We’ve confirmed new rules to make existing incident and third party reporting clearer, more consistent, and easier for firms to follow.
These new rules will help us respond quickly to disruption such as a cyber attack or power outage, give firms greater certainty on what to report and when, and strengthen firm resilience to better protect consumers and markets.
Cyber attacks are becoming more frequent and more sophisticated, and firms are increasingly reliant on third party providers. In 2025, over 40% of cyber incidents reported to us involved a third party and we have seen several recent high-profile incidents impacting the financial services sector including the Cloudflare and AWS outage. Clear and timely reporting will help us identify risks and respond effectively.
What’s changing
Firms don’t always report incidents consistently and industry have told us they want more clarity on what to report and what information to provide.
In December 2024, we consulted (PDF) on clearer, more structured reporting frameworks. We listened to feedback and streamlined our final reporting requirements to reduce unnecessary burden, while also making sure we get the information we need to assess impact early and effectively respond to disruption.
For both of our incident and third party reporting final rules, we have:
- Created a simple, streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England including a single reporting portal.
- Removed duplicative incident reporting for payment service providers and credit rating agencies.
- Refined the overall information required, allowing most of the firms we solo regulate to complete a short form to tell us about their incident.
- Added clearer guidance on thresholds, definitions and responsibilities.
Mark Francis, director of specialists and wholesale sell-side at the FCA, said:
'Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.
'These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.'
Over time, we will use this data to share insights and trends to help firms bolster their operational resilience, and to share relevant information with industry where appropriate during widespread disruption, particularly in stressed market conditions.
And where disruption occurs at a third party, the data will help us see through firms’ supply chains to identify which services are the most exposed and help us identify potential critical third parties to the UK financial system.
A more resilient financial sector will help lay the foundations to support growth and deepen trust in firms and the services they provide.
New finalised guidance
Alongside our final rules, we are also publishing Finalised Guidance for both incident reporting (PDF) and third party reporting (PDF).
This includes:
- Clear examples of what firms should report.
- Help applying the thresholds.
- Guidance on completing the incident form and third party register.
This is in response to feedback that firms want greater clarity and practical support.
What firms need to do next
Firms have 12 months to prepare before the new rules come into force on 18 March 2027.
We are hosting a webinar on 29 April 2026 and invite firms to join us to find out more about our new rules and ask questions. Please register to take part in the webinar.
Two years after implementation, we will review the regime to ensure it works effectively for firms and delivers the outcomes we expect.
Facts Only
* The Financial Conduct Authority (FCA) is implementing new rules for incident and third-party reporting.
* The changes aim to improve the speed and consistency of responses to disruptions like cyberattacks and power outages.
* The rules are intended to increase firm resilience and protect consumers and markets.
* Cyber attacks involving third parties are increasing, with over 40% of 2025 reported incidents linked to them.
* The Cloudflare and AWS outage highlights the need for timely reporting.
* A new, streamlined reporting regime is being created, including a single reporting portal.
* Duplicative incident reporting for payment service providers and credit rating agencies is being removed.
* Most firms solo-regulated by the FCA will be able to complete a short form to report incidents.
* Clearer guidance is being added regarding thresholds, definitions, and responsibilities.
* Mark Francis, director of specialists and wholesale sell-side at the FCA, supports the changes.
* The FCA intends to share data insights to help firms bolster operational resilience.
* Data will be used to identify exposed services within supply chains and critical third parties.
* New finalised guidance is being published alongside the final rules.
* Firms have 12 months to prepare for the new rules, effective 18 March 2027.
* A webinar is being hosted on 29 April 2026 to discuss the new rules.
* The regime will be reviewed two years after implementation.
