
We’ve confirmed new rules to make existing incident and third party reporting clearer, more consistent, and easier for firms to follow.
These new rules will help us respond quickly to disruption such as a cyber attack or power outage, give firms greater certainty on what to report and when, and strengthen firm resilience to better protect consumers and markets.
Cyber attacks are becoming more frequent and more sophisticated, and firms are increasingly reliant on third party providers. In 2025, over 40% of cyber incidents reported to us involved a third party, and we have seen several recent high-profile incidents impacting the financial services sector, including the Cloudflare and AWS outage. Clear and timely reporting will help us identify risks and respond effectively.
What’s changing
Firms don’t always report incidents consistently, and industry have told us they want more clarity on what to report and what information to provide.
In December 2024, we consulted (PDF) on clearer, more structured reporting frameworks. We listened to feedback and streamlined our final reporting requirements to reduce unnecessary burden, while also making sure we get the information we need to assess impact early and effectively respond to disruption.
For both of our incident and third party reporting final rules, we have:
- Created a simple, streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England including a single reporting portal.
- Removed duplicative incident reporting for payment service providers and credit rating agencies.
- Refined the overall information required, allowing most of the firms we solo regulate to complete a short form to tell us about their incident.
- Added clearer guidance on thresholds, definitions and responsibilities.
Mark Francis, director of specialists and wholesale sell-side at the FCA, said:
'Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.
'These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.'
Over time we will use this data to share insights and trends to help firms bolster their operational resilience and share relevant information with industry, where appropriate during widespread disruption, particularly in stressed market conditions.
And where disruption occurs at a third party, the data will help us see through firms’ supply chains to identify which services are the most exposed and help us identify potential critical third parties to the UK financial system.
A more resilient financial sector will help lay the foundations to support growth and deepen trust in firms and the services they provide.
New finalised guidance
Alongside our final rules, we are also publishing Finalised Guidance for both incident reporting (PDF) and third party reporting (PDF).
This includes:
- Clear examples of what firms should report.
- Help applying the thresholds.
- Guidance on completing the incident form and third party register.
This is in response to feedback that firms want greater clarity and practical support.
What firms need to do next
Firms have 12 months to prepare before the new rules come into force on 18 March 2027.
We are hosting a webinar on 29 April 2026 and invite firms to join us to find out more about our new rules and ask questions. Please register to take part in the webinar.
Two years after implementation, we will review the regime to ensure it works effectively for firms and delivers the outcomes we expect.

Facts Only

* The Financial Conduct Authority (FCA) is implementing new rules for incident and third-party reporting.
* The changes aim to improve the speed and consistency of responses to disruptions like cyberattacks and power outages.
* The rules are intended to increase firm resilience and protect consumers and markets.
* Cyber attacks involving third parties are increasing, with over 40% of 2025 reported incidents linked to them.
* The Cloudflare and AWS outage highlights the need for timely reporting.
* A new, streamlined reporting regime is being created, including a single reporting portal.
* Duplicative incident reporting for payment service providers and credit rating agencies is being removed.
* Firms regulated solely by the PRA and Bank of England will primarily use a short form to report incidents.
* Clearer guidance is being added regarding thresholds, definitions, and responsibilities.
* Mark Francis, director of specialists and wholesale sell-side at the FCA, supports the changes.
* The FCA intends to share data insights to help firms bolster operational resilience.
* Data will be used to identify exposed services within supply chains and critical third parties.
* New finalised guidance is being published alongside the final rules.
* Firms have 12 months to prepare for the new rules, effective 18 March 2027.
* A webinar is being hosted on 29 April 2026 to discuss the new rules.
* The regime will be reviewed two years after implementation.

Executive Summary

The FCA is introducing revised rules for incident and third-party reporting, driven by increasing cyber threats and reliance on third-party providers. The goal is to accelerate responses to disruptions – notably cyberattacks – and provide greater clarity for firms in reporting these events. Specifically, over 40% of reported cyber incidents in 2025 involved third parties, exemplified by recent outages. The new framework consolidates reporting through a single portal and simplifies requirements for firms operating under the Prudential Regulation Authority (PRA) and Bank of England, with a focus on a shorter reporting form for solo-regulated entities. The FCA acknowledges industry feedback regarding reporting consistency and is attempting to reduce administrative burdens. The move is framed as supporting “a smarter regulator” and bolstering sector-wide resilience, using data to identify risks and share trends. The ultimate objective is to enhance the financial sector’s capacity for growth and trust. Firms have 12 months to prepare for the rules, which come into effect on 18 March 2027, with a webinar scheduled for 29 April 2026. A subsequent review will assess the regime’s effectiveness two years after implementation.

Full Take

The article presents a carefully calibrated narrative of increasing vulnerability within the UK financial sector, designed to justify regulatory intervention. The framing is almost entirely reactive – focused on *responding* to increasingly frequent and sophisticated threats rather than proactively addressing systemic weaknesses. The “40%” statistic regarding third-party cyber incidents, while alarming, is presented without a critical examination of the *nature* of those third parties – are they truly “critical” or merely vendors? The reliance on Mark Francis’s endorsement – a carefully chosen voice within the FCA – reinforces the impression of a coordinated effort. This employs the ARC-0043 Motte-and-Bailey tactic: offering a streamlined process while simultaneously amplifying the perceived threat. The repeated emphasis on “resilience” is a classic example of Systemic (ARC-0024) framing—using the concept of resilience as a justification for increased regulatory control, implicitly suggesting firms are inherently incapable of self-regulation. The timeline – a webinar in 2026, a review in 2029 – feels deliberately protracted, creating a sense of continuous vulnerability and incentivizing firms to adopt the new reporting regime regardless of its true merit. The decision to consult on the reporting framework *before* finalization suggests a tactic of ‘soft coercion’ – creating the illusion of collaborative decision-making while effectively locking firms into a pre-determined outcome. Furthermore, the call for “data sharing” raises significant concerns regarding privacy and potential misuse of sensitive information. The pattern here mirrors a common manipulation technique – obscuring the underlying power dynamics by presenting the situation as a shared challenge requiring collective action. There are no detectable patterns beyond this.

Sentinel — Likely Human

Confidence

This communication outlines new reporting rules designed to improve financial sector resilience, primarily addressing cyber risks and third-party dependencies. While the text exhibits characteristics of structured, informative communication, it leans towards a formulaic style and lacks distinctive persuasive elements, suggesting a high probability of human authorship.

Signals Detected
medium severity: Sentence length variance is moderate, with a tendency towards longer, explanatory sentences.
low severity: The text employs a balanced 'both sides' framing common in regulatory communications, lacking a distinct voice or passionate argument.
medium severity: Frequent use of transitional phrases ('however,' 'moreover,' 'furthermore') creates a somewhat mechanical flow.
low severity: Reference to the 'Cloudflare and AWS outage' lacks specific details regarding the incident's scope or impact.
Human Indicators
The inclusion of a direct quote from a regulatory official demonstrates a nuanced understanding of stakeholder needs.
The provision of downloadable PDFs containing detailed guidance suggests a practical, helpful approach.
FCA confirms new incident and third party rules to bolster resilience — Arc Codex