Overview
The FCA and PRA are prioritising stronger operational resilience, expecting firms to embed robust controls, stress testing and third‑party oversight into their risk culture and core decision‑making. In this blogpost, we consider the following recent key publications aimed at strengthening firms' ability to mitigate and manage risks associated with operational disruptions:
- FCA and PRA policy statements and final rules on operational incident and third-party reporting;
- FCA insights and observations following a review of firms’ annual operational resilience self-assessments; and
- Cross Market Operational Resilience Group (CMORG) firm guidance on frontier AI.
Taken together, these publications highlight that firms must move beyond compliance and proactively embed operational resilience across their business to ensure readiness for disruption and emerging risks.
FCA and PRA policy statements
In March 2026, the PRA and FCA published long‑awaited policy statements with final rules on operational incident and third‑party reporting (PRA PS7/26 and FCA PS26/2).[1] (We considered the regulators' consultation papers in a previous blog post.)
The new rules introduce a single framework for regulatory reporting which will come into force on 18 March 2027, with the regulators committing to review the rules after two years. In summary:
Operational incident reporting
A unified incident definition
Both regulators now use a single definition of an operational incident: a disruption (or series of linked events) that either:
- disrupts the delivery of a service to an external end user; or
- compromises the availability, integrity, confidentiality or authenticity of data relating to that end user.
Routine, controlled outages are not reportable, unless they go wrong and the resulting impact breaches reporting thresholds.
Different thresholds, shared discipline
While the definition is harmonised, reporting thresholds are not. They reflect each regulator’s statutory objectives:
- The PRA focuses on risks to safety and soundness, policyholder protection and (for certain firms) UK financial stability.
- The FCA focuses on consumer harm, market integrity and confidence in the UK financial system.
Dual‑regulated firms should expect some incidents to be reportable to only one regulator.
Crucially, firms do not need to report near misses or uncrystallised events, and thresholds are assessed using information available at the time.
Faster timelines, fewer forms
For PRA firms and larger FCA firms subject to “enhanced” reporting, the regulators have converged on a single, updateable report:
- Initial notification: as soon as practicable and within 24 hours of determining the incident is reportable (or four hours for payment service providers);
- Interim updates: where there are significant changes in circumstances; and
- Final update: within 30 working days of resolution (and in any event within 60 working days).
Smaller FCA solo-regulated firms will generally submit a single short report.
All reports are submitted via FCA Connect, and for dual‑regulated firms a single submission is shared with both regulators. Reporting is strictly entity‑level, not group‑level - an important operational point for complex groups.
Third‑party arrangements
Beyond outsourcing
The new regime deliberately goes wider than traditional outsourcing. A “third‑party arrangement” captures any arrangement with a service provider, including intragroup arrangements and services the firm could otherwise perform itself.
When does an arrangement become “material”?
Materiality depends on the regulator:
- The PRA focuses on safety and soundness, policyholder protection and, for certain firms, financial stability.
- The FCA focuses on client harm, market integrity and resilience.
However, the regulators’ policies and definitions are aligned in substance: a firm needs a defensible, well‑documented materiality assessment, applied consistently across the organisation.
Notification and annual register
Firms must do both of the following:
- Notify regulators when entering into, or significantly changing, a material third‑party arrangement.
- Maintain and submit annually a register of material third‑party arrangements via FCA RegData.
Notifications should be made early and before commitments are finalised, but firms should not expect regulatory sign‑off - the process is not an approval gateway.
Immediate steps for firms
To prepare for the new rules, key priorities for firms are:
- Start implementation planning early - conduct a focused gap analysis against the new rules, and map overlaps and divergences with the EU Digital Operational Resilience Act (DORA) and international practice and standards, to avoid duplication of effort. Consider how to comply with the new standardised reporting process and make any necessary process, documentation and technology changes. Will staff training be required, or otherwise beneficial?
- Tighten incident escalation and reporting - review how incidents are identified, assessed and escalated. Can the firm reliably determine reportability within 24 hours? Are thresholds and decision‑making clear and consistently applied?
- Rebuild third‑party inventories - refresh third‑party mapping to capture both outsourcing and non‑outsourcing arrangements, including intragroup dependencies, and test materiality assessments in practice.
- Clarify governance and ownership - incident reporting and third‑party reporting cut across operations, IT, procurement, compliance and resilience teams. Clear ownership, senior accountability and coordination are critical.
The new reporting requirements will help the FCA and the PRA to understand the impact of incidents and how firms are responding to them, at both an individual and a sector level. In particular, more granular and consistent data will assist the regulators in building up a picture of industry interconnectivities and of reliance on third parties and emerging technologies. The regulators are engaging with firms in the lead-up to the new requirements coming into force, to support them in adapting to the reporting regime and reporting technologies.
FCA insights and observations on firms’ operational resilience self-assessments: one year on
The FCA has published a series of insights and observations on firms’ operational resilience self-assessments, detailing good and poor practice following a review to mark one year after the end of the operational resilience transition period.
We summarise some of the FCA's key findings in the table below:
| Requirement | Good practice | Poor practice / areas for improvement |
|---|---|---|
| Important business services and impact tolerances: firms must identify their important business services, set impact tolerances for each, and regularly review both. | | |
| Mapping resources: firms must identify and document the people, processes, technology, facilities and information needed to deliver each of their important business services, including any relationships with third parties that could threaten their ability to remain within impact tolerance. | | |
| Scenario testing: firms must develop and maintain testing plans that show they can remain within impact tolerances for each important business service through severe but plausible disruptions. Firms must test scenarios that vary in nature, severity and duration, and that are aligned to their risks and vulnerabilities. | | |
| Vulnerability management: firms' mapping and scenario testing must identify vulnerabilities that could prevent them from remaining within impact tolerance during a disruption. The self-assessment should include enough detail for the board to make informed decisions about where the firm prioritises improvements so that these vulnerabilities can be remediated. | | |
| Communications plans and strategy: firms must maintain an internal and external communications strategy that delivers clear, timely and relevant messaging during operational disruptions. | | |
| Governance: boards must review and approve the self-assessment documentation. Board and senior-level accountability and responsibility help embed operational resilience into strategy and risk frameworks. Strong governance makes decision-making clear and aligned with regulatory expectations, protecting consumers and markets even during the most severe disruptions. | | |
Actions for firms
Overall, the FCA found strong engagement and good progress across all areas of the operational resilience requirements. However, it has emphasised that operational risk is not static or a standalone exercise; firms need to take a dynamic approach, treating resilience as a core business capability that is integrated into strategic planning, product development and customer engagement. Firms should review the good and poor practice examples that the FCA has set out, taking into account their firm’s approach to operational resilience and readiness to remain within impact tolerances for all important business services. Firms should also consider whether there are any areas highlighted where they could make improvements.
CMORG firm guidance for frontier AI
In June 2026, CMORG published firm guidance for frontier AI. Not long before this, in mid-May 2026, the FCA, the Bank of England and HM Treasury issued a joint statement setting out their collective position on frontier AI models and cyber resilience, highlighting that regulated firms and FMIs need to take action to plan for and mitigate cybersecurity risks posed by frontier AI. Among other things, the regulators and HM Treasury called on firms to take note of relevant publications in this space, including from CMORG and the National Cyber Security Centre (NCSC). The FCA has recently added a new section with links to relevant resources on frontier AI to its operational resilience webpage, in recognition of its considerable implications for cyber security and operational resilience.
Frontier AI models are the most advanced AI systems in development, situated at the frontier of technology's current capabilities. These models introduce new cybersecurity risks by compressing the time between vulnerability discovery and exploitation, which in turn enables attackers to act with greater speed, scale and sophistication. As a result, financial institutions face the growing challenge of maintaining resilience in an environment where the pace, volume and accessibility of cyber attacks are advancing more rapidly than the defensive frameworks that were designed to address them.
The CMORG guidance reflects a strong and emerging consensus on the core capabilities required to maintain resilience, setting out a structured and coherent approach across governance, protection, response, automation and collective resilience.
The guidance is intended to provide a practical and actionable baseline for firms to assess their current capabilities and accelerate their response to existing threats.
The guidance is structured around four interconnected themes:
- Taking control through governance, leadership and operating model shift
  - Establish strong executive ownership, oversight and close regulator engagement.
  - Ensure governance, risk and compliance can operate at speed.
  - Refresh risk positions and threat assessments regularly (including AI-driven threats), using evidence, threat intelligence and peer insight.
  - Redesign operating models, control environments and delivery frameworks for speed and scale.
  - Adapt change management and governance to enable rapid decision-making and execution.
- Protecting the organisation
  - Continuously reduce the attack surface (e.g. remove vulnerabilities, limit exposure, restrict privileges).
  - Assign clear ownership and accountability for remediation, supported by ongoing validation.
  - Treat AI systems as privileged: strict access controls, defined purposes, monitoring, human oversight and safeguards.
  - Ensure systems are designed and tested for containment, recovery and resilience under sustained attack.
- Preparing to respond at pace
  - Translate threat intelligence into action: detection priorities, telemetry, response and control validation.
  - Move to continuous, intelligence-led vulnerability management (focusing on exploitation, exposure, supplier impact and business risk, not just severity scores).
  - Accept short-term disruption from faster remediation to reduce overall risk.
  - Use automation and AI to reduce response latency, with strong governance to maintain accountability.
- Working collectively - supply chain and ecosystem risk
  - Manage risk across the full ecosystem (suppliers, software, cloud, shared infrastructure, open source, AI providers).
  - Treat the extended ecosystem as part of the attack surface.
  - Retain accountability for third-party resilience impacts.
  - Be prepared to coordinate rapid, cross-organisational remediation efforts.
The guidance will evolve over time to keep pace with and reflect developments in frontier AI, so firms should monitor for any updates to it.
Footnote
1. For completeness, the Bank of England also published a policy statement on operational incident and outsourcing and third-party reporting rules for financial market infrastructures (FMIs), but this is outside the scope of this blog post.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.