On 18 March 2026, the Financial Conduct Authority (“FCA”), Prudential Regulation Authority (“PRA”) and Bank of England (“BoE”) (together “the Regulators”) published final policy statements[1] setting out a new, unified UK framework for the reporting of operational incidents and material third‑party arrangements, following consultations that closed in March 2025. The reforms form part of the UK regulators’ broader operational resilience agenda in response to the increasing frequency and sophistication of cyber and technology-related threats faced by financial services providers as they embed new technologies and become more interconnected through their reliance on third-party providers.
The new reporting regime comprises: (i) a standardised process for identifying and reporting operational incidents that exceed defined thresholds linked to consumer harm, market integrity and, where relevant, financial stability; and (ii) obligations on firms to notify the regulator(s) of any new material third-party arrangements, or any significant changes to existing arrangements, and to maintain a register of material third-party arrangements. The rules and guidance will apply from 18 March 2027, giving firms a 12‑month implementation window.
I. Application of the Rules
In response to feedback to the original consultations, the Regulators have sought to align their requirements in most areas, including the processes for submitting reports and notifications, in order to reduce burden on firms. Nevertheless, there remain important differences between the respective rulebooks that will need to be navigated by dual-regulated firms and groups managing the compliance of multiple types of regulated entity.
The operational incident and third-party reporting rules will apply to the following FCA and PRA-regulated firms:
FCA-regulated firms

Operational incident reporting:
- All firms with a Part 4A permission
- Payment service providers
- UK recognized investment exchanges (RIEs)
- Registered trade repositories
- Registered credit rating agencies

Third-party reporting:
- Enhanced scope SMCR firms
- Banks
- Designated investment firms
- Building societies
- Solvency II firms
- CASS large firms
- UK RIEs
- Authorised electronic money and authorised payment institutions
- Consolidated tape providers

PRA-regulated firms

Operational incident reporting:
- UK banks, building societies, PRA-designated investment firms and branches of overseas banks; and
- UK Solvency II firms, the Society of Lloyd’s and its managing agents.

Third-party reporting:
- UK banks, building societies, PRA-designated investment firms;
- UK Solvency II firms, the Society of Lloyd’s and its managing agents; and
- UK credit unions with at least £50 million in total assets.
II. Operational Incident Reporting
The Regulators have established a single, unified regime for the identification and reporting of operational incidents, underpinned by a common definition of “operational incident”. The new framework is designed to streamline existing notification obligations while ensuring that regulators receive timely and consistent information about incidents that are relevant to their statutory objectives.
Scope and Trigger for Reporting
The trigger for regulatory reporting is intentionally calibrated to capture only significant operational incidents – that is, incidents that pose a material risk to the Regulators’ statutory objectives, rather than routine operational issues.
Under the unified regime, an “operational incident” is defined as either a single event or a series of linked events that disrupt a firm’s operations such that it:
- disrupts the delivery of a service to an end user external to the firm; or
- impacts the availability, authenticity, integrity or confidentiality of information or data relating to, or belonging to, such an end user.
The concept of an “end user” is deliberately broad. It extends beyond retail and business customers to include other legal entities, trustees, market participants, supervisory regulators and members of the firm’s group.
Thresholds for Reporting
While the definition of an operational incident is common across the Regulators, the thresholds for reporting differ, reflecting the distinct statutory objectives of each authority.
- FCA: Based on the information available at the time, the reporting threshold is met where a firm reasonably believes that the incident poses a risk of:
  - causing intolerable levels of harm to consumers from which consumers cannot easily recover;
  - affecting the safety and soundness of the firm and/or other market participants; and/or
  - undermining market stability, market integrity or confidence in the UK financial system.
- PRA: Based on the information available at the time, the reporting threshold is met where the incident poses a risk to:
  - the stability of the UK financial sector;
  - the safety and soundness of the firm; and/or
  - for insurers, the appropriate degree of policyholder protection.
The Regulators have published guidance containing illustrative examples of incidents that would be likely to meet these thresholds. In practice, the divergence in statutory objectives means that some incidents may be reportable to the FCA or the PRA, but not necessarily both. Where a dual‑regulated firm is required to notify both regulators in respect of the same incident, a single submission will satisfy both requirements.
The regime does not require the reporting of uncrystallised events or near misses. However, firms should consider whether such events warrant disclosure to supervisors – for instance, under Principle 11 (via the Supervision Hub or a SUP 15 notification).
Similarly, the definition of operational incident excludes temporary, controlled and pre‑planned interruptions to services. Where a planned interruption does not proceed as intended and subsequently meets the relevant regulatory thresholds, it will become reportable at that point.
Information to be Reported and Timing of Reports
In response to consultation feedback, the Regulators have materially streamlined the information required in incident reports, particularly at the initial stage, in recognition that firms’ immediate priority (and, therefore, where time and resources will be focused) should be on resolving the incident.
The FCA has divided incident reporting into two categories:
- Standard incident reports apply to most FCA solo‑regulated firms. These reports require a limited set of information, do not need to be updated following submission, and must be submitted promptly – as soon as practicable and within 24 hours of the firm determining that one or more reporting thresholds have been met.
- Enhanced incident reports apply to larger FCA firms (including enhanced scope SMCR firms and CASS large firms), as well as dual‑regulated firms. Enhanced reporting follows a three‑phase process:
  - an initial report, submitted as soon as practicable and within 24 hours of the threshold determination;
  - intermediate updates, provided as significant developments occur; and
  - a final report, to be submitted within 30 working days of the incident being resolved. Where additional time is required, a long‑stop limit of 60 working days applies.
A specific timing carve‑out applies to payment service providers, which fall within the enhanced reporting category. These firms must continue to notify incidents within four hours of first detecting the incident. Outside this limited exception, the existing EBA Guidelines on incident reporting under the Payment Services Directive have been disapplied, and the Payment Services and Electronic Money Approach Document has been updated accordingly.
Method of Submission
All operational incident reports must be submitted via the FCA Connect platform, using the standardised reporting forms. For groups managing multiple regulated entities, a separate submission is required for each in‑scope firm. The regime does not permit consolidated or group‑level incident reporting.
III. Third-Party Reporting
The new regime introduces a harmonised framework for the notification and ongoing reporting of material third-party arrangements, reflecting the Regulators’ increasing focus on operational and systemic risks arising from firms’ reliance on third parties in the delivery of their services.
Scope – Defining “Material” Third-Party Arrangements
The Regulators introduce a common definition of a “third-party arrangement”, which is deliberately broad. It captures arrangements under which a third party – whether acting as a direct service provider or as a subcontractor – provides a product or service, or otherwise supports a firm’s operations, where a disruption or failure could affect the firm’s ability to deliver services to its clients or external users, or to meet its regulatory obligations.
A key development under the new regime is the extension of reporting obligations beyond material outsourcing[2] arrangements to include material non-outsourcing third-party arrangements. The FCA’s guidance confirms that a non-outsourcing arrangement could include, for example, buying or acquiring hardware, software or other information and communication technology products from a third party. The definition of a “third-party arrangement” is intended to reflect the wide range of third-party services or products on which firms increasingly rely, including technology, data, infrastructure and other critical services – in recognition that operational risk and systemic vulnerabilities increasingly arise from a broader range of third-party dependencies, rather than from outsourcing arrangements alone.
The definition also encompasses intragroup service providers, subject to the materiality assessment described below.
Whether a third-party arrangement is “material” – and therefore subject to notification and ongoing reporting – must be assessed by reference to the relevant regulator’s statutory objectives, and may therefore be assessed differently across the Regulators.
Under the FCA framework, a third‑party arrangement will be material where a disruption or failure in the performance of the product or service provided to the firm could:
- cause intolerable levels of harm to the firm’s clients;
- pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
- cast serious doubt on the firm’s ability to satisfy the threshold conditions, or to meet its obligations under the Principles or under SYSC 15A.
Under the PRA framework, a third‑party arrangement will be material where a disruption or failure could:
- pose a risk to:
  - the firm’s safety and soundness;
  - in the case of an insurer, an appropriate degree of protection for those who are or may become the firm’s policyholders; or
  - where the firm is, or is controlled by, an O‑SII, or is a relevant Solvency II firm, the stability of the UK financial system; or
- cast serious doubt upon the firm’s ability to satisfy the threshold conditions, the Fundamental Rules, the Operational Resilience Part, the Insurance – Operational Resilience Part, or the Operational Continuity Part.
The Regulators have published guidance to assist firms in identifying material third‑party arrangements, including illustrative examples of arrangements that are likely to be considered material and those that would be unlikely to fall within scope.
Notification Obligations
Firms are required to submit notifications in respect of all material third-party arrangements, including any new arrangements and any significant changes to existing arrangements. A change will be regarded as significant where it materially alters the nature, scale or complexity of the risks inherent in the arrangement. The Regulators have provided guidance containing illustrative examples of changes that would qualify as significant, as well as those that would be unlikely to trigger a notification requirement.
To reduce the reporting burden, the Regulators have clarified that intragroup arrangements will generally only be reportable where they involve dependency on an external third-party service provider. However, firms should not treat intragroup arrangements as inherently lower risk – materiality should be assessed by reference to the nature of the service provided and the potential impact of disruption, rather than the identity of the service provider alone.
Where a dual‑regulated firm is required to notify both the FCA and the PRA in respect of the same material third‑party arrangement, a single notification may be submitted, which will be shared with both regulators.
Requirement to Maintain a Register of Material Third-Party Arrangements
In addition to the notification requirements, firms are required to maintain an up-to-date register of material third-party arrangements, which must be submitted to the Regulator(s) annually.
The purpose of the register is to support the Regulators’ understanding of systemic third‑party risk across the financial services sector. In particular, the information contained in firms’ registers will be used to build a picture of the third‑party landscape, to identify concentrations and dependencies, and to provide insights into operational incidents that originate at, or are driven by, third‑party service providers. The Regulators have also indicated that the data collected through the registers will help inform the designation of critical third parties under the UK Critical Third Parties regime.
Both the notification and register templates are aligned across the Regulators and require firms to provide structured and detailed information about their material third-party arrangements, including, for example:
- the identity of the third-party service provider;
- a description of the services provided and how they support the firm’s operations;
- the nature of any underlying outsourcing and subcontracting;
- an assessment of the potential impact of disruption or failure; and
- relevant contractual, governance and risk management arrangements.
Method and Timing of Submissions of Notifications and Register
Notifications of material third‑party arrangements must be submitted via the FCA Connect platform, using the standardised templates that apply across the Regulators. The submission of a notification is not an approval process; rather, it is intended to ensure that regulators are informed of material third‑party dependencies in a timely and consistent manner.
While the rules do not prescribe a fixed timeline for the submission of third‑party notifications, the Regulators have made clear that they expect firms to notify at an early stage. In particular, notifications should be made before firms enter into, amend or otherwise make internal or external commitments in relation to a material third‑party arrangement, so that regulators have appropriate visibility of emerging risks.
The common templates have been designed, where relevant, to align with similar international regimes, including the EU’s Digital Operational Resilience Act (“DORA”). This alignment is intended to allow firms operating across the UK and EU to streamline third‑party reporting processes to some extent.
The register of material third‑party arrangements is subject to a separate submission process. Firms are required to submit their register annually, rather than on an event‑driven basis. Registers must be submitted via the FCA RegData platform, using the prescribed templates.
IV. Next Steps
With the regime coming into force on 18 March 2027, firms now have just under a year to implement the new rules. Therefore, firms might usefully consider taking the following actions:
- Re-assess incident identification and escalation criteria: review how operational incidents are identified, classified and escalated internally, and map those processes against the new regulatory definitions and reporting thresholds, including testing whether relevant teams can consistently distinguish between reportable and non-reportable events.
- Map existing reporting obligations to the new regime: identify which existing notifications will be subsumed by the new framework, and which will continue to exist in parallel with it (e.g., reporting obligations under DORA, PRA SS 2/21, Principle 11 notifications). Firms should consider whether legacy processes need to be retired or re-engineered to avoid duplication or inconsistency.
- Identify and document material third-party arrangements: assess third-party relationships through the lens of the new “material third-party arrangement” definition, including outsourcing, cloud, data and other critical service providers. Update relevant contractual arrangements to factor in the notification obligations.
If you have any questions concerning the material discussed in this client alert, please contact a member of our Financial Services practice.
[2] Defined in the FCA Glossary as an arrangement with a service provider to perform a process, service or activity which the firm would otherwise carry out itself.