FCA confirms new incident and third party rules to bolster resilience

We’ve confirmed new rules to make existing incident and third party reporting clearer, more consistent, and easier for firms to follow.

These new rules will help us respond quickly to disruption such as a cyber attack or power outage, give firms greater certainty on what to report and when, and strengthen firm resilience to better protect consumers and markets.

Cyber attacks are becoming more frequent and more sophisticated, and firms are increasingly reliant on third party providers. In 2025, over 40% of cyber incidents reported to us involved a third party, and we have seen several recent high-profile incidents impacting the financial services sector, including the Cloudflare and AWS outage. Clear and timely reporting will help us identify risks and respond effectively.

What’s changing

Firms don’t always report incidents consistently and industry have told us they want more clarity on what to report and what information to provide.

In December 2024, we consulted (PDF) on clearer, more structured reporting frameworks. We listened to feedback and streamlined our final reporting requirements to reduce unnecessary burden, while also making sure we get the information we need to assess impact early and effectively respond to disruption. 

For both our incident reporting and third party reporting final rules, we have:

  • Created a simple, streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England including a single reporting portal.
  • Removed duplicative incident reporting for payment service providers and credit rating agencies.
  • Refined the overall information required, allowing most of the firms we solo regulate to complete a short form to tell us about their incident.
  • Added clearer guidance on thresholds, definitions and responsibilities.  

Mark Francis, director of specialists and wholesale sell-side at the FCA, said:

'Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.

'These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.'

Over time, we will use this data to share insights and trends that help firms bolster their operational resilience, and to share relevant information with industry, where appropriate, during widespread disruption, particularly in stressed market conditions.

And where disruption occurs at a third party, the data will help us see through firms’ supply chains to identify which services are the most exposed and help us identify potential critical third parties to the UK financial system.

A more resilient financial sector will help lay the foundations to support growth and deepen trust in firms and the services they provide.

New finalised guidance  

Alongside our final rules, we are also publishing Finalised Guidance for both incident reporting (PDF) and third party reporting (PDF).

This includes:

  • Clear examples of what firms should report.
  • Help applying the thresholds.
  • Guidance on completing the incident form and third party register.

This is in response to feedback that firms want greater clarity and practical support.  

What firms need to do next

Firms have 12 months to prepare before the new rules come into force on 18 March 2027.

We are hosting a webinar on 29 April 2026 and invite firms to join us to find out more about our new rules and ask questions. Please register to take part in the webinar.

Two years after implementation, we will review the regime to ensure it works effectively for firms and delivers the outcomes we expect.