The United Kingdom decided, sensibly, that a handful of cloud and technology providers had become so central to banking, insurance and market infrastructure that their failure was now a financial-stability problem in its own right. So it built a supervisor for them. The rules took effect on 1 January 2025 (FCA PS24/16; Bank of England PS16/24).
Eighteen months later, the regime oversees no one. Not because it failed, but because the switch that turns it on has never been flipped.
A regime with an off-by-default design
The critical third parties (CTP) framework is a genuine piece of supervisory architecture, written jointly by the Bank of England, the PRA and the FCA. It sets resilience standards, testing requirements and incident-reporting duties for the technology firms — overwhelmingly the large cloud platforms — whose outage would ripple across multiple regulated institutions at once. The post-2020 wave of cloud migration made the concern concrete: when a large share of UK banks run core workloads on the same two or three hyperscalers, those providers are no longer ordinary vendors.
But the regulators deliberately did not give themselves the power to switch the regime on. Under the legislation, the FCA, PRA and Bank of England may only recommend a firm for oversight. The decision to designate — the legal act that makes any provider a “critical third party” and brings it inside the rulebook — sits with HM Treasury alone. As the policy statement puts it, the regulators recommend; the Treasury decides (FCA PS24/16).
That division was intentional, and defensible. Designating a named company as systemically critical is a serious act with international and trade implications, and a democratically accountable minister, not an independent regulator, should own it. The problem is what happens when the minister does not act. The rulebook exists in full. The standards are written. The reporting templates are live. And every one of them applies to an empty set, because no designation order is in force.
The gap between “in force” and “in effect”
This is the distinction that matters and that gets lost in the announcements. A rule being in force means it is law. A rule being in effect means it constrains someone’s behaviour. The CTP regime has been in force for a year and a half and in effect on precisely zero firms.
Meanwhile the risk the regime was built to address has not paused to wait for a designation. Concentration on a small number of cloud providers has deepened, not eased, since the rules were drafted, as banks push more of their estate — now including AI inference workloads — onto the same platforms. The regulators clearly know this. They have kept building the surrounding scaffolding: in March 2026 the Bank of England, PRA and FCA published their policy statement on operational incident and third-party reporting (PS7/26), and UK and EU authorities signed a memorandum of understanding to coordinate oversight of critical third parties across the two jurisdictions (FCA statement). Every piece of the machine is being polished except the one that makes it run.
Why the delay is the story
HM Treasury has indicated it is gathering the evidence to support designation decisions and expects to make initial designations during 2026, with attention pointed squarely at the largest cloud and AI providers; Parliament’s Treasury Committee has gone further, recommending the major AI and cloud providers be designated by the end of 2026 (Treasury Committee, AI in Financial Services — responses, April 2026). That intent is welcome. It is also, after eighteen months, overdue — and the shape of the delay tells you where the friction is.
Designating a hyperscaler is not a technical exercise. It is a decision to formally name a small number of mostly US-headquartered technology giants as systemically important to British finance, to subject them to UK resilience testing and incident duties, and to do so at a moment when the government is also courting those same firms for investment and data-centre capacity. Those goals pull in opposite directions. A designation says “you are a risk we must supervise.” An investment pitch says “you are a partner we want to keep.” The Treasury holds both files, and the second has had the louder champions.
That is the real reason the switch stays off. It is not bureaucratic slippage. It is an unresolved policy conflict between treating the cloud platforms as critical infrastructure to be regulated and treating them as inward investors to be wooed — and the CTP regime cannot bite until that conflict is settled in favour of the first.
The implication
For UK financial firms, the practical position is awkward. They are already accountable, under existing outsourcing and operational-resilience rules, for risks concentrated in providers they cannot meaningfully discipline. The CTP regime was supposed to move part of that burden onto the providers themselves. Until a designation order lands, it does not. The asymmetry the regime was designed to fix remains exactly where it was.
For the Treasury, the cost of waiting is quiet but real. Every month without a designation is a month in which the UK has a fully built supervisor for its most concentrated technology dependency and chooses not to use it. The next major cloud outage to hit several banks at once will be measured against that choice. A regime that exists on paper but constrains no one is not caution. It is a decision deferred — and the bill for deferral falls due on whatever day the outage arrives first.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.