Three watchdogs oversee banking app systems, but in year one they're mapping, not enforcing, so outages can still happen #
Amazon, Microsoft, Google, and Oracle fall under direct supervision by Britain's financial watchdogs from today, the first companies ever brought inside the UK's new oversight regime for the technology underpinning banks. The logic is concentration: the Treasury found more than 65% of UK organisations rely on the same four providers, so a single bad outage could freeze apps, payments, and markets for millions of people at once.
HM Treasury named the four on Friday, designating the legal entities Microsoft Ireland Operations, Google Cloud EMEA, Amazon Web Services EMEA, and Oracle Corporation UK as Critical Third Parties under powers created by the Financial Services and Markets Act 2023. The Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority jointly oversee them from Monday, 13 July 2026, applying rules the three regulators finalised for the regime in January 2025.
What the Watchdogs Can Now Demand #
Designated providers must run resilience tests, file periodic self-assessments, and report major operational incidents to the authorities, which can gather information and write provider-specific rules where needed. The regulators say the first year will focus on building a picture of the risks rather than on enforcement.
The change moved through tech feeds within hours of the announcement, usually stripped of its caveats along the way; one automated digest's five-word version appears below.
That account is an automated roundup rather than a primary source, and the caveats matter. The new supervision covers only the systemic services the four sell into finance, not their wider businesses, and designation is not authorisation. Banks and insurers remain responsible for their own outsourcing risks, due diligence, and contingency planning.
Nikhil Rathi, chief executive of the FCA, said that 'when the same providers serve thousands of firms, a single failure can reverberate across the financial system.' Sarah Breeden, the Bank of England's deputy governor for financial stability, warned that 'embedded third parties can introduce new forms of systemic risk.' Google Cloud welcomed the framework, saying effective implementation could strengthen resilience and trust, while Amazon Web Services and Oracle both said they support the authorities' objectives and will comply.
How the UK Move Compares With Brussels #
Brussels moved first and wider. In November 2025, EU supervisors designated 19 firms, including Amazon Web Services, Google Cloud, and Microsoft, as critical providers to European finance under the Digital Operational Resilience Act; Oracle was not among them. London has started narrow, with four hyperscalers, and UK and EU regulators have signed a memorandum of understanding to coordinate where providers are caught by both regimes.
The four are unlikely to be the last names. There is no statutory cap on designations, the Treasury says it takes a risk-based approach, and the regulators will periodically review whether providers still meet the criteria while recommending additions, meaning major software and payment suppliers could follow in time.
For customers, nothing looks different at the till today, and the regime will not stop every outage. What changes is visibility and accountability: supervisors can now watch concentration building across thousands of contracts, test whether a provider can recover quickly, and demand fixes before a failure spreads. When a banking app next goes dark, the question of who answers for it finally has an address. © Copyright IBTimes 2025. All rights reserved.