The UK designated four major cloud providers—Microsoft, Google, Amazon, Oracle—as "critical third parties" to its financial sector. This first-of-its-kind direct regulation aims to prevent a single tech outage from collapsing multiple banks and insurers. Meanwhile, India maintains its indirect oversight, leaving banks responsible for third-party cloud risks.
How We Got Here
Britain's Financial Services and Markets Act 2023 authorised this move, with final framework rules published November 2024. The actual designations for Microsoft, Google, Amazon, and Oracle only went live this Monday, with the new regime taking full effect July 13, 2026.
The Numbers
- The Bank of England, PRA, and FCA will jointly supervise the resilience of cloud services from the designated firms.
- Designation requires compliance with requirements for identifying, managing, and recovering from operational incidents affecting UK financial services.
- Regulators can now collect data, run incident-management exercises, review self-assessments, and take disciplinary action if standards are not met.
- Financial firms using these cloud services remain legally responsible for managing their own third-party risk, not the cloud providers.
- This UK framework aims to complement similar regulations like the EU's DORA and the US Bank Service Company Act.
What Happens Next
🇮🇳 Why This Matters for India
For Indian banks and fintechs in Mumbai or Bangalore, relying heavily on AWS or Azure means they alone carry the burden of cloud-related operational risks and compliance.
The Take
The UK is fundamentally redefining hyperscalers as critical national infrastructure for its financial system, accepting the deep overhead. India, by contrast, continues to treat cloud as a third-party vendor problem, prioritizing adoption speed but offloading systemic resilience onto individual FIs.
Source:
MediaNama ↗