FCA tightens third-party reporting amid rising cyber risk


The Financial Conduct Authority (FCA) has confirmed sweeping changes to how regulated firms must report operational incidents and third-party dependencies, as cyber threats continue to mount across the financial services sector. The new rules will come into force on 18 March 2027, giving firms 12 months to prepare.

The new rules are designed to help the FCA respond more quickly to disruptions such as cyber attacks or power outages, give firms greater certainty on what to report and when, and strengthen firm resilience to better protect consumers and markets.

The regulator framed the changes as part of its broader ambition to become a smarter, data-driven supervisor capable of identifying systemic risks before they escalate.

The urgency behind the reforms is underscored by a stark set of figures. In 2025, more than 40% of cyber incidents reported to the FCA involved a third party, with recent outages affecting major providers — including Cloudflare and AWS — highlighting the potential for widespread disruption.

The regulator acknowledged that firms have not always reported incidents consistently, citing a lack of clarity on what to report and what information to provide as a key driver of the overhaul.

Following a consultation launched in December 2024, the FCA worked alongside the Prudential Regulation Authority (PRA) and the Bank of England to streamline its final requirements. The resulting regime introduces a streamlined reporting framework coordinated with the PRA and the Bank of England, including a single reporting portal for firms.

The regulator has also removed duplicative incident reporting obligations for payment service providers and credit rating agencies, refined the overall information required, and added clearer guidance on thresholds, definitions and responsibilities. Importantly, most firms regulated solely by the FCA will be able to complete a short form to report their incident, reducing administrative burden while still ensuring the regulator receives the data it needs.

FCA director of specialists and wholesale sell-side Mark Francis said, “Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on. These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.”

Alongside the final rules, the FCA has also published Finalised Guidance covering both incident reporting and third-party reporting. The new guidance includes clear examples of what firms should report, help applying the thresholds, and guidance on completing the incident form and third-party register. This was developed in direct response to industry feedback requesting greater practical clarity and support.

Looking ahead, the FCA indicated it intends to use the data collected to share insights and trends with the wider industry, helping firms bolster their operational resilience over time. The FCA said the data collected will also help it identify systemic risks across supply chains, particularly where disruption originates at a third-party provider. This, in turn, will support efforts to identify potential critical third parties to the UK financial system. The FCA said it would review its new cyber rules in 2029, two years after implementation.

The FCA is hosting a webinar on 29 April 2026 and is inviting firms to find out more about the new rules and ask questions.

Copyright © 2026 RegTech Analyst