New UK cloud oversight majors on the wrong risk
XLK•Context on the new regime
On July 13, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority began formal oversight of four leading cloud providers for the first time. This follows their designation as “critical third parties” (CTPs) by the Treasury.
The firms – Microsoft, AWS, Google and Oracle – now have regulatory obligations around testing, information sharing and incident management. The new regime is “focused on the resilience of the critical services they provide to the UK financial sector,” according to a statement from the Bank.
Questions over sovereignty and AI infrastructure
This looks outdated. Certain EU member states increasingly view U.S. cloud providers and IT contractors like Palantir Technologies PLTR.O as a threat to strategic autonomy, rather than a point of operational failure. It’s not just a problem that critical IT services are provided by a handful of companies, but that those firms are foreign-owned and data stored with them is potentially subject to extraterritorial laws.




