OUT-LAW NEWS 2 min. read

Cloud provider designations ‘bring UK critical third parties regime to life’

Person looks onto Bank of England building and the City

georgeclerk/iStock.


Four major cloud providers have been designated as ‘critical third parties’ (CTPs) in the UK, bringing them within the direct oversight of the UK’s financial regulators for the first time.

The designations, made by the UK Treasury, apply to Amazon, Google, Microsoft, and Oracle, and reflect the fact those companies provide services many UK financial services firms rely on, according to the government.

CTPs must comply with six fundamental rules, much like the high-level principles that UK-regulated financial services firms must adhere to in, for example, the FCA Handbook. Those rules require providers to: conduct their business with integrity; and with due skill, care and diligence; act in a prudent manner; have effective risk strategies and risk management systems; organise and control their affairs responsibly and effectively; and deal with each regulator in an open and cooperative way, and disclose to each regulator appropriately anything relating to the CTP of which it would reasonably expect notice.

The scope of the fundamental rules is mainly limited to services deemed ‘systemic third party services’ that providers provide to firms. However, the exception to this is the sixth rule covering regulatory cooperation and disclosures – it is wider in scope and applies to all the services providers offer.

CTPs also face separate a wider set of requirements, including around operational, technology, cyber and supply chain risk and resilience. They have obligations to report certain incidents to regulators and must develop plans to support firms in terminating and exiting from service contracts and recover data and other assets of theirs in the process.

More detail on the expectations on providers under the CTP regime were set out in a policy paper published in November 2024 by the Bank of England, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA). The three regulators will jointly oversee the providers’ compliance with their obligations and have wide-ranging information gathering and inspection powers. 

Confirmation of the first four designations gives practical effect to the CTP regime, which has otherwise sat dormant since it was formally introduced on 1 January 2025.

Technology law expert Luke Scanlon of Pinsent Masons said: “The CTP duties set out a list of requirements that will require significant work to be undertaken both in terms of responding to the regulators and directly providing financial institutions with information. The latter will be an area which we will see a lot of attention given to over the coming months.”

Angus McFadyen of Pinsent Masons, who supports financial services firms with their technology contracts, said the CTP regime “has been waiting to be brought to life with the completion of the designation process”. It also represents a “significant step forward” that brings the UK into line with the equivalent ‘critical ICT third-party service providers’ (CTPPs) regime that operates under the EU’s Digital Operational Resilience Act (DORA), he said.

The four CTPs designated in the UK stand in contrast to the 19 CTTPs designated under DORA.

“Being a CTP is not the same as being a regulated financial services firm,” said McFadyen. “CTPs are under oversight, not supervision.”

“For firms, it is critical to recognise that using a CTP does not reduce any existing oversight or accountability requirements. Many CTPs provide complex technology services, and we know that the expectations are only increasing in respect of technology-related system and control requirements,” he said.

“For firms, using a CTP does come with some tangible differences. Firms will still need to negotiate contracts in the normal way, but some obligations apply to the CTP when it is providing ‘systemic third party services’, which for many will be a subset of what is purchased from a CTP. For these systemic third party services, the CTP is subject to enhanced information sharing and testing rules, designed to achieve greater transparency for firms. The reality is that a good number of CTPs are already at the forefront of information sharing, delivering real time dashboards, but for others this will require a step up,” he added.

Trending topics across the site:

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.