Context
The FCA has published a policy statement and separate finalised guidance for operational incident reporting and material third party reporting, confirming new rules to make existing incident and third party reporting clearer, more consistent, and easier for firms to follow. It has also published a number of associated annexes and templates.
The FCA intends for these new rules to help it respond quickly to disruption such as cyber attacks or power outages, to give firms greater certainty on what to report and when, and to strengthen firm resilience to better protect consumers and markets.
The final operational incident reporting rules apply to all regulated firms, and the final third party reporting rules are relevant for Enhanced SMCR firms and Solvency II firms, among others.
Key points to note and next actions
Cyber attacks are becoming more frequent and more sophisticated, and firms are increasingly reliant on third party providers. In 2025, over 40% of cyber incidents reported to the FCA involved a third party, and there have been several recent high-profile incidents impacting the financial services sector, including the Cloudflare and AWS outages. Clear and timely reporting will help the FCA identify risks and respond effectively. Firms don't always report incidents consistently, and industry has told the FCA it wants more clarity on what to report and what information to provide.
The final reporting requirements follow the FCA's December 2024 consultation on clearer, more structured reporting frameworks. Based on the feedback, the FCA has streamlined its requirements to reduce unnecessary burden, while also making sure it receives the information needed to assess impact early and to respond effectively to disruption. The FCA has:
- Created a simple, streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England including a single reporting portal.
- Removed duplicative incident reporting for payment service providers and credit rating agencies.
- Refined the overall information required, allowing most of the firms it solo regulates to complete a short form to report their incident.
- Added clearer guidance on thresholds, definitions and responsibilities.
Over time, the data will be used to share insights and trends that help firms bolster their operational resilience, and to share relevant information with industry where appropriate during widespread disruption, particularly in stressed market conditions.
And where disruption occurs at a third party, the data will help the FCA to see through firms’ supply chains to identify which services are the most exposed and help it identify potential critical third parties to the UK financial system. A more resilient financial sector will help lay the foundations to support growth and deepen trust in firms and the services they provide.
New finalised guidance
The Finalised Guidance for incident reporting (PDF) and third party reporting (PDF) includes:
- Clear examples of what firms should report.
- Help applying the thresholds.
- Guidance on completing the incident form and third party register.
What firms need to do next
The new rules come into force on 18 March 2027, so firms have 12 months to prepare. Two years after implementation, the FCA will conduct a review to ensure the regime works effectively for firms and delivers the outcomes it expects.
The FCA is hosting a webinar on 29 April 2026, so firms can find out more about these new rules and ask questions.
