The UK just named its cloud concentration risk
If you run your business on Amazon, Google, Microsoft, or Oracle, which is to say if you run your business on the cloud at all, the UK has just put a name to something you probably already suspected: you cannot easily move. On Friday the Treasury designated those four providers as Critical Third Parties to the financial sector, and from Monday the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority began overseeing them jointly. Most Steelwise readers are not banks. The story still lands on you, and it is worth being clear about why.
What was actually announced
The four firms named are Amazon Web Services, Google Cloud, Microsoft, and Oracle. The designation runs under powers created by the Financial Services and Markets Act 2023, with the underlying rules in force since the start of 2025. Regulators can now gather information from these providers, assess how resilient their services are, and make and enforce rules where continuity of a critical service is at risk.
Two limits matter, and both are easy to overstate. The oversight covers only the resilience of the services these firms supply to UK financial firms. It does not turn Amazon or Microsoft into a regulated bank. And the regime complements existing rules, it does not replace them. A financial firm running on one of these clouds is still responsible for its own due diligence, risk management, and contingency planning. The designation does not let anyone off the hook for their own cloud risk. It sits on top.
It is also a rolling regime. The Treasury has said further providers may be designated over time where that is needed to protect UK resilience. Friday's four are a starting point, not the full list.
Read it as concentration, not just regulation
The easy reading is "the big cloud firms are getting regulated". The more useful reading is what the choice of firms tells you. The providers the state judged systemically important were the same four that already dominate the market. As the Treasury put it, so many firms rely on these services that disruption at one could affect multiple firms and markets at the same time. That is a concentration-risk statement. The government has formally acknowledged that a handful of suppliers now sit under most of the economy.
This is the flip side of the sovereignty and lock-in problem we have written about before. Naming the incumbents as critical is a resilience measure, and a sensible one. It is not the same as fixing the concentration. If anything, telling the market that these four are the ones the regulators watch tends to cement their position rather than loosen it. That is an observation, not a legal claim: oversight and competition are not the same lever.
What this regime actually corrects
There is a fairer way to read Friday's news than "the cloud giants are now trusted." For years these platforms have been comparatively opaque: hard to inspect, hard to hold to account, and quick to fall back on their own attestations rather than answer a buyer's questions directly. What the designation does is drag them towards a level of scrutiny that plenty of smaller and sovereign providers have operated under for a long time, because their customers, often in regulated sectors, demanded it in the contract. Regulated finance firms have been asking these questions of their local suppliers for years. They just could not ask them of a hyperscaler and expect a straight answer.
So this is not the public cloud proving it is better. It is the public cloud becoming slightly less opaque than it was. That is worth having, and it is a real gain for the firms that depend on these platforms. It is not a reason to treat the biggest providers as the safe default. The lesson Steelwise keeps returning to holds: what makes a supplier trustworthy is transparency and the ability to switch, not the size of the brand. A smaller provider that will answer your questions and let you leave can be a better bet than a giant that will now, grudgingly, answer a regulator's.
Why this reaches an SME that no regulator supervises
You are almost certainly not directly overseen by the Bank or the FCA. The route in is your customers. If you supply software, data, or services into financial firms, the questions you get asked are about to sharpen. Concentration and exit-planning have just been named a top-of-market concern, and that flows down the supply chain the way operational-resilience rules already do.
In practice, expect finance customers to ask harder questions about your own cloud dependencies: which providers you sit on, and whether you could switch if you had to. The honest answer, for most firms, is "not quickly". Working that out before a procurement team asks is the difference between a calm reply and a scramble.
What to do
- Write down which of the four you depend on, and for what. Hosting, identity, email, database, AI. One line each. You cannot reason about concentration you have not listed.
- Ask the switch question once, calmly. If your main provider doubled its price or went down for a week, what would you actually do on Monday? The answer is worth more than any policy document.
- Check the exit terms, not just the price. Notice periods, data-return format, and the cost of getting your own data back out. The important part of a cloud contract is what happens when you leave.
- Expect the questionnaire to grow a cloud-dependency section. If you sell into financial services, have the answers ready before the question arrives.
How Steelwise can help
Working out what you have plugged in, and whether you could actually switch cloud provider if you had to, is exactly the kind of review we do with clients. Get in touch.