Background – how the regime works and why delays matter

The UK’s Critical Third Parties (CTP) regime was created by the Financial Services and Markets Act 2023. From 1 January 2025 the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) can impose resilience rules on external service providers (mostly cloud and data firms) whose failure could threaten financial stability (bankofengland.co.uk). The rules, codified in new FCA and PRA sourcebooks, require designated providers to maintain robust governance, manage supply‑chain risk, test their ability to withstand outages, report incidents and help financial firms exit their services (morganlewis.com). Regulators expected the first designations to follow a six‑month consultation after recommendations were made in early 2025 (deloitte.com), meaning effective oversight could begin mid‑2025.

However, the new regime only applies once HM Treasury designates a firm as “critical.” This requires the Treasury to consider the materiality of the services, the number and type of financial firms using the provider, and the potential systemic impact (morganlewis.com). Designation orders will specify when obligations take effect and may include transition periods. As the FCA has emphasised, the regime does not reduce the responsibilities of regulated firms; it adds a second layer of oversight for providers who underpin their operations (fca.org.uk).

An oversight framework without any designees

Nine months after the regime came into force there were no designated CTPs. A May–September 2025 analysis by Kemp IT Law noted that “no designations have yet been made,” although HM Treasury expected to announce a small number later in 2025 (kempitlaw.com). In April 2025 the PRA’s business plan confirmed that the regulators were reviewing providers and preparing to recommend designations but still had none (bankofengland.co.uk). On 20 October 2025 an Amazon Web Services (AWS) outage disrupted Lloyds Bank, Halifax, the Bank of Scotland and the UK tax authority HMRC, and knocked out scores of apps including Snapchat, Slack and Pokémon Go (theguardian.com). The House of Commons treasury committee wrote to the economic secretary asking why AWS had not been designated (theguardian.com). A week later the committee again complained that it was “unacceptable” that no designations had been made (committees.parliament.uk). As of early November 2025 the government still had not published any designation orders.

Delays matter because the CTP regime cannot improve resilience until it applies. Designated providers would be required to undertake scenario‑testing, supply‑chain mapping, incident reporting and independent “skilled person” reviews (morganlewis.com). Regulators would gain powers to inspect them and, if necessary, impose public censure or prohibit them from providing critical services (morganlewis.com). Without designations, the UK remains reliant on voluntary assurances from cloud firms and on existing outsourcing rules that apply only to financial firms, not to the cloud providers themselves.

Competition concerns in the cloud market

Highly concentrated markets and high returns

The Competition and Markets Authority (CMA) concluded in its July 2025 final report on the public cloud infrastructure market that competition is not working well. It found the IaaS market to be highly concentrated—AWS and Microsoft each held a 30–40 % share of supply in 2024, while Google held only 5–10 %, and the positions of AWS and Microsoft are likely to endure (assets.publishing.service.gov.uk). Both companies have been earning returns above their cost of capital for years (assets.publishing.service.gov.uk). These large shares reflect barriers to entry: enormous sunk costs in data centres, networks and servers, and economies of scale that make it hard for smaller providers to compete (assets.publishing.service.gov.uk).

Lock‑in through egress fees and technical barriers

The CMA identified commercial and technical barriers that deter customers from switching or adopting multi‑cloud strategies. Chief among these are egress fees—charges for transferring data out of a provider’s cloud. The report noted that these fees increase costs for customers, particularly smaller firms or those holding large datasets, and reduce incentives for suppliers to compete (assets.publishing.service.gov.uk). Technical barriers arise from incompatible interfaces and services, latency between clouds and the lack of transferable skills, making it difficult to integrate or substitute services (assets.publishing.service.gov.uk). These barriers lock customers into their initial provider and diminish competition (assets.publishing.service.gov.uk).

Microsoft licensing practices

Microsoft’s software licensing practices were also found to reduce competition. The CMA said Microsoft’s input prices to AWS and Google for certain software (e.g., Windows Server, SQL Server, Visual Studio and Office suites) are sometimes higher than the prices it charges its own customers, leading AWS and Google to charge more and resulting in “partial foreclosure” (assets.publishing.service.gov.uk). Microsoft does not make some products available under its licensing agreements, and customers cannot always bring their existing licences to alternative clouds, which restricts AWS’ and Google’s competitive offerings (assets.publishing.service.gov.uk). The CMA concluded that Microsoft’s licensing practices, together with market concentration and barriers to switching, are features that adversely affect competition (assets.publishing.service.gov.uk).

Potential consumer harm

The CMA estimated that if prices in the UK cloud market are 5 % above those in well‑functioning markets, customers would pay around £500 million more per year (assets.publishing.service.gov.uk). Since UK businesses spent £10.5 billion on cloud services in 2024 (assets.publishing.service.gov.uk) and adoption is growing at nearly 30 % annually (assets.publishing.service.gov.uk), the stakes are high. Concentration and lock‑in could raise costs and slow innovation for the many industries that depend on cloud services.

Impact of cloud concentration and regulatory delay across key verticals

Vertical – Impact of concentration and delayed regulation
Banking and financial services – Financial firms increasingly rely on cloud services to deliver online banking, payments and trading platforms. The AWS outage on 20 Oct 2025 disrupted Lloyds Bank, Halifax and Bank of Scotland and hindered access to HMRC’s tax portal (theguardian.com). Without CTP designation, there is no direct regulatory oversight of AWS’ resilience, and banks cannot rely on regulators to enforce stronger testing. Lock‑in makes it costly for banks to adopt multi‑cloud strategies, while high switching costs allow providers to charge supra‑competitive prices (assets.publishing.service.gov.uk). Fintechs and smaller banks are particularly vulnerable because they often lack the resources to negotiate bespoke contracts.
Government and public sector – A Guardian investigation found that AWS has won 189 UK government contracts worth £1.7 billion, and 35 public sector authorities use AWS across 41 contracts (theguardian.com). Ministries including the Home Office, Department for Work and Pensions (DWP), HMRC, Ministry of Justice, Cabinet Office and Defra depend on its services. The AWS outage revealed that the government’s procurement strategy contradicts its own resilience rhetoric; the treasury committee wrote to the economic secretary asking why Amazon had not been designated a CTP (theguardian.com). Delayed designation means there is no formal requirement for AWS to engage regulators in change management or test its ability to recover from incidents, leaving essential public services exposed.
Retail and e‑commerce – Because Amazon runs both the largest cloud platform (AWS) and a massive retail operation, outages ripple through consumer commerce. The 20 Oct 2025 outage disrupted Amazon’s retail site and Ring security devices (theguardian.com). Retailers that run e‑commerce platforms on AWS also suffered downtime, showing how vertical integration can create single points of failure. High egress fees discourage retailers from diversifying across multiple clouds, increasing the risk that an outage takes their stores offline (assets.publishing.service.gov.uk).
Communications & entertainment – Platforms such as Snapchat, Roblox, Signal, Duolingo, Slack, Pokémon Go and Peloton were among the thousands of apps knocked offline by the AWS outage (theguardian.com). These services underpin social communication, gaming and fitness for millions of consumers. Concentration means failures at a single provider can cascade across multiple entertainment sectors simultaneously.
Healthcare and critical infrastructure – While the AWS outage mainly affected consumer services, previous incidents illustrate the risk to health and infrastructure. In July 2024 a botched CrowdStrike software update affected Microsoft systems, causing outages across hospitals and airports (referenced by the Guardian as “the largest outage in history”) (theguardian.com). The UK’s CTP regime aims to ensure that providers can withstand such shocks, but without designations the regulators cannot require cloud suppliers to map their supply chains or test recovery plans.
Technology and AI sectors – AI development relies on access to highly specialised cloud infrastructure. The CMA noted that Microsoft, AWS and Google are the only providers offering vertically integrated AI capabilities (assets.publishing.service.gov.uk). Concentration and licensing restrictions could stifle innovation by making it expensive for start‑ups to access accelerated compute or by tying AI services to a single cloud (assets.publishing.service.gov.uk). Without regulatory oversight, these firms could exploit their dominance to shape the emerging AI ecosystem.

Customer consequences

  • Operational resilience – Single points of failure mean outages can simultaneously disrupt banking, payments, government portals, communications and consumer apps (theguardian.com). Designated CTPs would have to test and demonstrate that they could recover within agreed timeframes (morganlewis.com); the absence of designations leaves customers dependent on providers’ internal processes.
  • Switching costs and lock‑in – High egress fees and proprietary interfaces lock customers into a single provider (assets.publishing.service.gov.uk). Without regulatory oversight, there is little pressure on cloud firms to reduce these costs or offer interoperable services. Customers face high exit barriers if a provider raises prices or fails.
  • Pricing – Sustained returns above the cost of capital for AWS and Microsoft (assets.publishing.service.gov.uk) and the CMA’s estimate of potential overpricing amounting to £500 million a year (assets.publishing.service.gov.uk) suggest that customers may be paying more than necessary. In the absence of designations and strong competition remedies, cloud providers have limited incentive to lower prices or improve service quality.
  • Data sovereignty & security – Government and financial customers worry about where data is processed and who has access. The CTP regime mandates supply‑chain mapping, cyber‑security controls and notification of significant changes (morganlewis.com). Without designations these requirements remain aspirational, and customers must rely on contractual promises.

Halo effect vs. compliance burden

Regulators have debated whether CTP designation could give providers a “halo effect” by signalling to customers that they are safer or approved. The Bank of England’s supervisory statement warns that designation should not imply any competitive advantage and emphasises that designation orders will be strictly for resilience purposes (bankofengland.co.uk). Moreover, the compliance burden—governance reforms, supply‑chain risk management, cyber resilience, change management, resource mapping, incident response and termination planning—may offset any halo effect (morganlewis.com). Providers face significant costs in meeting the eight operational resilience requirements and six fundamental rules.

Comparison with the EU’s DORA and global context

The UK is not alone in regulating cloud infrastructure. The EU’s Digital Operational Resilience Act (DORA) will require European financial regulators to designate and supervise “critical ICT third‑party service providers.” EU authorities must complete their information exchange for designations by 30 April 2025, and final rules will apply from January 2025 (pinsentmasons.com). DORA has extraterritorial reach and overlaps with the UK CTP regime, meaning providers serving both markets must navigate two sets of rules (morganlewis.com). Coordinated supervision is essential because many cloud firms operate globally; the PRA’s business plan notes that UK regulators are working with international partners including the G7 cyber experts group (bankofengland.co.uk).

Outlook and recommendations

  • Urgent designation – The UK government should prioritise designating at least the largest cloud providers. Parliamentary pressure after the AWS outage and the CMA’s competition findings underscore the need for swift action.
  • Multi‑cloud strategies – Financial firms, public bodies and other critical sectors should adopt multi‑cloud or hybrid architectures to reduce single‑provider risk. This requires addressing contractual and technical barriers and may necessitate regulatory intervention to cap egress fees and promote interoperability.
  • Competition remedies – The CMA recommended that the digital markets unit consider designating AWS and Microsoft with strategic market status (gov.uk). Such designation would allow the CMA to impose conduct requirements, for example requiring fair licensing terms and limiting egress fees.
  • Customer preparedness – Potential CTPs should prepare for oversight by reviewing their governance structures, mapping their supply chains and assessing incident management capabilities (kempitlaw.com). Financial firms should continue to meet their own operational resilience obligations and conduct due diligence on third‑party providers.
  • International cooperation – Given the global nature of cloud services, regulators should align CTP oversight with DORA and other regimes, share incident reports and coordinate enforcement to avoid fragmentation. This will help ensure consistent resilience standards and reduce regulatory arbitrage.

Conclusion

Cloud infrastructure has become a backbone of the UK economy, supporting banking, government services, retail, communications and emerging AI. The UK’s Critical Third Parties regime was designed to ensure that providers underpinning these services are resilient and subject to direct supervision. Yet nearly a year after the regime took effect, no provider has been designated, leaving the system reliant on voluntary assurance and the goodwill of a few giant firms. At the same time, the CMA’s investigation lays bare a market dominated by two players with high returns, significant barriers to switching and licensing practices that restrict competition. The AWS outage in October 2025 offered a real‑world demonstration of the risks that concentration and regulatory delay pose to consumers and businesses alike (theguardian.com). Swift designation, competition remedies and diversified cloud strategies are essential to protect customers and promote innovation across key verticals.
