Insurance Update

UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now

The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.

The new rules take effect on 18 March 2027. Although framed as reporting obligations, the regime is anticipated to have wider implications for firms’ governance, incident management, and third-party risk frameworks. Firms will need to identify quickly when a crystallised incident reasonably appears to meet an FCA and/or PRA threshold, apply the relevant thresholds consistently, and configure their escalation processes to meet strict new deadlines. The third-party reporting rules will require much closer coordination across legal, compliance, procurement, outsourcing, cyber, and operational resilience teams.

What should firms do now?

Firms should begin preparations now, given the breadth of changes required and the 12-month implementation period. In particular, firms should focus on the following steps.

  • Confirm scope. Determine whether the firm falls within standard reporting (most FCA authorised firms) or enhanced incident reporting (such as banks, Solvency II firms, and enhanced scope Senior Managers & Certification Regime (SM&CR) firms). Broadly, the enhanced scope SM&CR regime covers FCA solo-regulated firms that meet certain specified qualitative and quantitative criteria, including having assets under management of £50 billion or more, calculated as a three-year rolling average. Separately, confirm whether the firm is in scope of the third-party notification and register requirements.
  • Conduct a gap analysis. Compare existing incident reporting, outsourcing, procurement, and operational resilience frameworks against the new requirements and guidance to identify gaps and prioritise remediation.
  • Recalibrate incident criteria. Align internal incident definitions, triage criteria, and escalation triggers with the new operational incident definition and reporting thresholds.
  • Build reporting processes. Ensure the firm can submit initial reports within 24 hours, provide follow-up updates where required, and, for payment service providers, meet the retained four-hour deadline from first detection.
  • Review third-party governance. Reassess how the firm identifies material third-party arrangements across both outsourcing and non-outsourcing arrangements, including intra-group arrangements that depend on outside providers. Ensure governance structures mandate that early-stage notifications are submitted to the PRA and/or the FCA before any contractual or operational commitments are finalised.
  • Prepare for the annual register. Assign ownership and put in place the data collection and validation needed to complete the required register.

Operational incident reporting

A single UK framework

PS26/2 and PS7/26 create a single UK framework for operational incident reporting across the FCA, PRA, and Bank of England. This includes:

  • a common definition of an operational incident;
  • a single reporting template; and
  • a single submission route via FCA Connect.

Dual-regulated firms will make a single submission, which is shared across regulators. This is intended to reduce duplication and improve consistency and timeliness of reporting.

The new regime also consolidates existing reporting requirements for payment service providers (PSPs) and registered credit rating agencies.

Definition and thresholds

An operational incident is either a single event or a series of linked events that disrupts the firm’s operations such that it:

  • disrupts the delivery of a service to an end user external to the firm; or
  • affects the availability, integrity, authenticity, or confidentiality of information or data relating or belonging to such an end user.

The definition is deliberately broad. It can capture related or cascading events as well as incidents involving the loss, compromise, or unavailability of customer data. It does not, however, extend to a near miss or to a planned, controlled interruption that proceeds as intended. If a planned change or intervention does not go to plan, and the resulting disruption or data impact meets the relevant reporting threshold, the incident becomes reportable.

End users external to the firm can include retail or business customers, other legal entities, trustees, market participants, supervisory regulators, and members of the firm’s group. Reportability is not limited to incidents affecting an important business service.

The PRA and FCA have adopted broadly aligned, but not identical, reporting thresholds.

The PRA requires reporting where an incident poses a risk to (i) the stability of the UK financial system (for O-SIIs and Solvency II firms), (ii) the safety and soundness of the firm, or (iii) policyholder protection (for insurers).

The FCA requires reporting where a firm reasonably believes an operational incident poses a risk (i) of causing intolerable levels of harm to consumers from which consumers cannot easily recover; (ii) to the safety and soundness of the firm and/or other market participants; or (iii) to market stability, market integrity, or confidence in the UK financial system.

Firms may use internal classification and escalation frameworks, but they should be calibrated to the PRA and/or FCA thresholds and informed by customer impact, service disruption, legal and regulatory obligations, data compromise, and wider market effects.

In practice, this means an incident may be reportable to one regulator but not the other, requiring dual-regulated firms to assess the FCA and PRA thresholds independently in each case. Where an incident meets both sets of thresholds, it should be reported accordingly. FG26/3 also makes clear that this is not a tick-box assessment and that reportability is not limited to incidents affecting an important business service. Data-loss incidents and failed planned changes can still be reportable.

Standard vs enhanced reporting

The regime introduces a two-tier model:

  • Standard reporting. Applies to a firm other than an enhanced reporting firm. It requires the submission of a single report providing basic information about an operational incident. Firms subject to standard reporting will not have to update their submission, although the FCA may engage further depending on the quality of the information submitted or the severity of the incident.
  • Enhanced reporting. Applies to an “enhanced reporting firm” as defined in SUP 15.18.3R (which includes enhanced scope SM&CR firms, banks, Solvency II firms, CASS large firms, and payment service providers). It requires a more detailed report submitted in three distinct phases over the lifecycle of an operational incident: the initial phase, the intermediate phase, and the final phase.

Key timing requirements include the following:

  • Initial report. As soon as practicable and, ordinarily, within 24 hours of determining that one or more thresholds are met.
  • Updates (enhanced firms). After each significant change in circumstances, including when the incident is resolved.
  • Final report (enhanced firms). Within 30 working days of resolution, or, if that is impracticable, as soon as practicable thereafter and no later than 60 working days, with reasons for any delay.

Payment service providers: Enhanced timing requirements

Under Regulation 99 of the Payment Services Regulations 2017, PSPs are required to notify the FCA, without undue delay, of major operational or security incidents. This obligation has, to date, been supplemented by the European Banking Authority Guidelines on incident reporting under the Payment Services Directive (the EBA Guidelines), which require PSPs to submit an initial report within four hours of first detecting such an incident.

Under the new UK framework, the EBA Guidelines will be disapplied. PSPs will instead comply with their Regulation 99 obligations solely through this new operational incident reporting regime.

However, the new framework preserves the accelerated reporting timeline for PSPs. In particular, PSPs will continue to be expected to submit an initial report within four hours of first detecting a major operational or security incident.

PSPs are therefore subject to more stringent reporting timelines than other firms in scope. In particular, the initial report must be submitted within four hours of first detection rather than within 24 hours. This reflects the time-critical nature of incidents in the payments sector and the potential for rapid consumer and market impact. As noted, PSPs are also classified as enhanced reporting firms and must therefore also comply with the requirements to provide subsequent updates and a final report, in accordance with the timelines outlined above.

Material third-party reporting

Broad scope and policy intent

The regime introduces new requirements for material third-party arrangements, defined broadly to include any arrangement (outsourcing and non-outsourcing) under which a third party provides a product or service to the firm, including intra-group arrangements and sub-contracting chains. Materiality is to be assessed by reference to risks similar to those raised in relation to operational incident reporting.

This reflects the regulators’ increasing focus on:

  • third-party concentration risk;
  • supply chain dependencies; and
  • systemic vulnerabilities arising from common providers.

FG26/4 gives practical examples of arrangements that will normally be material, such as cloud and data-centre services, cyber services, and services that underpin important business services, and of arrangements not generally expected to be material, such as consultancy, legal services, utilities, and office supplies.

Notification requirements

Firms must notify regulators when entering into, or materially changing, a material third-party arrangement.

Notifications must be made:

  • early in the decision-making process, before internal or external commitments are finalised;
  • via a single template and portal (FCA Connect); and
  • without any requirement to await regulatory approval.

The process is supervisory rather than approval-based. Firms may proceed after submission, but the FCA expects notification sufficiently early to allow any engagement it considers appropriate. For most firms, an intra-group arrangement is not notifiable if the service is provided wholly within the group and there is no external dependency in the chain.

Annual register

In-scope firms must maintain and submit an annual register of material third-party arrangements.

The regulators intend to use this data to:

  • identify systemic third-party dependencies;
  • monitor concentration risk; and
  • inform potential designation of critical third parties.

Interaction with existing operational resilience requirements

The new reporting regime sits alongside, and complements, existing UK operational resilience requirements, including the identification of important business services and impact tolerances.

Importantly:

  • reporting is not limited to important business services;
  • incidents outside IBS frameworks may still be reportable (e.g., data loss); and
  • third-party reporting extends beyond traditional outsourcing.

Firms should therefore consider the new requirements as part of an integrated operational resilience framework rather than a standalone compliance exercise.

For example, firms with EU-based affiliates should consider any overlap with the requirements of the EU Digital and Operational Resilience Act (DORA), which became applicable from January 2025. DORA includes cybersecurity requirements with respect to the ICT systems of firms, including with respect to incident reporting and operational resilience. To the extent firms do have affiliates that are subject to DORA, this could be factored into any gap analysis assessing compliance with the new rules, including whether it is possible to leverage any existing work to comply with DORA’s requirements.

Practical implications

The regime will have implications well beyond reporting itself. In particular, firms will need to ensure:

  • effective governance and ownership of incident reporting and third-party risk;
  • robust escalation frameworks to identify reportable incidents quickly;
  • consistent application of thresholds across business lines;
  • enhanced third-party risk management, including supply chain visibility; and
  • cross-functional coordination across legal, compliance, IT, procurement, and resilience teams.

Looking ahead

The new regime represents a significant step in the UK regulators’ operational resilience and third-party risk agenda.

With the implementation date of 18 March 2027 and a 12-month transition period, firms should prioritise:

  • gap analysis;
  • implementation planning; and
  • embedding the requirements into existing resilience frameworks.

More broadly, the regime signals a continued regulatory focus on data-driven supervision, systemic risk, and third-party dependencies, areas that are likely to remain a priority for UK regulators in the coming years.

These requirements sit alongside existing operational resilience requirements and should be considered as part of a broader, integrated resilience framework.


Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.


© Sidley Austin LLP
