On 18 March 2026 the FCA, PRA and Bank of England (the Bank) published policy statements introducing new requirements and expectations for the reporting of certain operational incidents, and expanding the scope of existing data collections on third party arrangements. These measures, which follow a package of consultation papers published back in December 2024, are the latest in a series of initiatives to support the operational resilience of the UK financial sector. In particular, they are hot on the heels of the introduction of a new oversight regime for critical third parties to the financial sector (CTPs) in January 2025, which should go live this year (see more here).
The new reporting framework is intended to help manage risk in a financial sector that is increasingly interconnected, complex and dynamic, and which is facing a cyber risk climate where threat actors are attacking firms (and the third parties they rely on) with greater frequency and sophistication. Firms increasingly rely on third parties to deliver their services, and third parties are now supplying their services by means of transformative technological innovations like AI. Against this backdrop, the regulators need to understand how firms are using third parties to effectively supervise their operational resilience.
Incident reporting and third-party reporting, working in tandem, are expected to give the regulators a clearer picture of linkages and dependencies (including supplier dependencies) in the sector, enabling appropriate supervision - the idea being that the data firms submit will help the regulators triage incidents at pace and respond appropriately.
There is a fair amount of regulatory material to wade through; in addition to their respective policy statements and templates, the FCA has published guidance and the Bank and PRA have published supervisory statements to accompany the new rules. However, key points of interest include:
- Incident reporting – a new incident reporting framework requires all authorised firms to report basic information promptly (within 24 hours, or within 4 hours for payment service providers (PSPs)) in a structured format to help the regulators triage incidents across the sector. Previously, the regulators received inconsistent reporting from firms on the types and severity of incidents that occur. They have now created a standardised incident reporting process through a single portal, so that all firms make one submission regardless of which regulator(s) a report is for. Firms are divided into two groups: ‘standard’ reporting for the majority of FCA solo-regulated firms (who make a single short report) and ‘enhanced’ reporting for a smaller subset, including dual-regulated firms and PSPs (which follow an ‘initial’, ‘intermediate’ and ‘final’ phase structure). Duplicative incident reporting requirements for PSPs have been removed.
- Material third party reporting – Firms have long had to notify the regulators when carrying out material outsourcings. New provisions expand the scope of the existing outsourcing notifications for some firms to create a unified FCA, PRA and Bank reporting regime for both material outsourcing and non-outsourcing arrangements under the banner of ‘material third party arrangements’. Examples of non-outsourcing third party arrangements for these purposes may include buying or acquiring hardware, software and other ICT products (such as designing and building an on-premise IT platform), or advanced analytics models developed by third parties. In-scope firms will additionally be required to maintain a register of their material third party arrangements in a standardised format, and submit it annually.
Next Steps and Reflections
The new rules and guidance will come into force on 18 March 2027, giving firms 12 months to prepare for compliance. There is plenty to do here for individual firms over the next year, including work to map the new rules against existing incident notification requirements (such as the FCA’s Principle 11). For those with an EU nexus, the requirements are intended to be broadly aligned with those under the EU’s Digital Operational Resilience Act (DORA), but they are not replicated exactly. These firms will therefore need to get to grips with new UK rules and adapt their processes to manage the differences between the EU and UK regimes.
We are writing a longer article on these changes for the ICLG Fintech Guide – please get in touch if you would like a copy.