UK regulators have introduced a major update to how firms report operational incidents and manage third‑party risk.
Published in March 2026, the FCA’s PS26/2, the PRA’s PS7/26 and the Bank of England’s FMI policy together mark a clear shift from principles‑based guidance to a standardised, data‑driven operational resilience regime.
One harmonised reporting framework
For the first time, the FCA, PRA and Bank of England have aligned definitions, thresholds and timelines into a single operational incident reporting regime. Firms will submit one report, through one portal, using consistent templates.
This simplifies compliance - especially for dual‑regulated firms - while giving regulators more consistent, higher‑quality data. The approach also aligns closely with international standards such as DORA and the FSB FIRE taxonomy.
Stronger focus on third‑party risk
A key change is the new requirement to identify and report material third‑party (MTP) arrangements.
Firms must notify regulators of new or significantly changed MTPs, maintain a structured register, and submit it annually. This enables supervisors to identify critical third parties and concentration risks - recognising that resilience is increasingly shaped by shared technology, cloud and data providers.
Proportionate, but more demanding
While expectations are rising, regulators have built in proportionality. The FCA has introduced a short‑form incident report for many firms, and the PRA has tailored requirements for smaller entities.
The message, however, is clear: better data, clearer accountability and stronger third‑party oversight are now essential.
Why this matters now
With implementation set for March 2027, firms have limited time to update incident management frameworks, systems and governance. Those that act early will be better positioned to meet regulatory expectations - and manage disruption in an increasingly complex operating environment.
Operational resilience is no longer just a compliance requirement. It’s a strategic capability.
How Delta Capita can assist with turning resilience into a source of confidence
As the operational incident reporting regime evolves, credibility will be crucial. Firms that can evidence strong third‑party oversight, informed board engagement, effective scenario testing and clear recovery capabilities will be better placed to manage disruption and meet regulatory expectations.
Delta Capita brings deep expertise across operational resilience, incident reporting and third‑party risk, helping global financial institutions turn complex regulatory requirements into practical, sustainable solutions.
By combining industry insight with hands‑on delivery, Delta Capita enables firms to move beyond compliance and build resilience that protects customers, supports strategic goals and strengthens long‑term confidence.
To learn more about our Operational Resilience Health-check services, please contact:
- Martin Hillier (Global Head of Transformation & Change): martin.hillier@deltacapita.com
- Karan Kapoor (Global Head of Regulatory Consulting): karan.kapoor@deltacapita.com
- Liliana Hillebrand (Principal Consultant): liliana.hillebrand@deltacapita.com