My FCA is a new portal for firms

View your scheduled Connect, Online Invoicing System and RegData tasks in one place. Find out more.

Operational resilience

First published: Last updated: 31/03/2025 See all updates

Read about the importance of operational resilience and the requirements for firms.

Operational resilience is the ability of firms, financial market infrastructures and the financial sector to prevent, adapt and respond to, and recover and learn from operational disruption. Firms in scope of our operational resilience rules had until 31 March 2025 to ensure they could operate their important business services within their impact tolerances.

The importance of operational resilience

Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. We believe an operationally resilient financial system is one that contributes to making sure the UK is an attractive, safe place to do business and enhances its competitiveness.

Operational disruptions and the unavailability of important business services can cause wide-reaching harm to consumers like being unable to access their accounts or pay bills. They also pose a risk to market integrity – threatening the stability of, and confidence in, the financial system.

Operational resilience requirements for firms

In March 2021, we published our final rules and policy and a shared policy summary alongside the Bank of England (the Bank) and the Prudential Regulation Authority (PRA).

This policy statement followed our consultation paper, our shared policy summary for the consultation and the Bank’s discussion paper.

The rules apply to:

  • banks
  • building societies
  • PRA-designated investment firms
  • insurers
  • Recognised Investment Exchanges
  • Enhanced scope Senior Managers and Certification Regime firms
  • entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011
  • consolidated tape providers

Our rules and guidance came into force on 31 March 2022.

If you’re one of the firms in scope of our policy, you need to have performed mapping and testing before 31 March 2025 so that you:

  • Can remain within impact tolerances for each important business service.
  • Have made and will continue to make the necessary investments to operate consistently within your impact tolerance.

You should have: 

  • Identified your important business services that, if disrupted, could cause intolerable harm to consumers and markets.
  • Set impact tolerances for the maximum tolerable disruption to your important business services without causing harm to consumers, firms or markets.
  • Identified any vulnerabilities in your operational resilience through testing and be on track to remediate.
  • Conducted lessons learnt exercises and identified, prioritised, and invested in your ability to respond and recover from disruptions as effectively as possible.
  • Developed internal and external communications plans for when important business services are disrupted.

Firms’ progress with implementation – our observations

To understand how firms have been tracking to meet their operational resilience requirements, we set out insights on key aspects of our policy and guidance. This is to help firms assess their preparations towards meeting our regulatory deadline in March 2025. Read our insights and observations to:  

  • Review your firm’s approach.
  • Assess your readiness to comply by 31 March 2025.
  • Consider areas of our policy your firm could improve on.

CrowdStrike incident insights and observations

We set out how firms responded to the widespread CrowdStrike incident that took place on 19 July 2024, and their preparedness for future incidents, in line with our operational resilience policy. 

Read our CrowdStrike outage insights to:

  • Consider the lessons learned.
  • See what next steps your firm can take to better prepare for incidents.
  • Learn from examples of good practice and areas your firm could strengthen.

Reporting an operational incident

Under Principle 11 of the FCA’s Principles for Businesses, firms are required to deal with the FCA in an open and cooperative way and to disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice. SUP 15.3 sets out additional rules and guidance on when the FCA would expect notice of matters relating to a firm. This means that the FCA is likely to expect a firm to report material operational incidents to the FCA. An incident may be material if it:

  • Results in a significant loss of data.
  • Results in the unavailability or control of your IT systems.
  • Affects a large number of customers.
  • Results in unauthorised access to your information systems.

Note that this list is not exhaustive. Payment service providers should also be aware of their obligations to report major operational or security incidents under the Payment Services Regulations 2017 (the PSRs). SUP 15.14 sets out additional directions and guidance on this obligation.

If you consider the incident to be material, please report it to us by:

  • Contacting your named FCA supervisor, if you have one.
  • Using the channels on our contact page if you don’t have a named supervisor.
  • Informing the PRA if your firm is dual-regulated (by both the FCA and PRA).
  • By following any specific rules or directions that apply.

You should also consider whether you may need to report the incident to anybody else:

  • If you believe the incident is criminal, you should contact Action Fraud via its website or by calling 0300 123 2040.
  • If the incident involves a data breach, you may need to report it to the Information Commissioner’s Office. Note they require you do this within 72 hours of becoming aware of the breach, where feasible.
  • For cyber incidents, you may need to report it to the National Cyber Security Centre.
  • It also helps other firms if you can share details of the incident on the CiSP platform. Fighting cybercrime must be a collaborative effort.

Authorities' Response Framework

In the event of a major operational disruption in the financial sector, we may use the Authorities' Response Framework (ARF) to coordinate a joint response with the other financial authorities including the Treasury and the Bank of England. 

Disruption in one part of the sector can spread to another, and to the wider economic system. The financial authorities have a crucial role in reducing the effects of this and ensuring stability. 

This joint framework has an overall governing body comprised of senior representatives from FCA, PRA and His Majesty’s Treasury (HMT). It enables the authorities to coordinate a response to an incident, while evaluating and responding to the impact of it against their own statutory objectives. We work to ensure the relevant markets function well, and through the framework we strive to reduce harm to consumers and markets.

See more information on the ARF.

Proposed new requirements for operational incident and third party reporting

On 13 December 2024, we launched our consultation: CP24/28: Operational Incident and Third Party Reporting, proposing new incident and third party reporting requirements for financial services firms.

Firms face growing challenges to remaining operationally resilient. When operational incidents do occur, disruption to firms and the services they provide can harm consumers and the wider sector. Currently, some firms are unclear on how to report such incidents, often leading to inconsistencies in how they are reported to us. These gaps make it harder to manage the impact of these incidents.

We have set out our proposed new approach for firms to report incidents to us, helping us effectively respond to incidents and understand their impact, as well as the steps firms are taking both individually and across the sector. We also want to understand more about firms’ important third party suppliers (material third parties), especially as many firms are increasingly reliant on third party services, with many operational incidents originating there. This will help us address risks at individual firms and systemic risks, where many firms rely on the same third parties.

We are proposing clearer and more consistent incident and third party reporting requirements for firms, providing better guidance and structure. These proposals aim to enhance incident and third party risk management, strengthen firms’ operational resilience, and minimise harm. 

We developed these proposals jointly with the PRA and the Bank. The consultation closed on 13 March 2025. 

Overseeing critical third parties

Financial firms and market infrastructures (FMIs) have become increasingly reliant on the services of a small number of third parties, known as critical third parties (CTPs). Disruption to or failure by one of these third parties, such as a cyber-attack or power outage, could affect many consumers and firms, and even threaten financial stability or confidence in the UK financial system.    

The Government gave financial regulators new powers in the Financial Services and Markets Act 2023 to oversee the resilience of the services CTPs provide the financial sector, that may pose systemic risks if disrupted.  

On 12 November 2024 we, alongside the Bank and PRA, set out how we intend to use our new powers to oversee critical third parties.  

The financial regulators have worked together and engaged with industry to develop the CTP regime. The new rules align closely with international standards and similar regimes in other jurisdictions.  

What this means for firms and FMIs in scope of our operational resilience rules 

The CTP oversight regime will not change the accountability of firms, their boards and senior management for:

  • Remaining operationally resilient.
  • Complying with our existing outsourcing and operational resilience rules, including when they rely on services provided by third parties.  

The final rules will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole.

Complete our cyber and operational resilience questionnaires

To help firms, as well as us, to understand their cyber resilience capability at a high level, with the PRA we’ve developed a self-assessment questionnaire. CQUEST consists of 50 multiple-choice questions covering aspects of cyber resilience, such as: 

  • Does your firm have a board-approved cyber security strategy?
  • How does it identify and protect its critical assets?
  • How does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot for firms' cyber resilience capability and highlights areas for development.

If you would like to complete CQUEST, please email your supervisor, copying in [email protected].

The FCA has also created a broader operational resilience self-assessment questionnaire called ORQUEST to help firms, as well as us, understand their operational resilience capabilities, including their cyber capabilities.

If you would like to complete ORQUEST, please email your supervisor or portfolio lead, copying in [email protected].

CBEST - cyber resilience assessment

We also use CBEST − a targeted assessment tool to help us assess firms’ cyber resilience by using live penetration testing that mimics the actions of cyber attackers. It enables regulators and firms to better understand vulnerabilities and take remedial actions, strengthening the resilience of individual firms and the wider financial sector.

Each year, we, alongside the PRA publish our annual thematic analysis of CBEST assessments, highlighting cyber resilience observations from CBEST, such as cyber defences, as well as detection and response capabilities against cyber threats.

We encourage firms’ cyber security teams and senior managers to consider our observations in our latest annual CBEST thematic analysis

: Editorial amendment tense change following 31 March 2025 deadline.
: Link added CBEST - cyber resilience assessment
: Information added Proposed new requirements for operational incident and third party reporting
: Information added Critical third parties to the UK financial sector
: Information added CP24/3: Quarterly Consultation Paper No. 43
: Editorial amendment page update as part of the website refresh
: Information changed To reflect that our rules and guidance came into force on 31 March 2022
: Information added Authorities' Response Framework section
: Information added Cyber Resilience updated to Operational Resilience.

In this section

CrowdStrike outage: lessons for operational resilience
Operational resilience: insights and observations for firms
Russian invasion of Ukraine: operational and cyber resilience
Operational resilience insights for insurance firms

Related content

PS24/16: Operational resilience: Critical third parties to the UK financial sector