top of page
Search

FCA confirms new incident and third-party reporting rules

  • Writer: Katarzyna Celińska
    Katarzyna Celińska
  • 2 days ago
  • 2 min read

The UK Financial Conduct Authority has confirmed new rules and guidance to make operational incident reporting and material third party reporting clearer, more consistent, and easier for firms to follow. The goal is: help regulators and firms respond faster to disruption, from cyber attacks to outages, and strengthen resilience across the sector.

 

 



Context

Cyber and operational disruptions are escalating

➡️ The FCA notes that cyber attacks are becoming more frequent and more sophisticated, and firms are increasingly dependent on third parties.

➡️ In 2025, over 40% of cyber incidents reported to the FCA involved a third party.

Inconsistent reporting

Industry feedback was that reporting wasn’t consistent and firms wanted clearer thresholds and guidance. The FCA says the new regime is designed to reduce uncertainty on what to report and when.

 

Changes

One aligned regime across FCA + PRA + Bankof England

For both incidents and material third parties, the regulators created:

➡️ a single definition / approach,

➡️ single templates, and

➡️ a single reporting portal.

 

Incident reporting

FCA guidance defines an “operational incident” as a single event or linked events that disrupt operations such that it:

➡️ disrupts delivery of a service to an external end user, or

➡️ impacts availability/authenticity/integrity/confidentiality of data related to that external end user.

 

Reporting thresholds are tied to FCA objectives, including risk of:

➡️ intolerable consumer harm,

➡️ safety & soundness,

➡️ market stability / integrity / confidence.

 

The FCA distinguishes between standard and enhanced reporting.

 

Material third-party reporting

FCA guidance explicitly covers material third party arrangements, including both:

➡️ outsourcing arrangements, and

➡️ non-outsourcing dependencies (e.g., ICT products/services).

 

The FCA also introduces a structured approach:

➡️ notify new or significant changes to material third parties, and

➡️ maintain and submit an annual register of material third-party arrangements.

 

This is inspired by global direction (FSB / BCBS / DORA).

 

Implementation timeline

 

Firms have 12 months to prepare, and the new rules come into force on 18 March 2027.


 
 
 

Comments

Stay in touch

office@itgrcadvisory.com

ITGRC ADVISORY LTD. 

590 Kingston Road, London, 

United Kingdom, SW20 8DN

​company  number: 12435469

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page