Starting July 13, 2026, four of the world’s largest cloud computing providers — Microsoft Azure, Amazon Web Services, Google Cloud, and Oracle — will come under direct regulatory supervision in the United Kingdom, as the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority begin enforcing new Critical Third Party rules designed to protect the stability of the financial system.
The designation, formalized through UK legislation, marks one of the most significant regulatory interventions into the cloud computing industry to date. It reflects growing concern among global regulators that the financial sector’s deepening reliance on a handful of cloud providers has created a concentration risk that could cascade through the economy if any one of them were to fail or suffer a major disruption.

What the Rules Require
Under the new framework, the four designated companies must demonstrate resilience, provide regulators with access to their systems and data, and submit to regular testing of their ability to withstand cyberattacks, outages, and other operational failures. The regulators will have the authority to mandate improvements, impose penalties, and — in extreme cases — restrict a provider’s ability to onboard new financial sector clients if they fail to meet the required standards.
The rules apply specifically to the UK operations of these global companies, but their impact is expected to ripple outward. Cloud providers that must meet UK standards for resilience and transparency may find it more efficient to apply those standards globally rather than maintain separate compliance regimes for different jurisdictions.
Why This Matters
The financial sector has become one of the largest consumers of cloud computing services, with banks, insurance companies, and trading platforms migrating critical infrastructure to AWS, Azure, and Google Cloud at an accelerating pace. An estimated 80% of UK financial institutions now rely on at least one of the four designated providers for core operations. The concentration is stark: three companies — AWS, Microsoft, and Google — control approximately two-thirds of the global cloud market.
Regulators have warned that a prolonged outage at any of these providers could disrupt payments, trading, and lending across the entire financial system. The new rules are designed to ensure that such a scenario is not only unlikely but that recovery would be swift and orderly if it did occur.
The Global Context
The UK is not alone. The European Union has been developing its own Digital Operational Resilience Act, and U.S. regulators at the Treasury Department and the Federal Reserve have been studying similar measures. The UK’s move is being watched closely by regulators in other major economies, and it could serve as a template for how governments manage the systemic risk posed by the cloud computing oligopoly.
For the cloud providers themselves, the new rules add a layer of compliance cost and operational scrutiny at a time when they are already investing tens of billions of dollars in AI infrastructure. But the designation also carries an implicit acknowledgment of their importance — these four companies are now formally recognized as essential to the functioning of the global financial system.