in other jurisdictions, including the EU’s Digital Operational Resilience Act (DORA). The regulators have signed a Memorandum of Understanding to support coordination and information sharing on oversight of CTPs.
Facts Only
* The Bank of England, PRA, and FCA will oversee CTPs starting Monday, July 13, 2026.
* CTPs are technology and other service providers underpinning the UK financial system.
* The Treasury has designated four initial CTPs: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
* This oversight focuses on the resilience of critical services provided to the UK financial sector.
* The regulators will jointly oversee these CTPs under a new, proportionate regime.
* CTPs must identify and manage risks to their critical services and communicate with regulators during major incidents.
* The framework complements existing outsourcing and operational resilience rules for regulated firms.
* Treasury is responsible for designating CTPs.
* The final rules and policy for the CTP regime came into effect on January 1, 2025.
Executive Summary
The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) will begin overseeing designated Critical Third Parties (CTPs) starting Monday, July 13, 2026, following designation by the Treasury. CTPs are technology and service providers whose services are essential to the UK financial system. Initially, four global cloud services and technology providers were designated: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited. This joint oversight aims to manage system-level risks posed by these dependencies and reduce the risk of disruption spreading across the UK financial system, thereby strengthening system-wide resilience.
The regulators will work collaboratively with CTPs to ensure critical services are managed effectively and maintain open communication during incidents. This framework complements existing outsourcing rules for regulated firms, which retain responsibility for managing their own third-party arrangements. Officials from the Bank, PRA, and FCA emphasized that this measure addresses potential systemic risk introduced by embedded dependencies, ensuring the underlying infrastructure supports financial stability and confidence in UK markets.
Full Take
The transition toward joint regulatory oversight of Critical Third Parties signals a structural shift in how systemic risk is managed, moving from firm-level responsibility to infrastructure-level scrutiny. The creation of a specific regime addresses the emerging reality that technological dependencies introduce non-traditional, interconnected systemic risks that traditional prudential and conduct rules alone may not adequately capture. The core implication lies in formalizing the principle that the resilience of critical infrastructure providers directly translates into financial stability for the entire system.
The interaction between the regulators and CTPs establishes a new dynamic where operational risk management becomes a shared responsibility focused on systemic outcomes, rather than merely compliance with isolated contractual obligations. While the text notes this regime complements existing rules for regulated firms, the pattern suggests that the focus is moving upstream—to the providers themselves—to secure the foundational layer of stability before cascading failures occur. The central tension lies in balancing the need for robust external oversight against the operational autonomy and innovation inherent in these technology-driven services.
What are the long-term implications of this shared responsibility on the pace of technological adoption versus regulatory pacing? If CTPs are expected to manage system-level risks, how will coordination between the Bank, PRA, and FCA prevent the creation of regulatory friction or undue burden that could stifle innovation while simultaneously enforcing resilience standards? Furthermore, if designation remains centralized with the Treasury but oversight is shared among the three bodies, what governance mechanism ensures that the proportionate approach applied by the regulators truly serves system-wide resilience rather than becoming fragmented compliance checks?
Sentinel — Human
The text appears to be a high-quality journalistic report detailing a formal regulatory announcement, supported by expert commentary, indicating a strong likelihood of human authorship.
