The FCA has simplified the rules for reporting on cyber-attacks and third-party incidents.
The new policies follow the FCA’s consultation, which launched in December 2024, to understand what more structured reporting frameworks would look like. As a result, the regulator is streamlining its reporting requirements while making sure it is still informed of disruption swiftly.
The FCA said cyber-attacks are becoming more frequent and more sophisticated, and that firms are increasingly reliant on third-party providers. It noted that in 2025 over 40% of the cyber incidents reported to it involved a third party.
Changes to the final rules for both incident and third-party reporting include:
- A simple, streamlined reporting regime aligned with the Prudential Regulation Authority (PRA) and the Bank of England, including a single reporting portal.
- The removal of duplicative incident reporting for payment service providers and credit rating agencies.
- Allowing most firms the FCA solo-regulates to complete a short form to notify the regulator of an incident.
- Clearer guidance on thresholds, definitions and responsibilities.
In future, data collected through the reporting regime will be used to share insights and trends with firms to help them bolster their operational resilience.
Mark Francis, director of specialists and wholesale sell-side at the FCA, said: “Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.
“These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.”
The new rules come into force on 18 March 2027. The FCA will review the regime two years after implementation to ensure it is working effectively for firms and delivering the outcomes the regulator expects.
