HM Treasury designated four major cloud providers as Critical Third Parties on 13 July, placing them under the direct oversight reserved for firms that can break the financial system. Microsoft Ireland Operations, AWS EMEA, Google Cloud EMEA and Oracle Corporation UK are now subject to supervision by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority.
The designation follows a period of evidence gathering and stakeholder engagement, and addresses a straightforward concern: the UK financial sector's critical infrastructure increasingly runs on a small number of cloud providers. As officials noted, 'disruption at a major supplier could affect multiple firms at the same time, potentially impacting services customers depend on.'
Designated providers must now conduct resilience testing, perform regular self-assessments and report major incidents directly to regulators. The framework allows for designating additional providers if necessary to maintain financial system resilience — a mechanism that could expand to cover AI-specific infrastructure providers as the sector's dependence on frontier models grows.
The timing is significant. A March 2026 survey found that over 70 per cent of UK cloud providers supported urgent regulatory intervention, and competition authorities are separately considering Strategic Market Status designations for dominant platforms. The CTP framework represents a distinct regulatory track — focused on systemic risk rather than competition — but the two efforts together signal a comprehensive tightening of oversight on cloud infrastructure.
The designation arrives as AI workloads become an increasingly significant portion of cloud spending. With UK financial institutions deploying AI for fraud detection, risk modelling, customer service and trading, the resilience of the underlying cloud infrastructure has become a matter of financial stability rather than mere operational convenience.
For context engineers, the UK's move sets a precedent that other jurisdictions are likely to follow. Cloud providers hosting AI infrastructure for regulated industries will increasingly need to demonstrate operational resilience, incident reporting and regulatory compliance — requirements that will shape how and where AI systems are deployed in production.