Cyber risk has shifted from a technical issue to a systemic one, and Britain’s financial regulators are making that reality unmistakably clear. On March 18, 2026, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England announced a new, unified cyber and operational resilience framework that strengthens the requirements on how firms must prepare for, respond to, and report service disruptions.
The changes reflect an uncomfortable truth for the sector: cyber incidents are no longer rare, contained events. They are frequent, increasingly severe, and often triggered by weaknesses deep in the supply chain rather than in a firm’s own systems.
This approach builds on the UK’s operational resilience regime introduced in 2021, but goes further by explicitly integrating cyber incidents, technology outages and third party failures into a single supervisory lens. Firms must now demonstrate they can stay within defined “impact tolerances,” limits beyond which disruption would cause intolerable harm to consumers or market stability, even during severe cyber events. The final rules will apply to regulated firms beginning on March 18, 2027.
A single reporting regime
At the heart of the framework is a new, unified incident and third party reporting system. Under the rules, firms must submit reports on “operational incidents” through a single portal (regardless of the regulator(s) the report is intended for), replacing fragmented notification processes that previously varied by regulator and incident type. An operational incident is defined as a single event or series of linked events which disrupts the firm’s operations such that it:
- Disrupts the delivery of a service to an end user external to the firm; or
- Impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.
The final rules include greater guidance on what constitutes an operational incident, including what constitutes a series of linked events, and thresholds and factors to consider when assessing whether a disruption rises to the level of an operational incident under the framework. Note, however, that while the definition is common across the regulators, the thresholds for reporting vary.
Crucially, responsibility for reporting does not shift if the root cause sits with a supplier. The financial regulators have been explicit: accountability stays with the regulated firm, regardless of whether a cloud provider, payments processor, software vendor, or other third party supplier was involved.
The framework also introduces enhanced requirements around supply chain visibility. Firms must maintain clear, up-to-date records of their critical third party dependencies and demonstrate how they would respond if one of those providers failed. Firms must register their “material third party arrangements” annually and notify the regulator of any new or significant changes to material third party arrangements. A material third party arrangement is defined as an arrangement of any form between a firm and a person who provides a product or service to the firm that is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
- Cause intolerable levels of harm to the firm’s clients,
- Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system, or
- Cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles or under SYSC 15A (Operational resilience).
How the UK approach differs from Europe
While the UK shares objectives with the EU’s Digital Operational Resilience Act (DORA), the regulatory philosophy is different. DORA is highly prescriptive, setting detailed technical controls and tight notification deadlines. The UK framework, by contrast, is outcomes-focused: firms are given flexibility in how they achieve resilience, but far less latitude if they fail to deliver it in practice. Reporting thresholds are tied to harm, disruption, and systemic risk, consistent with the UK’s wider operational resilience framework built around important business services and impact tolerances. With this distinction, UK regulators are signaling that well-designed documents and policies will not be enough. They expect firms to evidence resilience through mapping, scenario testing, and proven recovery capabilities.
Incident Reporting
The March 2026 UK framework introduces a single reporting channel usable across the FCA, PRA, and Bank of England, as well as clear thresholds determining when incidents are reportable. Reporting timelines are less rigidly fixed in hours and more closely tied to materiality and impact. This contrasts with DORA, which mandates very rapid reporting – initial notification can be required within hours of determination of a major Information and Communication Technology (ICT) incident.
Third Party and Supply-Chain Oversight
Both regimes require covered firms to maintain registers of certain third party agreements. UK firms must maintain an annual register of all material third parties. The scope of this requirement is likely broader than the DORA requirement to maintain a register of ICT contracts. The UK framework further requires notice to regulators upon certain changes to material third party arrangements.
DORA embeds third party oversight directly into the regulation by mandating contractual provisions (such as audit rights and termination clauses, for example) and subjecting certain critical ICT providers to direct EU-level oversight. Under the UK framework, material third parties are not directly regulated, and firms must accept full accountability for incidents caused by suppliers. The UK has, however, established a Critical Third Party Regime, which exists alongside the March 2026 reporting rules, whereby certain technology providers can be directly designated and overseen by regulators.
What firms should be doing now
Although the framework’s full reporting regime takes effect in stages, over the course of the next year firms should be focusing on:
- Re-testing severe cyber scenarios, including supplier outages
- Strengthening crisis communications, assuming core systems are unavailable
- Validating third party resilience, not just contractual assurances
- Integrating cyber, operational resilience and risk functions, rather than running them in silos
Firms will want to ensure that they are resilient in practice, as well as on paper.
