FCA Confirms Mandatory Cyber Incident Reporting Rules: What UK Firms Must Do by March 2027

The UK's Financial Conduct Authority (FCA) formally confirmed new rules today requiring financial services firms to report cyber incidents and third-party disruptions with significantly greater precision and speed. Published as Policy Statement PS26/2, the rules come into force on 18 March 2027, giving firms exactly 12 months to prepare before enforcement begins.

The final framework was developed jointly with the Prudential Regulation Authority (PRA) and the Bank of England, and it replaces a patchwork of inconsistent reporting practices that regulators and industry had complained about for years. The announcement lands against a backdrop of accelerating threat activity in the financial sector. Attackers are increasingly exploiting the interconnected nature of financial services — not by breaching individual firms directly, but by targeting the cloud providers, managed service firms, and technology vendors those firms depend on. The FCA cited its own data showing that in 2025, more than 40 percent of all cyber incidents reported to the regulator involved a third party. Two incidents that drew particular scrutiny were a Cloudflare outage caused by a storage provider failure and a congestion event linked to AWS infrastructure — both of which cascaded across multiple regulated firms simultaneously. Those episodes made clear that existing reporting rules were not designed for a world where a single vendor failure can trigger a sector-wide incident.

Second-order implication
A 40% third-party origin rate means the FCA's current incident picture is structurally incomplete — firms were self-assessing which third-party events met a reporting threshold, with no standardised test. The new MTP register will, for the first time, let the regulator cross-reference incident reports against known supply chain exposures. That shifts the dynamic: the FCA will know which vendors a firm relies on before an incident occurs, not after.
Mark Francis, the FCA's Director of Specialists and Wholesale Sell-Side, described the changes as giving firms "clearer rules and practical guidance" to manage disruption, while enabling the regulator to gather better data to spot risks and strengthen sector-wide resilience. — FCA News, 18 March 2026

The Problem the Rules Are Designed to Fix

Inconsistency was the central complaint from both regulators and industry before today's announcement. Firms had different internal interpretations of what constituted a reportable incident, what level of detail was required in a report, and which regulator to notify when a firm was supervised by more than one authority. Dual-regulated firms — those overseen by both the FCA and the PRA — sometimes submitted duplicative reports with conflicting information, undermining the regulator's ability to build an accurate picture of systemic risk. The Treasury Select Committee had flagged these gaps as far back as 2019, following a wave of IT failures in the financial sector the previous year, and the PRA had committed to reform well before the pandemic temporarily delayed the process.

Second-order implication
Conflicting dual submissions were not merely an administrative nuisance — they created legal exposure for named senior managers. If the FCA received one characterisation of an incident's severity and the PRA received a different one, the firm effectively made two incompatible disclosures under SM&CR accountability rules. FCA Connect's single submission architecture removes that risk, but it also means a single mis-characterised report now reaches all three regulators simultaneously.

In December 2024, the FCA and PRA published linked consultation papers — CP24/28 and CP17/24 respectively — inviting industry feedback on proposed frameworks for standardised incident and third-party reporting. The response was substantial, with firms raising concerns about reporting timelines, the volume of required data fields, and how the proposals would interact with existing obligations under UK GDPR and the EU's Digital Operational Resilience Act (DORA) for firms with European operations. Today's policy statements, PS26/2 from the FCA and PS7/26 from the PRA, incorporate those responses and make meaningful concessions on complexity and burden while holding firm on the core transparency objectives.

What the New Rules Actually Require

At its core, PS26/2 defines an operational incident as any single event, or series of linked events, that disrupts a firm's operations in one of two ways: it either disrupts the delivery of a service to the firm's clients or external users, or it compromises the availability, authenticity, integrity, or confidentiality of client information or data. Not every disruption triggers a mandatory report. The FCA has set out thresholds tied to three categories of impact: actual or potential consumer harm, risk to the safety and soundness of the firm or market participants, and risk to market integrity, market stability, or confidence in the UK financial system. The PRA applies parallel thresholds focused on systemic stability, firm safety and soundness, and — for insurers — appropriate policyholder protection. In a notable concession to industry feedback on complexity, the FCA has also removed duplicative incident reporting obligations that previously applied separately to payment service providers and credit rating agencies, and has refined the overall information requirements so that the majority of firms it solo-regulates can use a shorter standard form rather than the full enhanced report.

Critically, the regulators have consolidated what was originally a three-stage submission process into a single, continuously updated report. Earlier drafts of the rules proposed separate initial, interim, and final reports — a structure that drew significant industry pushback on grounds of operational burden during active incidents. The final rules collapse these into one report filed through FCA Connect, the shared submission platform developed jointly by the FCA and PRA. The report is updated as new information becomes available, with firms required to submit as soon as a significant change in circumstances occurs. The initial filing is expected within 24 hours of a firm determining that an incident meets the reporting threshold. The PRA and FCA have both acknowledged that where an incident consumes all of a firm's operational resources, the 24-hour window may not always be achievable — and the supervisory statements allow for this in practice, provided firms do not use active incident management as a routine justification for delayed reporting.

Second-order implication
Collapsing three reports into one creates a subtle compliance trap. Under the old three-stage model, each submission was a discrete decision point. Under the continuous model, firms must now track when a "significant change in circumstances" occurs — a judgment call that sits with the incident response team during an active crisis. Without a defined escalation trigger in internal SOPs, firms risk either over-reporting minor updates (creating noise) or under-reporting material developments (creating liability). Written criteria for what constitutes a reportable update should be built into the incident response playbook before March 2027.
Note

The 24-hour initial reporting window begins when the firm determines an incident meets the threshold — not when the incident first occurs. Firms that build robust internal triage processes will have an advantage in meeting this requirement consistently without disrupting incident response.

The rules also define a separate category of obligation around material third-party (MTP) arrangements. Firms must notify the FCA of any new material third-party arrangements, and of any significant changes to existing ones. They are also required to maintain a register of all MTP arrangements and submit that register to the FCA annually. Incident reports and MTP notifications are submitted through FCA Connect, the single unified portal; the annual register is submitted to the FCA via its regulatory data infrastructure. For the purposes of the register, the definition of "material" is tied to each regulator's statutory objectives — meaning what constitutes a material arrangement for a bank supervised by the PRA may differ from what is material for a wealth management firm supervised solely by the FCA. The FCA has excluded third-country branches from the notification obligations, though they remain subject to the annual register requirement. Intra-group arrangements are only caught where there is an external third-party dependency, limiting the administrative impact on group structures.

The Single Portal and Alignment With Global Standards

One of the more practically significant aspects of the final rules is the creation of a genuinely unified submission infrastructure. FCA Connect will serve as the single portal through which firms submit both incident reports and material third-party notifications, regardless of whether the report is destined for the FCA, the PRA, the Bank of England, or some combination of all three. Dual-regulated firms will no longer need to make separate filings to separate regulators using different formats. A single submission fulfils all relevant obligations simultaneously, with the platform routing information to the appropriate supervisory authority automatically.

The FCA has been explicit that the data gathered through this system will not simply sit in a regulatory database. The regulator intends to use aggregated incident and third-party data to publish trend analysis and sector insights over time — both to help firms benchmark their own resilience posture and to identify emerging systemic risks before they escalate. During periods of widespread disruption, the FCA has indicated it will share relevant information with industry in real time, providing a channel for coordinated response that did not previously exist in a structured form. The regulator also intends to use third-party register data to map supply chain exposure across the financial sector, enabling it to identify providers that are deeply embedded in critical financial services infrastructure but have not yet been formally designated as critical third parties under the existing regime established by the Financial Services and Markets Act 2000 amendments.

Second-order implication
The FCA publishing sector-wide incident trend data creates a new form of public transparency pressure. If the regulator's annual insights report shows 22 reportable incidents in sector X and a firm in that sector has filed zero, supervisors will notice — and so will auditors, institutional investors, and board risk committees. Compliant firms that file accurately will inadvertently highlight peers that are under-reporting, raising the political cost of non-compliance beyond the formal enforcement route.
In PS26/2, the FCA stated its intention to use the aggregated data over time to publish insights and share information with industry — particularly during periods of widespread disruption and stressed market conditions — to help firms improve their operational resilience. — FCA, PS26/2 (18 March 2026)

The framework has also been deliberately aligned with international standards, notably the Financial Stability Board's Format for Incident Reporting Exchange (FIRE) — finalised in April 2025 — and the EU's DORA. This alignment is particularly relevant for firms with dual UK-EU regulatory obligations, which had previously flagged that divergent reporting regimes would create duplicative compliance overhead. While the UK rules are independent of DORA — which applies to EU-authorised entities — the structural similarities in incident definitions, reporting phases, and third-party disclosure requirements mean that firms already building DORA-compliant processes will find significant overlap with what PS26/2 demands.

The Third-Party Problem Behind the Rules

The 40-percent figure — the share of cyber incidents in 2025 that originated at third parties — is more than a headline statistic. It reflects a structural transformation in how financial services firms are built and operated. The migration of core banking infrastructure to cloud platforms, the outsourcing of payment processing, fraud detection, identity verification, and customer communication to specialist providers, and the layering of software-as-a-service tools across compliance and operations functions have created dependency chains that regulators acknowledge they cannot fully see through under existing disclosure requirements.

The Cloudflare and AWS incidents cited by the FCA illustrate the specific failure mode that concerns supervisors. Neither outage was caused by a cyber attack in the traditional sense — one involved a third-party storage provider failure, the other infrastructure congestion — but both produced disruptions that met the definition of a reportable operational incident for multiple FCA-regulated firms simultaneously. The regulator's concern is not only that such incidents occur, but that under the old reporting framework they might be reported inconsistently, incompletely, or not at all, leaving the FCA unable to assess sector-wide impact in real time or coordinate an effective response.

The new third-party register requirement directly addresses this gap. By requiring banks and other in-scope firms to disclose their material third-party arrangements annually, the FCA will, for the first time, have a structured view of the technology and service dependencies underpinning the UK financial system. The PRA has applied a proportionality carve-out: credit unions with less than £50 million in assets are excluded from the MTP register requirements, a concession made in direct response to consultation feedback about the burden on smaller mutuals. The Bank of England and PRA intend to use this data as an input into the Critical Third Parties (CTP) designation process, through which the regulators can bring major service providers within the scope of direct supervisory oversight. The first set of CTP designations is expected during 2026, and the granular third-party data flowing through the new register will directly inform which firms are considered for that status.

Compliance Risk

Firms that fail to meet the reporting thresholds or submit incomplete registers after 18 March 2027 face potential enforcement action. The FCA has reserved the right to take action against firms that fail to meet the new or clarified expectations, including in circumstances where operational outages are being widely reported in the sector.

The definition of "material" is one of the most operationally consequential questions in the entire framework, and it is where many firms are likely to make compliance errors. The FCA's Finalised Guidance FG26/4 provides practical worked examples, but the core test is tied to each regulator's statutory objectives: a third-party arrangement is material if its disruption would create an actual or potential risk to consumer harm, to the safety and soundness of the firm, or to market integrity. What this means in practice is that materiality is not determined by the size of the contract, the brand recognition of the provider, or whether the relationship is classified internally as outsourcing. A small, specialist provider of identity verification services that sits in every customer onboarding journey could easily be material. A large, well-known cloud provider used solely for internal document storage might not be. Firms need to assess materiality against observed operational dependency, not commercial significance. The PRA's supervisory statement SS2/21 on outsourcing and third-party risk management sets out further factors relevant to this assessment, and firms building their MTP registers should use it alongside FG26/4 rather than relying on either document alone.

There is also a category of third-party arrangement the FCA has explicitly flagged that many firms have not yet accounted for in their risk registers: AI-provided services. The FCA's own policy documentation acknowledges that third parties are now supplying services through AI-driven tooling at a pace regulators are still calibrating. For firms that have embedded AI tools in fraud detection, customer communication, credit decisioning, or compliance monitoring, the question of whether that AI provider constitutes a material third party is not hypothetical — it is a gap that needs answering before the first annual register is due. Where the AI service is externally hosted, where a disruption to it would affect the firm's ability to deliver important business services, and where a failure would engage consumer harm thresholds, the answer will typically be yes. Firms whose third-party inventory was built before AI tooling became operationally significant will need to review it with this category of provider specifically in mind.

Quick Materiality Test — Is Your Vendor an MTP?

A structured set of questions based on FG26/4 criteria. Not legal advice.

1. If this vendor's service was unavailable for 4+ hours, would your firm be unable to deliver a service to customers?

When the Third Party Is the Bottleneck

One question the rules create but do not fully resolve is what happens when the firm is ready to report but the information it needs to file an accurate initial submission is sitting with the third party — and the third party has not yet provided it. The 24-hour clock runs from the moment the firm determines a threshold has been met, not from when it receives a complete picture of the incident. A firm can determine a threshold is met based on the impact it is already observing on its own systems or customer-facing services, even without knowing the root cause or technical details of what happened on the provider's side. The FCA and PRA have both acknowledged that initial reports will sometimes be incomplete, and the single continuous report model is designed to accommodate this: firms are expected to update the submission as new information becomes available, including information received from the third party after the fact.

What this means in practice is that firms cannot reasonably use a vendor's silence as a reason to delay the initial filing. The obligation to report is the firm's, not the third party's, and the threshold determination can be made based on observed impact alone. The practical corollary is that firms need to be able to make a threshold determination — and initiate a report — based on incomplete information, without waiting for root cause analysis. That requires internal triage processes to be front-loaded: the question "does this meet the reporting threshold?" must be answerable before the "why did this happen?" question is resolved. For firms whose incident response procedures currently conflate the two, the 12-month window is the time to separate them.

Second-order implication
Separating "should we report?" from "why did this happen?" is a process design problem that sits between the Security Operations team (who want root cause before communicating externally) and the Compliance team (who face a 24-hour regulatory clock). Firms that have not explicitly assigned ownership of the threshold determination decision — and given that owner the authority to file without waiting for IR sign-off — will default to the slower path. That default will become a compliance failure once the enforcement date passes.

Contract terms with third parties matter here but are not sufficient on their own. A contractual right to timely incident notification from a vendor does not guarantee that notification will arrive within a useful timeframe during an active disruption. Firms should assess not only whether their contracts contain adequate notification obligations but whether those obligations are operationally realistic — whether the vendor has the internal processes to actually deliver timely notification, and whether the firm has a secondary mechanism for detecting a provider-side incident without waiting to be told. That might mean monitoring service status pages, maintaining independent observability tooling, or establishing a direct technical contact within each material third party for escalation outside normal account management channels.

Note

A firm cannot use a vendor's failure to notify as justification for a delayed report. The threshold determination — and the 24-hour clock — is based on impact the firm has already observed, not on root cause information the third party has yet to provide.

How This Fits Into the Broader Operational Resilience Framework

PS26/2 does not exist in isolation. It layers on top of the foundational operational resilience rules established by FCA Policy Statement PS21/3 and PRA Supervisory Statement SS1/21, which required firms to identify their important business services, set impact tolerances for those services, and demonstrate — through scenario testing — that they could remain within those tolerances during disruption. The deadline for full compliance with those foundational rules was 31 March 2025. Firms that completed that work are now expected to build the new incident and third-party reporting capabilities on top of it.

There is meaningful overlap between the two frameworks, but also deliberate distinctions. Under the operational resilience rules, a reportable incident is one that breaches a firm's impact tolerances for an important business service. The new incident reporting threshold under PS26/2 is broader: firms must report when an incident poses an actual or potential risk that meets the FCA's criteria, even if that risk has not yet caused a breach of an impact tolerance. The FCA has been explicit that these are not identical tests, and firms that conflate them will risk under-reporting. When an incident does disrupt an important business service, the firm is required to flag this connection explicitly in its PS26/2 submission.

There is a further connection that is easy to miss because it operates through a different regulatory instrument: the Consumer Duty. Firms subject to the Duty — which has been in force since July 2023 — are already required to deliver good outcomes for retail customers, including outcomes relating to the products and services they receive and their ability to act on their financial interests. A cyber incident or operational disruption that prevents customers from accessing accounts, processing payments, or receiving critical communications is not only a PS26/2 reporting event — it is potentially a Consumer Duty failure. The FCA's incident reporting thresholds are deliberately framed around consumer harm, and firms that have already mapped their important business services against Consumer Duty outcome requirements will recognise significant overlap between the two frameworks. What PS26/2 adds is the obligation to report that harm to the regulator promptly and in a structured format. Firms that treat PS26/2 implementation as a standalone compliance exercise, separate from their Consumer Duty governance, will create unnecessary duplication — the same incident that triggers a PS26/2 report will frequently also require Consumer Duty-level analysis of what remediation customers are owed.

Governance accountability for incident reporting has also been formalised. The PRA's supervisory statement SS1/26 identifies the Chief Operations Senior Management Function (SMF24) as the individual who should hold overall responsibility for implementing incident reporting requirements and for ensuring that internal processes enable accurate and timely submissions. The PRA has clarified, in direct response to industry questions during consultation, that it does not expect the SMF24 to personally approve the submission of individual incident reports — firms should structure oversight in whatever way is most effective for their business. Where a firm does not have an SMF24, responsibility must be clearly allocated to a named senior manager. This named-accountability structure aligns with the broader Senior Managers and Certification Regime (SM&CR) and means that reporting failures will not be treated as anonymous organisational failures — they will be attributable to specific individuals.

Second-order implication
Named personal accountability under SM&CR means that a pattern of late or incomplete PS26/2 reports is not merely a firm-level compliance gap — it is potentially a fitness and propriety question for the named SMF24. Supervisory engagement following a reporting failure may include questions directed at the individual, not just the firm. SMF24 holders who are not actively overseeing the PS26/2 implementation programme between now and March 2027 are accumulating personal regulatory risk, not just corporate risk.

What Firms Should Be Doing Now

The 12-month window between today's publication and the 18 March 2027 enforcement date is longer than many similar regulatory implementation periods, but it is not as generous as it might appear. Firms need to map their current incident detection and escalation processes against the new threshold definitions in PS26/2 and identify where gaps exist. Internal triage procedures need to be updated so that the question of whether a regulatory report is required is answered quickly and consistently — because the 24-hour clock starts when the firm makes that determination, not when the incident begins.

Third-party inventory work is equally pressing. Many firms do not currently maintain a formal register of their technology and service providers at the level of granularity that the material third-party reporting rules will require. Building that register from scratch is a significant exercise, and the data will need to be accurate enough to withstand regulatory scrutiny from the first annual submission. Firms should also assess whether any existing third-party contracts need to be amended to ensure providers are contractually required to notify the firm promptly when a disruption occurs on their side — because a firm cannot report what it does not know about.

Firms should also think carefully about what enforcement under this framework will actually look like in practice. The FCA enters 2027 with a sharper, more data-led enforcement posture than it has operated in previous years. Its 2026 enforcement agenda has explicitly named operational resilience — including firms' ability to keep important business services within impact tolerances during disruption — as a supervisory priority. The named-accountability structure embedded in PS26/2 through SMF24 means that reporting failures will surface as individual accountability questions under SM&CR, not just as firm-level compliance gaps. The FCA has also retained the ability to make public announcements about investigations in defined circumstances, including where the fact of an investigation is already public — meaning a high-profile incident coupled with a reporting failure creates compounded reputational exposure. Firms should not assume that the 2029 joint review represents a soft enforcement horizon. The regulator has been clear that it reserves the right to act against firms that fail to meet reporting expectations from the enforcement date, including in cases where outages are being publicly reported across the sector and a firm's submission record is conspicuously absent.

The FCA is hosting a webinar on 29 April 2026, open to all in-scope firms, covering the new rules and providing an opportunity for questions. The regulator has also published Finalised Guidance documents FG26/3 (operational incident reporting) and FG26/4 (material third-party reporting) alongside the policy statement, providing practical worked examples for applying the thresholds, completing the incident form, and building the third-party register. One additional element that will affect financial market infrastructures specifically: alongside PS26/2, the Bank of England has opened a separate consultation — closing 18 June 2026 — on proposals to revoke Rule 4 of the Recognised Clearing House Rules Instrument 2018 for central counterparties, which currently duplicates the effect of the new IOREP incident reporting rules. Two years after the rules take effect, the FCA and PRA will conduct a joint review — anticipated in 2029 — of whether the policies are working as intended for both regulators and industry.

Key Takeaways

  1. Enforcement date is 18 March 2027: The rules published today as PS26/2 (FCA) and PS7/26 (PRA) come into force in exactly 12 months. There is no phased grace period — full compliance is expected from day one.
  2. A single portal replaces multiple reporting channels: FCA Connect will be the unified submission platform for incident reports and material third-party notifications across all relevant supervisory authorities, eliminating duplicative filings for dual-regulated firms.
  3. Third-party visibility is now mandatory: Firms must maintain and annually submit a register of material third-party arrangements, giving regulators a structured view of supply chain dependencies that has not previously existed at this scale.
  4. The 24-hour clock starts on threshold determination: Firms must submit an initial report as soon as reasonably practicable and within 24 hours of determining an incident meets the reporting threshold — placing a premium on well-structured internal triage and escalation procedures.
  5. Named senior managers are accountable: The SMF24 (Chief Operations function) carries explicit responsibility for incident reporting compliance under the PRA's supervisory statement, embedding personal accountability within the SM&CR structure.

The FCA's move is the clearest signal yet that the era of inconsistent, self-interpreted incident reporting in UK financial services is ending. The rules do not materially increase what firms are expected to do when an incident occurs — they increase what firms are expected to disclose, how quickly they must disclose it, and how much structural information regulators now have about the third-party landscape underlying the sector. For firms that have taken operational resilience seriously since the 2025 compliance deadline, PS26/2 represents a logical and manageable next step. For firms that have not, the 12-month window is tighter than it looks.
