The Critical Third Parties (Designation) Regulations 2026

The Critical Third Parties (Designation) Regulations 2026 designates four specific technology service providers as 'critical third parties' under the Financial Services and Markets Act 2000.

It applies to Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, and Oracle Corporation UK Limited.

By designating these entities, the Treasury subjects them to a regulatory framework intended to manage risks to the stability of the UK financial system stemming from the services they provide to financial institutions.

Arguments For

  • The Treasury states that a failure in, or disruption to, the services provided by these entities could threaten the stability of, or confidence in, the UK financial system.

  • The document asserts that the Treasury complied with statutory requirements by consulting the Financial Conduct Authority, the Prudential Regulation Authority, and the Bank of England.

  • The Treasury notes that it provided written notice to the designated entities and allowed a reasonable period for those persons to make representations.

  • Proponents may argue that identifying these specific service providers allows for more robust oversight of systemic risks in the financial sector's supply chain.

Arguments Against

  • Legal scholars may question the criteria used to determine whether a disruption to these specific entities constitutes a threat to financial stability compared to other non-designated providers.

  • Affected parties might argue that the designation imposes an unequal regulatory burden on these four specific entities relative to their competitors.

  • Critics may point out that the Treasury did not produce a full impact assessment, claiming no significant impact is foreseen, which may be contested by agencies facing new compliance or oversight costs.

  • There may be concerns regarding the cross-border legal complexities since several designated entities (e.g., those based in Ireland or Luxembourg) are managed outside the UK's immediate jurisdiction while serving the UK financial system.

  1. —(1) These Regulations may be cited as the Critical Third Parties (Designation) Regulations 2026. (2) These Regulations come into force on 13th July 2026. (3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
  1. Each of the following persons is designated as a critical third party with effect from the dates as detailed— (a) Amazon Web Services EMEA SARL from 13th July 2026; (b) Google Cloud EMEA Limited from 13th July 2026; (c) Microsoft Ireland Operations Limited from 13th July 2026; (d) Oracle Corporation UK Limited from 13 July 2026.

Related

The Air Navigation (Restriction of Flying) (Swansea) (Emergency) Regulations 2026

Fri 10th Jul 26

Prohibited unmanned aircraft from flying below 1,300 feet within a specific radius in Swansea due to an emergency.

Read More

The Air Navigation (Restriction of Flying) (Lytham St Annes) Regulations 2026

Fri 10th Jul 26

Established temporary restricted airspace for unmanned aircraft near Lytham St Annes to ensure public safety during a major sporting event.

Read More

The Air Navigation (Restriction of Flying) (Old Buckenham Airshow) Regulations 2026

Fri 10th Jul 26

Established temporary restricted airspace near Old Buckenham Aerodrome for the duration of the 2026 Airshow.

Read More

The Sentencing Act 2026 (Commencement No. 5) Regulations 2026

Fri 10th Jul 26

Activated specific sections of the Sentencing Act 2026 concerning community requirements, license conditions, domestic abuse findings, and unpaid work credits.

Read More