.svg)
As legislators ask questions, the outage may increase scrutiny of cloud and digital infrastructure providers and prompt financial institutions to review their reliance on foreign-hosted services.
On October 20, 2025, the Treasury Select Committee wrote to the economic secretary to the Treasury following a widespread outage at Amazon Web Services (AWS) that disrupted several organisations, including Lloyds Banking Group.
In the letter, members of Parliament (MPs) questioned why AWS has not yet been designated under the UK’s critical third parties (CTP) regime, a framework designed to manage risks posed by key technology providers to the financial sector.
“Amazon Web Services, a US cloud infrastructure provider, has today been affected by a widespread outage across its systems. This appears to have disrupted several other firms, including Lloyds Banking Group,” the letter states.
The outage affected multiple well-known e-commerce platforms and financial services organisations, including Coinbase and Halifax.
Although the rules came into effect in January 2025, they only apply once firms are formally designated by HM Treasury, and no such designations have yet been made.
Delays and risk
The committee asked the minister, Lucy Rigby KC, to explain the delay in bringing AWS and other major technology firms under the regime.
MPs also sought clarification on whether the Treasury is concerned about critical UK infrastructure being hosted overseas, after reports suggested the outage originated in the US.
The letter noted that HMRC may also have been affected and requested details on steps being taken to review the incident and prevent future disruptions.
The correspondence follows earlier exchanges between the committee and AWS as part of its inquiry into artificial intelligence (AI) in financial services.
AWS previously told MPs that “financial services customers are choosing to use AWS to support and improve their security and resilience. AWS has a comprehensive approach to resilience that spans multiple layers of protection, ensuring businesses can reliably maintain operations.”
Operational resilience standards
The CTP regime targets firms whose services are essential to the stability of UK financial institutions, including cloud providers, data centres and other elements of digital infrastructure.
Designation under the regime triggers requirements for robust operational and resilience standards, including redundancy, contingency planning and reporting obligations.
Established in November 2024 under amendments to the Financial Services and Markets Act, the regime has similarities to the EU’s Digital Operational Resilience Act (DORA), which mandates resilience standards for financial entities and their third-party ICT providers.
However, the UK framework is narrower and less prescriptive than DORA.
The AWS outage is likely to accelerate scrutiny of cloud and digital infrastructure providers, and may prompt HM Treasury to finalise designations under the CTP regime more rapidly.
It may also lead financial institutions to review their reliance on foreign-hosted services, consider investing in further resilience measures and explore alternative providers to mitigate operational risk.
Regulators in the UK and other affected jurisdictions could use the episode to clarify expectations for uptime, redundancy and incident reporting, signalling a more proactive approach to safeguarding the stability of financial services.
