Inside the Perimeter: Regulators Take Direct Oversight of the Cloud Hyperscalers
A weak signal in regulation and policy: for the first time, financial regulators are supervising the cloud hyperscalers directly, as named entities rather than through their bank clients, extending the regulatory perimeter to critical suppliers in a template other sectors will copy.
The consensus on operational-resilience rules treats them as a compliance burden: another reporting regime that obliges banks and insurers to map their suppliers, test for outages and document recovery plans. That framing misses the structural shift underneath. Beneath the compliance workload, the EU's Digital Operational Resilience Act and the UK's critical-third-party regime are doing something regulators have never done at scale: reaching past the firms they license to supervise the technology providers those firms depend on, as designated entities in their own right. The cloud is being pulled inside the regulatory perimeter. The question for the next two years is not how banks comply, but how far this new supervisory reach over critical suppliers extends, and which sector copies it next.
Signal Identification
This is a regulatory pivot in the architecture of supervision, not a routine compliance update. The novelty is the object of oversight: a small number of critical technology suppliers, chiefly the cloud hyperscalers, brought under direct regulatory authority despite not being licensed financial entities. The perimeter that defined who regulators can supervise is being redrawn around systemic dependency rather than legal form.
What's Changing
The EU has named the suppliers and taken them in-house. On 18 November 2025 the European Supervisory Authorities published the first official list of 19 designated Critical ICT Third-Party Providers under Article 31(9) of DORA, including Amazon Web Services, Google Cloud and Microsoft, now supervised directly by the ESAs rather than through their bank clients (FinTech Global, 05/05/2026). Designation follows a concentration test, and persistent non-compliance carries periodic penalties of up to 1% of average daily worldwide turnover per day of breach, with non-EU providers required to establish an EU presence within twelve months. The ECB's 2026-28 priorities reinforce the shift, elevating operational resilience and third-party risk to a top supervisory focus (ECB Banking Supervision, 22/01/2026).
The supervised-cloud perimeter: a fast-moving regime
Source: ESMA (18/11/2025); Bank of England (14/01/2026); PRA PS7/26 (18/03/2026); Norton Rose Fulbright (20/04/2026).
The UK is building the parallel regime and wiring it to the EU's. In January 2026 the FCA, Bank of England and PRA signed a Memorandum of Understanding with the European Supervisory Authorities to coordinate oversight of critical suppliers across both regimes, including during incidents such as outages or cyber-attacks, with the UK designation process under way (Bank of England, 14/01/2026). In March the PRA finalised mandatory operational-incident and material-third-party reporting, aligned to DORA and the Financial Stability Board's incident-reporting standard, to help it identify critical third parties and locate single points of failure (PRA PS7/26, 18/03/2026). Parliament is pushing further: the Treasury Select Committee has urged HM Treasury to designate the major cloud and AI providers, and the Treasury expects to make initial designation decisions during 2026 (Norton Rose Fulbright, 20/04/2026).
Disruption Pathway
The pathway runs in three stages. First, designation: regulators name the systemically critical suppliers and assert formal authority over them, as the EU has done and the UK is about to. Second, examination: lead overseers begin information requests, inspections and resilience testing of the providers themselves, and the providers stand up regulator-facing functions, EU entities and reporting pipelines they did not previously need. Third, generalisation: once financial supervisors hold a working model for overseeing hyperscalers, the same logic, supervise the dependency, not just the licensed firm, migrates to other regulated sectors and to AI providers.
Stresses concentrate at three points: the cloud providers, which must serve multiple overseers across jurisdictions with divergent expectations; the financial firms, which remain fully responsible for their own resilience; and the regulators themselves, who must build the technical capability to oversee infrastructure they do not run. Two adaptations follow. Structurally, hyperscalers move from procurement counterparties to quasi-regulated entities. Operationally, boards in regulated firms must treat concentration on a designated provider as a supervised risk to be evidenced, not a commercial choice to be assumed.
Why This Matters
For boards, compliance leaders and the hyperscalers, the signal reframes operational resilience from a reporting obligation into a question of who sits inside the regulatory perimeter. Cloud and major AI providers should expect direct supervision and resource regulator-facing oversight, incident reporting and EU establishment accordingly; treating designation as procurement underestimates it. Regulated firms cannot offload resilience to a designated supplier, since supervising the provider does not relieve the firm, so concentration on a single hyperscaler becomes a board-level risk to be evidenced and, where required, mitigated through exit and substitutability planning. For policymakers in other sectors, the live question is whether to copy the model.
Decision-action posture for this signal: Prepare — the EU regime is already live and the UK's first designations are expected within the year, so build the oversight, reporting and concentration-risk architecture now and commit fully on the UK designation trigger.
Counter-Argument
The strongest objection is that the new authority is more nominal than it looks: the lead overseer "can issue recommendations but cannot directly impose binding orders or fines," enforcement runs indirectly through public notices and recommendations that firms suspend or terminate a provider, and designation does not make a hyperscaler a prudentially regulated entity. Because substitutability is limited and migration runs 12-18 months, the underlying concentration risk persists regardless of who is nominally in charge (Glocert International, 03/02/2026).
The objection is right that the teeth are soft and wrong that this makes the shift cosmetic. The structural change is reach: regulators can now compel disclosure from, inspect and publicly sanction providers they previously could not touch, and a recommendation to terminate carries real force at hyperscaler scale. The perimeter has already moved; enforcement calibration is a matter of time, not principle.
Implications
On the available evidence this is a durable redrawing of the regulatory perimeter, not a transient cycle: the EU designations are made, the UK regime is being wired to them, and the supervisory model now targets systemic dependency rather than legal form. The inflection window is the next two to four years, set by the first oversight examinations, the UK's initial designations and the first enforcement test. Those positioned to gain are hyperscalers that build credible regulator-facing oversight early and firms that can evidence substitutability; those exposed are providers that treat designation as a formality and firms that assume supervision of their supplier reduces their own accountability.
Early Indicators to Monitor
- HM Treasury making its first critical-third-party designations of named cloud or AI providers during 2026.
- ESAs opening formal oversight examinations of designated CTPPs, with published findings or recommendations.
- A hyperscaler establishing a dedicated EU entity or regulator-facing oversight function in response to designation.
- Another regulated sector or jurisdiction proposing supplier-level oversight of critical cloud or AI providers.
- A supervisor publicly citing concentration on a designated provider in a firm-level resilience finding.
Disconfirming Signals
- EU oversight stalls, with designations made but no substantive examinations or recommendations issued.
- HM Treasury defers critical-third-party designations beyond 2026 or narrows the regime's scope.
- Courts or legislators curtail regulators' authority over non-licensed technology providers.
- The model stays confined to financial services, with no adoption by other sectors or regulators.
Strategic Questions
- Should regulated firms build evidenced exit and substitutability plans now, or wait for supervisors to demand them?
- Do hyperscalers treat direct oversight as a moat that entrenches incumbents, or a cost that invites challengers?
- At what point does supplier-level oversight move from financial services into other regulated sectors?
Keywords
DORA; critical third parties; cloud concentration risk; operational resilience; CTPP designation; hyperscalers; regulatory perimeter; third-party oversight; UK critical-third-party regime; ESAs; financial stability; FSB FIRE
Bibliography
Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.
- Tier 1 The European Supervisory Authorities designate critical ICT third-party providers under DORA. European Securities and Markets Authority (18/11/2025).
- Tier 1 UK and EU regulators sign Memorandum of Understanding to strengthen oversight of critical third parties. Bank of England (14/01/2026).
- Tier 1 Supervisory priorities 2026-28: charting a course through turbulent waters. European Central Bank Banking Supervision (22/01/2026).
- Tier 1 PS7/26 - Operational resilience: Operational incident and third-party reporting. Bank of England (PRA) (18/03/2026).
- Tier 2 DORA CTPP Oversight: What It Means for Cloud Providers and Major Vendors. Glocert International (03/02/2026).
- Tier 3 TSC publishes Regulator responses to its report on AI in Financial Services. Norton Rose Fulbright (20/04/2026).
- Tier 3 DORA CTPPs explained: rules, risks and obligations. FinTech Global (05/05/2026).