New FCA Operational Incident & Third‑Party Reporting Rules: What You Need to Know
Insight Article | 01 April 2026 | UK & Europe | Insurance
In March 2026, the Financial Conduct Authority (FCA) – in coordination with the Prudential Regulation Authority (PRA) and Bank of England – published new rules on operational incident reporting and material third-party arrangement reporting.
These rules, coming into force on 18 March 2027, aim to bolster firms’ operational resilience by ensuring timely, consistent incident notifications and greater regulatory visibility of critical third-party dependencies. Below we explain what’s changing, who is affected, practical steps for compliance, and how these requirements intersect with other regimes like (UK) GDPR and international standards (such as the EU’s DORA and NIS2).
Who Do the New Rules Apply To?
Operational Incident Reporting – Broad Scope: The incident reporting requirements will cover nearly all regulated financial services firms. This includes all firms with Part 4A permission (FCA-authorised firms), payment service providers, e-money institutions, UK branches of overseas firms, trading venues like Recognised Investment Exchanges (RIEs), as well as certain market infrastructure entities (e.g. trade repositories and credit rating agencies). In short, if your firm is authorised by the FCA, it will likely fall under the new incident reporting regime.
Third-Party Reporting – Targeted Scope: The obligation to report on “material third-party arrangements” will apply to a narrower set of firms – generally those of greater systemic importance or with extensive outsourcing. In-scope firms include banks, building societies, PRA-designated investment firms, large insurers (Solvency II firms and Lloyd’s managing agents), and certain large FCA solo-regulated firms.
PRA Alignment: The PRA is introducing parallel requirements for banks and insurers, developed in tandem with the FCA’s rules. The two regulators have aligned key definitions, templates, and timelines. However, firms regulated by both the FCA and PRA should still familiarise themselves with the guidance published by each authority, as the reporting thresholds and triggers differ. This means that dual-regulated firms may find that certain incidents are only reportable to the PRA or to the FCA.
What’s Changing? – Key Points of the New Rules
These new rules significantly expand and clarify existing reporting obligations in response to industry feedback that current practices were inconsistent. Below are some key changes:
- Clearer Definitions & Thresholds: The FCA and PRA are aligned in their definition of what constitutes an “operational incident”, and each has set explicit threshold criteria for when an incident must be reported. An operational incident is essentially any event (or linked series of events) that disrupts the firm’s operations such that it either impacts customers’ services or compromises the integrity/availability of customer data. Firms only need to report incidents that they reasonably believe could cause “intolerable” harm to consumers, threaten the firm’s or other firms’ safety and soundness, or undermine market integrity or confidence.
- Streamlined Reporting Process: The FCA and PRA have created a single, unified reporting regime with a common online portal (FCA Connect) and standardised templates. Dual-regulated firms will make one combined incident report that fulfils both FCA and PRA requirements, rather than submitting separate reports to each.
- “Standard” vs “Enhanced” Incident Reports: The FCA is tailoring the reporting burden based on firm size/impact. All firms are required to submit an initial succinct report, as soon as practicable (and in any event within 24 hours), once it is determined that the reporting threshold has been met. Most solo-regulated firms will follow a standard incident reporting process, meaning that this is the only report required per incident. In contrast, larger and more complex firms will follow an enhanced reporting approach, which uses a multi-phase report structure. Following the initial report, an intermediate update is required whenever there are significant developments, and a final report is due within 30 working days after resolution of the incident.
- Annual Reporting of Material Third Parties: The rules introduce a new obligation for in-scope firms to maintain a register of all “material” third-party arrangements and submit this annually to the FCA. This annual register will give the FCA and PRA a regular snapshot of firms’ key dependencies (e.g. major cloud providers, important software vendors, outsourced operations providers, etc.). Dual-regulated firms should be aware that, whilst the FCA and PRA have issued a unified definition of the term ‘third-party arrangement’, the threshold at which each authority considers such an arrangement to be ‘material’ (and therefore subject to the annual reporting requirement) differs.
- Mandatory Notifications of New Arrangements: Going forward, when an in-scope firm enters a new material third-party relationship (or makes a significant change to an existing one), it must notify the FCA (and PRA, if applicable) at an early stage, ideally before finalising contracts or commitments. The regulators have not set a rigid deadline for these notifications; instead, firms are simply expected to notify promptly and proactively – “at an early stage” of planning. This is not an approval process – the FCA/PRA won’t sign off on the outsourcing but will be alerted so they can engage as needed.
- Reduced Administrative Burden: The rules reflect industry feedback to streamline the content of reports and provide more guidance. The FCA has reduced the number of questions in the incident report forms, only asking for essential information initially so firms can focus on managing the incident.
- Coordination with PRA: As noted, the FCA and PRA have worked jointly so that dual-regulated firms face aligned requirements. However, it’s worth noting that dual-regulated firms must still check both the FCA and PRA rulebooks for any sector-specific thresholds.
Practical Steps: How To Prepare
With the go-live date of 18 March 2027, firms have about a year to get ready. Below are practical steps financial institutions should consider to ensure compliance and enhance operational resilience:
- Familiarise Your Team with the New Definitions and Thresholds: Ensure that your operational risk, IT risk, compliance, and senior management understand what constitutes a reportable “operational incident” under the new rules. Update internal guidance to reflect the FCA’s criteria. Train staff on recognising incidents that might meet these thresholds – including less obvious scenarios. Tabletop exercises based on your business can help teams practice the judgment calls involved in threshold assessment.
- Integrate FCA Reporting into Incident Response Plans: Revise your incident response plans to incorporate the new notification requirements. When a serious operational disruption occurs, your team should have a clear procedure for quickly evaluating reportability and escalating to the appropriate decision-makers.
- Determine Your Reporting Tier – Standard vs Enhanced: Assess whether your firm falls into the “enhanced reporting” category (generally, large FCA firms or dual-regulated firms).
- Inventory and Classify Third-Party Relationships: Start building the “material third-party arrangements” register. Undertake an inventory of your existing outsourcing and third-party service providers. For each, evaluate if it meets the “materiality” test: would a failure or disruption of that service likely cause intolerable client harm, threaten your firm or the system, or undermine compliance with regulatory obligations?
- Adapt Your Third-Party Onboarding Process: Going forward, in-scope firms must notify the FCA whenever they plan to enter a new material outsourcing or service contract (or make a significant change to one). To manage this, firms should include a checkpoint in the vendor onboarding process: before final sign-off on any critical outsourcing deal, the compliance/risk team should prepare the regulator notification.
- Prepare the Annual Material Outsourcing Register Submission: Aside from one-off notifications, the first full annual register of material third-party arrangements will likely be due in 2028, a year after the rules take effect (the exact timing is to be confirmed by the FCA).
- Review Internal Monitoring: With more reporting expected, firms should ensure they have strong internal processes to detect and log operational incidents and outages, including those at third parties. For third parties, ensure your vendor management team is promptly informed of any major outages or SLA breaches by critical providers – those could be FCA-reportable incidents if clients are affected.
- Board and Senior Management Oversight: Finally, ensure your board and senior management are aware of these changes – operational resilience is a top regulatory priority. Boards should satisfy themselves that the firm’s resilience framework is updated and sufficient resource is allocated to meet the new reporting requirements.
Interaction with UK GDPR, DORA, and Other Reporting Regimes
How do these new FCA rules fit alongside other incident reporting obligations – for instance, obligations under data protection law or emerging international standards? It is crucial to understand that these regimes are distinct and compliance with one does not automatically mean you’ve satisfied the others.
- UK GDPR: The FCA’s operational incident rules focus on disruptions to services and system integrity. Not every data breach will be an “operational incident” under FCA rules – for example, a cyber-attack that compromises personal data but doesn’t disrupt services might not meet the FCA’s thresholds, yet it would still trigger a duty to notify the ICO under the UK GDPR. Conversely, a major outage of online services will likely be FCA-reportable (if consumers are significantly impacted) but may or may not require a GDPR notification, depending on whether personal data was involved.
- EU Digital Operational Resilience Act (DORA): Although DORA does not directly apply in the UK, international firms and groups should be aware of parallels. DORA, effective from early 2025 in the EU, similarly requires financial entities to report significant ICT-related incidents quickly and mandates oversight of “critical ICT third-party service providers”. The FCA explicitly sought to align aspects of its new rules with DORA to ease the burden on firms operating across jurisdictions. If your firm has EU operations, you’ll need to comply with DORA’s incident reporting (which has its own thresholds and tight timelines) in addition to the FCA’s regime for UK entities.
- NIS Regulations (NIS2): Beyond the financial sector, broader cyber incident reporting requirements are increasing. The UK government (through the proposed Cyber Security & Resilience Bill, aligning with the EU’s NIS2 directive) is expanding incident reporting obligations for operators of essential services and certain digital service providers. For example, critical infrastructure operators may soon face a 24-hour initial notification rule for cyber attacks, followed by a 72-hour full report. This is similar to the FCA’s approach and GDPR’s timeline. While banks and financial markets are generally handled by FCA/PRA rather than NIS regulators, firms at the fringes of finance (e.g. cloud service providers, payments systems designated as critical national infrastructure, etc.) should keep an eye on these developments.
The trend is clearly toward faster and broader reporting of cyber incidents across all sectors. Financial firms should cultivate a culture of prompt escalation and transparent communication with all relevant authorities when incidents occur. The new FCA rules are part of a wider regulatory push (domestically and internationally) to strengthen operational resilience through better incident data and oversight of third-party risks. Compliance teams should treat these requirements as an opportunity to enhance internal processes, not only to meet the letter of the law but to improve the firm’s own ability to withstand and recover from disruptions.
With a year until the rules take effect, now is the time to update your frameworks, educate staff, and engage with the available guidance. By doing so, firms can ensure they not only avoid regulatory breaches, but also better protect their customers and the integrity of the market.