🟡 Medium | Source: AWS Security Blog
AWS has been officially designated as a Critical Third Party (CTP) to the UK financial sector under a new regulatory regime that came into force on 1 January 2025. This designation, made by HM Treasury, gives the Bank of England, PRA, and FCA direct oversight powers over AWS’s services as they relate to UK financial institutions. For financial sector clients, this means AWS is now subject to formal regulatory scrutiny, which should improve resilience and accountability but also introduces new compliance obligations.
Security Architect’s Take: If you operate cloud infrastructure for UK-regulated financial institutions on AWS, review your shared responsibility model documentation and incident response plans in light of the new CTP oversight framework — regulators may now request evidence of your reliance on AWS and how you manage that concentration risk. Ensure your third-party risk management (TPRM) register reflects AWS’s CTP status and that contractual arrangements align with PRA/FCA expectations.
Original advisory: AWS designated as a critical third party to the UK financial sector