UK dithers on tech’s “critical third parties”
Regulators, CISOs alike remain concerned about concentration risk
British and European regulators have agreed to collaborate on improved oversight of “critical third parties” (CTPs) that support financial services.
Such CTPs are likely to include cloud hyperscalers and systems integrators.
European regulators in November 2025 named 19 tech firms as CTPs.
The UK has yet to designate a single firm as one – although AWS and GCP are among those who have publicly stated they expect to fall under sweeping rules first published by the Bank of England in November 2024.