As they continue to adopt new technology, including AI, financial service providers face ever-growing cyber threats and operational risks. In response, the UK regulators have laid out a new framework of rules and guidance around the reporting of incidents and third party dependencies. UK firms have a year to integrate the final rules into their current processes, including those developed for EU DORA compliance, before the regime takes effect on 18 March 2027.
An addition to the existing rulebook
In 2024 the Financial Conduct Authority, Prudential Regulation Authority and Bank of England shared their draft rules for operational incident and third party reporting. FCA PS26/2, PRA PS7/26 and a Bank of England policy statement now finalise their respective rules and guidance. This new framework builds on the wider operational resilience regime which started to apply in 2022 and has been fully enforced since March last year.
Key changes since the consultation
In response to feedback, the regulators have:
Introduced more consistency between the regulators’ rulebooks,
Created a two-tier framework under which some firms will need to submit more information than others,
Consolidated three incident reports into one form for enhanced reporting firms to update during the incident cycle,
Disapplied incident reporting guidelines under payment services regulation to avoid duplication, and
Unified the regime for reporting third party arrangements so all firms use the same template.
Greater alignment between the regulators should help firms regulated by both the FCA and PRA, as well as groups managing compliance across several types of entity, but firms will still need to navigate differences between the rulebooks, for example on reporting thresholds. The de-duplication of the payments regime will also be welcome, although payment service providers should note the additional rules that apply to them.
Operational incident reporting: The two-tier framework
The FCA’s incident reporting regime applies to all firms with a Part 4A permission, payment service providers, UK recognised investment exchanges, registered trade repositories and credit rating agencies. The PRA and Bank of England will apply their incident reporting rules to the firms they oversee.
The FCA regime distinguishes between firms that will provide standard reporting and those subject to enhanced reporting requirements. The latter includes enhanced scope SMCR firms, dual-regulated firms like banks and insurance providers, and non-bank payment service providers.
What triggers a report?
The regulators have agreed a common definition of an operational incident. This is a single event or a series of linked events which disrupts the firm’s operations such that it either disrupts the delivery of a service to an end user external to the firm, or impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.
Firms only need to report an operational incident that has crystallised and met one or more of the regulators’ thresholds. Firms do not need to report near misses.
The regulators have set different reporting thresholds. For example, the FCA has set thresholds relating to consumer harm, safety and soundness and market stability. Under the PRA regime, firms must submit an incident report if the incident could pose a risk to the stability of the UK financial system, the firm’s safety and soundness, or, for insurers, protection for policyholders. These differences reflect the respective objectives of the regulators.
Timing and process
Firms should report an operational incident as soon as practicable within 24 hours of determining that it meets the thresholds. An exception is payment service providers who must continue to report incidents within four hours, in accordance with existing requirements.
Enhanced reporting firms must also submit material updates and a final report within 30 working days of the incident being resolved. In exceptional circumstances, the firm may take up to 60 working days to submit the final update.
Material third party reporting: Expanded scope and new obligations
The regulators are expanding the scope of firms’ third party notifications to cover both material outsourcing and material non-outsourcing arrangements. This reflects the increasing importance of firms’ third party arrangements which help to deliver and support their activities, services and processes.
The third party reporting rules will apply to dual-regulated firms, enhanced SMCR firms, authorised e-money and payment institutions, CASS large firms, UK RIEs and consolidated tape providers. Unlike the operational incident reporting regime, branches of international firms are in scope of the third party reporting requirement.
Determining materiality
The regulators share a definition of third party arrangement but what each one considers to be “material” (and so reportable) differs according to their objectives.
Firms should assess materiality on a case-by-case basis. The FCA has given examples of arrangements it would generally expect to be classified as material, including services for storing sensitive information such as data centres and cloud hosting, cybersecurity services built and monitored by a third party, cloud SaaS services required to run software, third-party payment and settlement services, AI models used for trading, and real-time market data feeds.
Intragroup arrangements are not exempt. Firms should not treat an intragroup arrangement as being automatically less risky but, to reduce the reporting burden, most firms are only required to report intragroup arrangements where an external third party dependency exists.
Reporting obligations
The third party reporting regime creates two separate obligations that firms must manage concurrently:
Notifications: Firms should notify their regulator about material arrangements early enough in the decision-making process to allow for any engagement before the firm becomes contractually or operationally committed. Significant changes should also be notified, such as a material increase or decrease in the scope of services provided, a change in how the third party stores or processes sensitive data, moving data storage to a new location, a material change to the ownership or financial position of the third party, or a change in third party or key sub-contractor, and
Annual register: Firms must send the regulators a register of their material third party arrangements annually. Firms will be notified when the annual submission window opens and will have 90 calendar days to make their submission using the template provided.
Excel templates for notifications and the register are standardised across the FCA, PRA and Bank of England. The templates capture detailed information including the type and description of the service, supply chain ranking, notice periods, annual contract value, risk assessment outcomes, and an assessment of the substitutability of the service provider.
Next steps
Firms should begin preparing now for the rules to come into force on 18 March 2027. For example, this will require bringing together several stakeholders, including from legal, compliance, operations and technology teams, to:
Determine application and scope, e.g. enhanced vs standard reporting,
Update incident response procedures, including training,
Extend materiality assessments to cover all third party arrangements,
Audit existing contracts to identify which arrangements are material,
Update vendor policies to factor in pre-commitment notifications,
Assess whether contracts need changing e.g. to collect information about the supply chain, and
Identify alignment with work done to implement comparable rules under e.g. the EU Digital Operational Resilience Act or PRA SS2/21.
CCPs should note that the Bank of England’s policy statement also includes a consultation on an existing requirement for central counterparties to report operational incidents. Responses are requested by 18 June 2026.
The FCA says it will review the policies two years after implementation. In the meantime, the regulators will use the information they collate – in particular via registers – to help them identify vendors which may need to be designated under the critical third parties regime.