Briefly

The Critical Third Parties (Designation) Regulations 2026

Briefly
legislation.gov.ukLegislation
LegislationUnited Kingdom·legislation.gov.uk·Briefly Analysis

Abstract

The Critical Third Parties (Designation) Regulations 2026 mark a significant development in UK financial services regulation, formally designating Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, and Oracle Corporation UK Limited as critical third parties. These Regulations, enacted under the Financial Services and Markets Act 2023, bring these major cloud and technology providers under direct regulatory oversight by the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority. The move aims to bolster the operational resilience of the UK financial system by mitigating systemic risks arising from the concentrated reliance of financial institutions on a limited number of essential service providers, thereby safeguarding financial stability and consumer confidence.

Introduction

The landscape of financial services in the United Kingdom has undergone a pivotal transformation with the coming into force of The Critical Third Parties (Designation) Regulations 2026. These Regulations, effective from 13 July 2026, formally designate four global technology giants – Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, and Oracle Corporation UK Limited – as critical third parties (CTPs) to the UK financial sector. This landmark designation represents the first application of a new regulatory framework designed to address the systemic risks posed by the financial sector's increasing reliance on a small number of external service providers for critical functions.

For the first time, these essential technology providers will be subject to direct regulatory oversight by the UK's financial authorities: the Bank of England (BoE), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). The primary objective is to enhance the operational resilience of the UK financial system, ensuring that disruptions to the services provided by these CTPs do not cascade across multiple financial institutions, thereby threatening financial stability or causing widespread consumer harm. This article will delve into the statutory basis, implications, and broader context of this critical regulatory development, offering insights for legal professionals navigating the evolving landscape of operational resilience.

Background

The foundation for the Critical Third Parties regime was laid by the Financial Services and Markets Act 2023 (FSMA 2023). This Act introduced statutory measures, including a framework empowering HM Treasury to designate CTPs and granting the financial regulators (BoE, PRA, and FCA) powers to make rules for, gather information from, and take enforcement action against designated CTPs. Specifically, section 312L of FSMA 2000 (as inserted by FSMA 2023) enables HM Treasury to designate a person as a "critical third party" if, in its opinion, a failure in, or disruption to, the services provided by that person could threaten the stability of, or confidence in, the UK financial system.

The policy rationale behind this regime stems from the recognition that financial institutions and financial market infrastructures (FMIs) have become increasingly dependent on a concentrated number of third-party service providers, particularly for critical IT and cloud services. A disruption at one of these providers could act as a single point of failure, simultaneously impacting multiple firms and FMIs, with potentially severe consequences for UK financial stability and consumer services. Prior to FSMA 2023, regulators primarily relied on financial firms to manage these risks through contractual arrangements, a mechanism deemed insufficient to address systemic risks. To operationalise the regime, the BoE, PRA, and FCA jointly issued a supervisory statement, policy statement (e.g., PS24/16), and associated documents in November 2024, setting out their final regulatory oversight regime for the operational resilience of CTPs, which came into effect on 1 January 2025.

Analysis

The designation of the four major cloud providers as CTPs by the 2026 Regulations triggers a new era of direct regulatory engagement. HM Treasury's decision to designate is based on a statutory test, considering the materiality of the services provided to essential activities and the number and type of financial institutions reliant on those services. Once designated, CTPs become subject to direct supervisory engagement by the BoE, PRA, and FCA, which includes governance and accountability obligations, enhanced resilience testing, mandatory incident reporting, and extensive audit and information-sharing requirements. The regulators are empowered to make rules imposing duties on CTPs to advance their respective objectives, such as financial stability, safety and soundness, and consumer protection.

Crucially, the CTP regime complements, rather than replaces, the existing operational resilience and outsourcing rules that apply to regulated financial firms. Financial institutions remain responsible for managing their own third-party risks, including conducting due diligence, implementing robust risk management frameworks, and developing comprehensive contingency plans. However, the new regime necessitates that firms enhance their dependency mapping, review and update contractual terms with CTPs (including audit and cooperation clauses), and embed CTP considerations more deeply into their operational resilience frameworks.

The regulators possess significant powers to ensure compliance, including the ability to gather information, commission skilled persons' reviews (which can extend to "nth parties" in a CTP's supply chain), and take enforcement action. This includes the power to publish statements of censure or even prohibit a CTP from entering into or continuing arrangements to provide services to financial institutions, or to prohibit financial institutions from receiving services from a non-compliant CTP. The regime is outcomes-based, providing flexibility for CTPs while focusing on the resilience of the critical services they provide to the UK financial sector, rather than their entire global operations.

In a broader context, the UK's CTP regime aligns with international efforts to address systemic risks from digital operational resilience, notably the European Union's Digital Operational Resilience Act (DORA). While there are differences in scope and supervisory mechanisms, the underlying themes of governance, testing, reporting, and continuity are consistent. Cross-border firms will need to navigate compliance with both frameworks, highlighting the growing complexity of global technology regulation in financial services.

Conclusion

The designation of major cloud providers as Critical Third Parties under the 2026 Regulations marks a watershed moment for operational resilience in the UK financial sector. It signifies a proactive and necessary step by the UK authorities to directly manage systemic risks that were previously beyond the direct reach of financial regulation. The regime will foster a more robust and resilient financial ecosystem by ensuring that the foundational technology services underpinning the sector meet stringent resilience standards.

For legal practitioners, the implications are far-reaching. Financial institutions must meticulously review and strengthen their existing third-party risk management frameworks, paying close attention to contractual arrangements with designated CTPs and ensuring their internal operational resilience plans adequately account for these new oversight mechanisms. CTPs, in turn, must prepare for heightened scrutiny, direct supervisory engagement, and the implementation of robust governance and resilience measures. As the regime is expected to evolve with further designations and detailed regulatory guidance, continuous monitoring of developments and proactive engagement with the regulatory expectations will be paramount for all stakeholders in the UK financial services landscape.

Citations

  1. 1.The Critical Third Parties (Designation) Regulations 2026
  2. 2.Financial Services and Markets Act 2023
  3. 3.FCA Policy Statement PS24/16: Operational resilience: Critical third parties to the UK financial sector (November 2024)
  4. 4.Bank of England and PRA Supervisory Statement SS6/24: Critical third parties to the UK financial sector (November 2024)
AI Business Impact

How does this affect your business?

Get an AI analysis of this article grounded in your jurisdictions, practice areas, and any policy documents you've uploaded to Wansom.