Find out how to report a material operational incident and how to prepare for new reporting rules coming into force on 18 March 2027.
Operational incidents could result from events such as a cyber attack, a system change that does not go to plan, or disruption to a third party.
Firms subject to Principle 11 of the FCA’s Principles for Businesses must deal with the FCA in an open and cooperative way. They must appropriately disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice.
SUP 15.3 sets out additional rules and guidance on when the FCA would expect notice of matters relating to a firm.
Payment service providers should also be aware of their obligations to report major operational or security incidents under the Payment Services Regulations 2017 (the PSRs). SUP 15.14 sets out additional directions and guidance on this obligation.
When and how to report an incident
You should follow this process for reporting incidents until new rules are introduced in March 2027.
When to report an operational incident
This list is not exhaustive, but these indicators will help you determine if you need to report an incident. The incident:
- Results in a material disruption to the provision of your financial services.
- Affects a large number of customers.
- Results in unauthorised access to your information systems.
- Results in a significant loss of data.
- Results in the unavailability or control of your IT systems.
What to do
If you consider the incident to be material, report it to us by:
- Contacting your named FCA supervisor, if you have one.
- Contacting us using our firm notification form (SUP 15) if you don’t have a named supervisor. You can also contact us with any queries.
- Informing the PRA if your firm is also regulated by them ('dual-regulated').
- Following any sector-specific rules or directions that apply, such as those under SUP 15.14 for payment service providers.
Reporting to other authorities
You should also consider if you need to report the incident to anybody else.
- For cyber incidents, you may need to report it to the National Cyber Security Centre.
- If you believe the incident is criminal, you should contact Report Fraud via its website or by calling 0300 123 2040.
- If the incident involves a data breach, you may need to report it to the Information Commissioner’s Office. Note that they require you to do this within 72 hours of becoming aware of the breach, where feasible.
- It also helps other firms if you can share details of the incident on the CiSP platform. Fighting cybercrime must be a collaborative effort.
New rules from 18 March 2027
In March 2026 we published final rules and guidance on reporting operational incidents.
The rules will come into force on 18 March 2027 and will apply to almost all firms regulated by the FCA and to firms regulated by the PRA and the Bank of England.
- 13 December 2024: Consultation on proposals published
- 13 March 2025: Consultation closed
- 18 March 2026: Final rules and guidance published
- 18 March 2027: New rules come into force
Overview of the new rules
From March 2027 there will be a standardised process for how firms must report an operational incident if it meets one or more thresholds by posing a risk:
- Of causing intolerable levels of harm to consumers from which consumers cannot easily recover.
- To the safety and soundness of the firm and/or other market participants.
- To market stability, market integrity or confidence in the UK financial system.
Reports will be submitted on a single form through Connect, regardless of which regulator the report is for.
Most FCA solo-regulated firms will submit a short ‘standard’ report. A smaller subset of ‘enhanced’ reporting firms will need to give more information if there are significant changes to the status of an incident and to finalise their report after the incident is resolved.
We have subsumed incident reporting requirements under the Payment Services Regulations into our new framework to avoid duplication.
We have worked with the PRA and Bank of England to create a single regulatory regime. Firms also regulated by the PRA and the Bank of England can see more information about the incident reporting rules and thresholds that apply to them on their website.
Prepare for the rules
We are giving firms 12 months to prepare for the new requirements.
You should:
If the new rules apply to your firm, you should:
- Prepare now by starting to implement any changes you’ll need to make to your business.
Understanding the rules
The Policy Statement and Finalised Guidance will help you understand:
- How an operational incident is defined.
- Thresholds for when you need to report an incident.
- How you’ll need to report an incident.
- Whether your firm will be subject to standard or enhanced reporting.
Alongside our Policy Statement, we have also published reporting templates to help you get ready:
Support for firms
As well as giving firms time to prepare, we will also offer firms the training they need to embed new frameworks confidently before March 2027.
Join our webinar on 29 April 2026 to find out more about our new incident and third party reporting rules and ask questions. Register for the event.