UK FCA announces tougher cyber-incident reporting rules for financial firms
Britain's Financial Conduct Authority has confirmed that stricter cyber-incident reporting requirements will apply to financial firms starting March 2026, with a 12-month compliance window running until March 2027. The rules are not a surprise to anyone who has been watching FCA consultations over the past two years, but the formal confirmation and the hard deadline change the calculation for compliance teams across the sector.
The timing is tied directly to data the FCA has been collecting. In the 12 months preceding the announcement, more than 40 percent of cyber incidents reported to the regulator involved third-party providers rather than the firms' own internal systems. That statistic drove a specific policy decision: mandatory disclosure of critical technology dependencies will now be part of the formal reporting framework, not just a recommended practice.
What the new rules actually require
Under the updated framework, regulated financial firms must report material cyber incidents to the FCA within defined timeframes, with initial notification required within 24 hours of a firm becoming aware of a significant disruption. A fuller report detailing root cause, affected systems, customer impact, and remediation steps must follow within 72 hours. These timelines are tighter than what most firms have been working to informally.
The third-party dependency disclosure requirement is the genuinely new part. Firms will need to maintain and submit formal registers of the technology providers that are material to their operations. If one of those providers experiences an outage or breach, the financial firm is now responsible for reporting that event to the FCA even if the firm's own systems were never directly compromised. That closes a gap that regulators identified repeatedly in post-incident reviews.
Why third-party providers became the focus
Financial services firms have outsourced substantial portions of their technology infrastructure over the past decade. Cloud hosting, payment processing, identity verification, data analytics, and core banking functions are routinely handled by specialist vendors. A single vendor can sit at the heart of dozens of regulated firms simultaneously. When that vendor has a problem, the downstream effect can be wide and fast.
The 2023 MOVEit data breach illustrated this exactly. MOVEit was a file transfer tool used by thousands of organisations globally, including several UK financial institutions. When a zero-day vulnerability was exploited, firms that had no direct relationship with each other found themselves disclosing the same breach. The FCA referenced incidents of this type in its consultation documents as part of the justification for mandatory third-party registers.
The EU's Digital Operational Resilience Act, which came into force for EU financial firms in January 2025, includes similar third-party risk provisions. The FCA's rules are partly a response to that regulatory alignment pressure, and partly the product of the UK's own incident data. Either way, firms operating in both jurisdictions now face parallel obligations that will require coordinated compliance programs.
How firms are expected to prepare
The 12-month compliance window gives firms time to build or update their incident response procedures, but it is not a generous timeline for organisations that have not done this work systematically. Building a material technology dependency register requires input from procurement, IT, legal, and operations teams. Firms that have acquired other businesses in recent years often have fragmented vendor lists that have never been consolidated into a single authoritative document.
The FCA has indicated it will provide guidance on what qualifies as a material dependency, but firms should not wait for that guidance before starting. The practical test is straightforward: if a vendor went offline today and your regulated activities would be materially disrupted within 48 hours, that vendor belongs on the register. Applying that test across the full vendor list is time-consuming work.
Incident response playbooks will also need updating. The 24-hour initial notification requirement means that internal escalation paths have to be fast and unambiguous. A breach discovered on a Friday evening needs to reach someone with authority to file an FCA notification before Saturday evening. Firms that rely on manual escalation chains, where a security analyst emails a manager who forwards to a compliance officer who calls a lawyer, are unlikely to meet that window consistently.
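The register test and the notification clock described in the two paragraphs above can be expressed in code. The following is an added illustration written for this page, not the article's own material and not FCA or any firm's tooling; the vendor names, disruption estimates and incident are constructed sample data, and the only figures taken from the text are the 48-hour materiality test and the 24-hour and 72-hour reporting timelines. It also shows the consolidation step for fragmented vendor lists mentioned earlier, and flags the case the article warns about: a disruptive third-party event at a vendor that the register missed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds taken from the article: the 48-hour materiality test and the
# 24-hour initial notice / 72-hour full report timelines.
MATERIALITY_WINDOW = timedelta(hours=48)
INITIAL_NOTICE = timedelta(hours=24)
FULL_REPORT = timedelta(hours=72)


@dataclass(frozen=True)
class Vendor:
    name: str
    services: tuple           # regulated activities the vendor underpins
    hours_to_disruption: float  # estimated hours until those activities are
                                # materially disrupted if the vendor goes offline


def consolidate(*vendor_lists):
    """Merge fragmented vendor lists (e.g. from acquired businesses) into one
    list keyed by normalised name, keeping the union of services and the most
    conservative (smallest) disruption estimate."""
    merged = {}
    for vendors in vendor_lists:
        for v in vendors:
            key = v.name.strip().lower()
            if key in merged:
                prev = merged[key]
                merged[key] = Vendor(
                    prev.name,
                    tuple(sorted(set(prev.services) | set(v.services))),
                    min(prev.hours_to_disruption, v.hours_to_disruption),
                )
            else:
                merged[key] = Vendor(v.name.strip(), v.services, v.hours_to_disruption)
    return list(merged.values())


def build_register(vendors):
    """Apply the article's practical test: a vendor whose loss would materially
    disrupt regulated activity within 48 hours belongs on the register."""
    material = [v for v in vendors
                if timedelta(hours=v.hours_to_disruption) <= MATERIALITY_WINDOW]
    return sorted(material, key=lambda v: (v.hours_to_disruption, v.name))


@dataclass(frozen=True)
class Incident:
    aware_at: datetime          # when the firm became aware (timezone-aware)
    origin: str                 # "internal" or the vendor where the event occurred
    significant_disruption: bool


def reporting_clock(incident, register):
    """Decide reportability and fix the deadlines from the moment of awareness.
    A disruptive event is reportable whether it began internally or at a
    third party; a third-party origin missing from the register is a gap."""
    registered = {v.name for v in register}
    third_party = incident.origin != "internal"
    return {
        "reportable": incident.significant_disruption,
        "third_party": third_party,
        "register_gap": third_party and incident.origin not in registered,
        "initial_notice_due": incident.aware_at + INITIAL_NOTICE,
        "full_report_due": incident.aware_at + FULL_REPORT,
    }


def demo():
    """Constructed sample data (hypothetical vendors and incident)."""
    group_list = [Vendor("CloudHost", ("hosting", "analytics"), 24),
                  Vendor("IDCheck", ("onboarding",), 48),
                  Vendor("Newsletter Co", ("marketing",), 720)]
    acquired_list = [Vendor("PayRail", ("payments",), 2),
                     Vendor("cloudhost ", ("hosting",), 6)]   # duplicate, messier name
    register = build_register(consolidate(group_list, acquired_list))

    # Friday evening discovery: the clock runs into the weekend regardless.
    friday = datetime(2026, 3, 6, 19, 0, tzinfo=timezone.utc)
    vendor_event = reporting_clock(Incident(friday, "CloudHost", True), register)
    gap_event = reporting_clock(Incident(friday, "Newsletter Co", True), register)
    return {"register": [v.name for v in register],
            "vendor_event": vendor_event, "gap_event": gap_event}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `register_gap` flag is the check a practitioner would want wired into the incident process: if a third-party event causes a significant disruption but the vendor never passed the 48-hour test, the register itself needs revisiting, not just the notification.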
The enforcement picture
The FCA has enforcement tools available and has used them. In 2023, it fined Equifax's UK subsidiary 11.1 million pounds for its handling of the 2017 data breach, citing failures in incident management and consumer communication. The new reporting rules give the regulator a clearer basis for future enforcement actions, because firms will now have explicit documented obligations rather than relying on interpretation of broader conduct principles.
Firms that fail to report within the required timeframes, or that submit incomplete dependency registers, face regulatory action that can include public censure, financial penalties, and, in serious cases, restrictions on regulated activities. The FCA has signalled that it views operational resilience and cyber readiness as areas where it intends to increase supervisory intensity through 2026 and 2027.
The compliance deadline is March 2027. That gives the sector roughly two years from the announcement to have everything in place. Given the scope of the changes required, particularly the third-party dependency work, that window will pass faster than most compliance calendars currently reflect.