Regulators jointly oversee services provided by designated critical third parties (CTPs) to reduce systemic risks to the UK Financial System.
From 13 July 2026, regulators oversee systemic services provided by CTPs to address risks that could affect the wider financial system.
7 December 2023
Consultation published
15 March 2024
Consultation closed
March–November 2024
We considered feedback
12 November 2024
Policy statement and final rules published
1 January 2025
Regime took effect
13 July 2026
Designation regulations came into force for first critical third parties
Why critical third parties matter
CTPs are third party providers whose service disruption or failure could threaten the stability of, or confidence in, the UK financial system. They may include technology, data and operational service providers of critical services to regulated firms and financial market infrastructures (FMIs).
Firms and FMIs increasingly rely on these service providers. If a provider that supports a significant part of the financial sector experiences serious disruption to its services, it could affect many firms, consumers and markets. The CTP regime helps regulators address these risks that could impact the wider financial system.
A new oversight regime
In November 2024, the FCA, Bank of England, and PRA (the regulators) introduced new rules for CTPs[1], following consultation[2] with industry stakeholders. The regulatory framework came in on 1 January 2025. The rules apply to a CTP from the date the relevant Treasury designation regulation comes into force.
Through proportionate, targeted, and coordinated oversight of systemic services provided to firms by CTPs, the regime aims to:
- Reduce systemic risk by ensuring CTPs meet robust operational resilience standards.
- Enable regulators to intervene and raise the resilience of services provided by CTPs.
- Complement, not replace, firms’ own responsibilities for managing third-party risks.
- Encourage timely information sharing between CTPs and firms, to ensure that firms have the appropriate knowledge to adequately manage risks related to their use of CTP services.
Oversight may include regulatory engagement, information gathering and resilience assessments focused on the systemic services CTP offers to the UK financial sector.
What the regime means for designated CTPs
- Joint oversight of CTP services begins when the Treasury’s designation regulations come into effect, meaning the regulators’ rules apply to CTPs from then.
- CTPs should read our existing publications on the regime.
- The regulators’ targeted oversight prioritises the systemically important third-party services, not the entirety of CTPs’ businesses; ensuring a proportionate approach to managing systemic risks.
What the regime means for firms
- Firms remain responsible for managing their own third-party risks in line with our existing operational resilience and outsourcing requirements.
- More information on existing requirements: operational resilience[3] and outsourcing pages[4].
How CTPs are designated
The Treasury decides whether to designate a third party as a CTP, based generally on recommendations from the regulators. The Treasury may also make designations without any regulator recommendations. The Treasury can de-designate CTPs or designate new CTPs as markets evolve.
Once designated by the Treasury, CTPs’ systemic services are jointly overseen by the regulators. Designation is based on the potential for disruption to threaten UK financial stability or confidence in the UK financial system.
Designated Critical Third Parties
- Amazon Web Services EMEA SARL - Designated on 13 July 2026[5]
- Google Cloud EMEA Limited - Designated on 13 July 2026[5]
- Microsoft Ireland Operations Limited - Designated on 13 July 2026[6]
- Oracle Corporation UK Limited - Designated on 13 July 2026[7]