Signal Scanner · REGULATION, STANDARDS & POLICY CHANGE

Inside the Perimeter: Regulators Take Direct Oversight of the Cloud Hyperscalers

A weak signal in regulation and policy: for the first time, financial regulators are supervising the cloud hyperscalers directly, as named entities rather than through their bank clients, extending the regulatory perimeter to critical suppliers in a template other sectors will copy.

The consensus on operational-resilience rules treats them as a compliance burden: another reporting regime that obliges banks and insurers to map their suppliers, test for outages and document recovery plans. That framing misses the structural shift underneath. Beneath the compliance workload, the EU's Digital Operational Resilience Act and the UK's critical-third-party regime are doing something regulators have never done at scale: reaching past the firms they license to supervise the technology providers those firms depend on, as designated entities in their own right. The cloud is being pulled inside the regulatory perimeter. The question for the next two years is not how banks comply, but how far this new supervisory reach over critical suppliers extends, and which sector copies it next.

Signal Identification

This is a regulatory pivot in the architecture of supervision, not a routine compliance update. The novelty is the object of oversight: a small number of critical technology suppliers, chiefly the cloud hyperscalers, brought under direct regulatory authority despite not being licensed financial entities. The perimeter that defined who regulators can supervise is being redrawn around systemic dependency rather than legal form.

Time horizon: 2-4 years (EU designations live from late 2025; UK first designations expected 2026; oversight maturity and first enforcement tests 2026-2028) Plausibility band: High Geographic / Jurisdictional Scope: Primary: the EU-27 (DORA) and the UK (critical-third-party regime). Spillover: other jurisdictions and sectors weighing supplier-level oversight of cloud and AI providers. Sectors exposed: cloud and ICT providers, banks, insurers, market infrastructure, asset managers, and the compliance, procurement and resilience functions inside them.

What's Changing

The EU has named the suppliers and taken them in-house. On 18 November 2025 the European Supervisory Authorities published the first official list of 19 designated Critical ICT Third-Party Providers under Article 31(9) of DORA, including Amazon Web Services, Google Cloud and Microsoft, now supervised directly by the ESAs rather than through their bank clients (FinTech Global, 05/05/2026). Designation follows a concentration test, and persistent non-compliance carries periodic penalties of up to 1% of average daily worldwide turnover per day of breach, with non-EU providers required to establish an EU presence within twelve months. The ECB's 2026-28 priorities reinforce the shift, elevating operational resilience and third-party risk to a top supervisory focus (ECB Banking Supervision, 22/01/2026).

The supervised-cloud perimeter: a fast-moving regime

Nov 2025 EU names 19 providers Jan 2026 EU-UK oversight agreement Mar 2026 UK third-party reporting policy 2026 UK first designations

Source: ESMA (18/11/2025); Bank of England (14/01/2026); PRA PS7/26 (18/03/2026); Norton Rose Fulbright (20/04/2026).

The UK is building the parallel regime and wiring it to the EU's. In January 2026 the FCA, Bank of England and PRA signed a Memorandum of Understanding with the European Supervisory Authorities to coordinate oversight of critical suppliers across both regimes, including during incidents such as outages or cyber-attacks, with the UK designation process under way (Bank of England, 14/01/2026). In March the PRA finalised mandatory operational-incident and material-third-party reporting, aligned to DORA and the Financial Stability Board's incident-reporting standard, to help it identify critical third parties and locate single points of failure (PRA PS7/26, 18/03/2026). Parliament is pushing further: the Treasury Select Committee has urged HM Treasury to designate the major cloud and AI providers, and the Treasury expects to make initial designation decisions during 2026 (Norton Rose Fulbright, 20/04/2026).

Disruption Pathway

The pathway runs in three stages. First, designation: regulators name the systemically critical suppliers and assert formal authority over them, as the EU has done and the UK is about to. Second, examination: lead overseers begin information requests, inspections and resilience testing of the providers themselves, and the providers stand up regulator-facing functions, EU entities and reporting pipelines they did not previously need. Third, generalisation: once financial supervisors hold a working model for overseeing hyperscalers, the same logic, supervise the dependency, not just the licensed firm, migrates to other regulated sectors and to AI providers.

Stresses concentrate at three points: the cloud providers, which must serve multiple overseers across jurisdictions with divergent expectations; the financial firms, which remain fully responsible for their own resilience; and the regulators themselves, who must build the technical capability to oversee infrastructure they do not run. Two adaptations follow. Structurally, hyperscalers move from procurement counterparties to quasi-regulated entities. Operationally, boards in regulated firms must treat concentration on a designated provider as a supervised risk to be evidenced, not a commercial choice to be assumed.

Why This Matters

For boards, compliance leaders and the hyperscalers, the signal reframes operational resilience from a reporting obligation into a question of who sits inside the regulatory perimeter. Cloud and major AI providers should expect direct supervision and resource regulator-facing oversight, incident reporting and EU establishment accordingly; treating designation as procurement underestimates it. Regulated firms cannot offload resilience to a designated supplier, since supervising the provider does not relieve the firm, so concentration on a single hyperscaler becomes a board-level risk to be evidenced and, where required, mitigated through exit and substitutability planning. For policymakers in other sectors, the live question is whether to copy the model.

Decision-action posture for this signal: Prepare — the EU regime is already live and the UK's first designations are expected within the year, so build the oversight, reporting and concentration-risk architecture now and commit fully on the UK designation trigger.

Counter-Argument

The strongest objection is that the new authority is more nominal than it looks: the lead overseer "can issue recommendations but cannot directly impose binding orders or fines," enforcement runs indirectly through public notices and recommendations that firms suspend or terminate a provider, and designation does not make a hyperscaler a prudentially regulated entity. Because substitutability is limited and migration runs 12-18 months, the underlying concentration risk persists regardless of who is nominally in charge (Glocert International, 03/02/2026).

The objection is right that the teeth are soft and wrong that this makes the shift cosmetic. The structural change is reach: regulators can now compel disclosure from, inspect and publicly sanction providers they previously could not touch, and a recommendation to terminate carries real force at hyperscaler scale. The perimeter has already moved; enforcement calibration is a matter of time, not principle.

Implications

On the available evidence this is a durable redrawing of the regulatory perimeter, not a transient cycle: the EU designations are made, the UK regime is being wired to them, and the supervisory model now targets systemic dependency rather than legal form. The inflection window is the next two to four years, set by the first oversight examinations, the UK's initial designations and the first enforcement test. Those positioned to gain are hyperscalers that build credible regulator-facing oversight early and firms that can evidence substitutability; those exposed are providers that treat designation as a formality and firms that assume supervision of their supplier reduces their own accountability.

Early Indicators to Monitor

Disconfirming Signals

Strategic Questions

Keywords

DORA; critical third parties; cloud concentration risk; operational resilience; CTPP designation; hyperscalers; regulatory perimeter; third-party oversight; UK critical-third-party regime; ESAs; financial stability; FSB FIRE

Bibliography

Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.


Prepared by Shaping Tomorrow: 8 June 2026