Market Data

Critical Third Parties: UK Cloud Rule Explained

A Critical Third Party is a provider whose service failure could threaten UK financial stability. The first UK designations are four cloud providers.

6 min read
Four unmarked service folders feeding one blank cloud-server stack with a small amber marker.

The short version

A Critical Third Party is a provider whose service disruption could threaten UK financial stability or confidence. The UK started direct oversight of four cloud providers on 13 July 2026: AWS, Google Cloud, Microsoft and Oracle. Arkolith maps their listed parents to about $4.45 trillion of tracked Q1 2026 13F value, making the rule a cloud, regulation and ownership question at once.

What is a Critical Third Party?

A Critical Third Party, or CTP, is an outside provider whose critical services are important enough that a failure could affect many financial firms or markets at the same time. In the UK regime, HM Treasury designates the provider and the Bank of England, PRA and FCA jointly oversee the systemic services it provides to the financial sector.

The FCA says on its Critical Third Parties page that CTPs may include technology, data and operational service providers of critical services to regulated firms and financial market infrastructures. The key word is systemic. A supplier is not designated just because it is large. It is designated when disruption could threaten financial stability or confidence in the UK financial system.

Which providers are designated first?

HM Treasury named four first providers in its UK technology-provider safeguards announcement. The live FCA page lists the first designated CTPs as Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited and Oracle Corporation UK Limited.

The FCA and other regulators said in their 13 July oversight statement that oversight starts on Monday 13 July 2026, following designation by Treasury. That turns a cloud-service dependency into a supervised financial-infrastructure dependency.

Designated provider Public parent used for ownership mapping Arkolith page
Amazon Web Services EMEA SARL Amazon AMZN ownership
Google Cloud EMEA Limited Alphabet GOOGL ownership
Microsoft Ireland Operations Limited Microsoft MSFT ownership
Oracle Corporation UK Limited Oracle ORCL ownership

The designation is not whole-company supervision. Treasury's announcement says oversight applies to systemic services provided to the financial sector, not the provider's wider operations.

What changes after designation?

Designation gives UK financial regulators a direct oversight route for the critical services. The regulators can gather information, assess resilience, require assurance and work with the provider on risks to service continuity.

The FCA's PS24/16 policy statement says final CTP rules took effect from 1 January 2025 and that HM Treasury makes the designation decision. The policy statement also says the FCA, PRA and Bank of England use the rules to monitor and manage systemic risks from certain third parties in a proportionate way.

For a reader, the practical change is simple: a designated CTP is no longer only a vendor managed through each firm's outsourcing contract. Its systemic services become part of the regulatory perimeter.

What does not change for banks and firms?

Financial firms are still responsible for their own outsourcing and operational-resilience risk. The FCA's 2024 new rules statement says the CTP rules do not reduce a firm's responsibility for operational shocks or third-party management.

That boundary matters. A bank cannot point to a provider's designation and treat its own resilience work as finished. It still has to know which services are material, what happens if those services fail, and how customers and markets continue to function during disruption.

Why does the rule matter to investors?

The first designations connect operational-resilience law to four listed parent companies: Amazon, Alphabet, Microsoft and Oracle. Arkolith's July 2026 ownership map for the same CTP list tracks about $4.45 trillion of Q1 2026 disclosed long value across those four stocks in public 13F filings.

That figure is not total market capitalization and it is not a trading signal. It is the 13F floor in Arkolith's current corpus. It shows that a narrow-looking cloud rule touches securities held across thousands of institutional books. The follow-up news map, UK Cloud Watchlist Maps to $4.45T in 13F Value, gives the source-linked ownership table.

Use 13F ownership for exposure mapping, not causality. A fund's Microsoft or Amazon position does not prove it is betting on the UK rule. It only proves that the designated provider's listed parent sits inside that fund's disclosed long book.

How should an analyst track the rule?

Start with three layers.

First, track the official perimeter: which providers are designated, which services are in scope, and whether new designations appear. Second, map each provider to the listed parent where there is one. Third, check the ownership and filing context through institutional ownership pages, the 13F data layer, and source filings.

For a repeatable workflow, use Arkolith to answer one focused question: "Which funds disclose positions in the listed parents behind the first UK CTP providers?" The fastest path is to start at /connect, then use the quickstart or the stock-owner workflow. If you are still evaluating the data shape, read 13F Holdings API: Query Funds, Stocks, Quarters and how to read a 13F filing.

What should change in a research model?

Treat CTP status as a tagged event, not as a price forecast. The clean model has five fields: provider name, designated legal entity, listed parent if any, scoped service, and designation date. Then join that event table to ownership, filing and risk notes.

That structure keeps the legal boundary intact. It also avoids two common mistakes: treating every cloud provider service as in scope, and treating every institutional holder as if it made a new regulatory bet.

The useful question is not "is this bullish or bearish?" The useful question is "which public securities and disclosed owners sit behind a newly supervised financial-infrastructure dependency?"

This article explains public records and data workflows. It is not investment advice, legal advice or a recommendation to trade any security.

Frequently asked questions about Critical Third Parties

Is a Critical Third Party always a cloud provider?

No. Cloud providers are the first UK designations, but the FCA says CTPs may include technology, data and operational service providers. The test is systemic importance to financial services, not the vendor category.

Who decides whether a provider is a CTP?

HM Treasury makes the designation decision. The FCA page says Treasury generally acts based on regulator recommendations, but it can also designate providers without a recommendation.

Does CTP designation regulate the whole company?

No. Treasury's announcement says oversight applies to systemic services provided to the financial sector. It does not place the provider's wider operations under the CTP regime.

Does the rule replace a bank's outsourcing controls?

No. UK regulators state that financial firms and financial market infrastructures remain responsible for managing their third-party and operational-resilience risks.

How can I map CTPs to public-market exposure?

Map the designated legal entity to its listed parent, then check 13F owner pages for that parent. For the first UK cloud designations, start with MSFT, GOOGL, AMZN and ORCL.

#UK finance#cloud infrastructure#operational resilience#13F#systemic risk