June 12, 2026

New Cyber Incident Reporting Rules for UK Regulated Financial Institutions


US technology providers supporting critical businesses and functions performed by UK regulated financial institutions will now face faster, more structured information requests when serious operational incidents occur. This is because the UK regulators have created a single, two-tier incident reporting regime with defined fields for initial, intermediate, and final reports. The initial report is generally expected within 24 hours of the regulated firm determining that a threshold is met (and within four hours of first detection for payment service providers), with a final report due within 30 working days of resolution.

As a practical matter, US tech companies should expect regulated financial institution clients to ask quickly for precise details about disruption, data compromise, affected services and geographies, volumes and values of impacted transactions, third-party identifiers (including legal entity identifiers, “LEIs”), and root cause and post-incident remediation, all of which map directly to mandated reporting fields. The rules take effect on 18 March 2027, with a 12-month implementation runway signalled by the FCA in March 2026; regulated financial institutions are already updating contracts, processes, and data capture to be ready.

Q1. What has changed in the United Kingdom’s cyber incident reporting regulatory framework, and why does it matter to US tech providers?

  • The FCA, PRA and Bank of England have created a new unified operational incident reporting framework for regulated financial firms. Under the unified framework, most solo-regulated FCA firms submit a concise “standard” notification once, while larger, more complex regulated firms (banks, insurers, credit rating agencies) must provide “enhanced” reporting in three phases (initial, intermediate, and final) using a single form that is updated across the incident lifecycle. Because more than 40% of cyber incidents reported to the FCA in 2025 involved a third party, the regime is designed to quickly surface vendor-related fragility across the sector. In practice, that means firms will escalate urgent, granular information requests to their tech providers early in an incident. The regulators will use these structured, faster submissions to triage sector-wide stresses, identify cross-firm third-party failures, and, where necessary, mobilize responses. Accordingly, tech vendors should assume that the timeliness, accuracy and specificity of their inputs directly influence supervisory engagement between their clients and the regulators.
  • The new rules come into force on 18 March 2027, so US and other tech providers should be prepared to support clients’ dry runs, data mapping, and contractual updates during the run‑up to the implementation date.

Q2. Which UK regulated firms must report, and when will US and other tech vendors be pulled in?

  • All FCA-authorised firms with a Part 4A permission are in scope for operational incident reporting; most will use the standard notification, while the enhanced tier captures banks, building societies, designated investment firms, insurers, payment service providers (“PSPs”), UK recognised investment exchanges, trade repositories, and credit rating agencies (“CRAs”), among others. Vendor involvement begins as soon as a regulated firm reasonably believes an incident meets one or more thresholds linked to (i) consumer harm; (ii) safety and soundness; or (iii) market stability/market integrity.
  • All tech providers and vendors (regardless of location) whose services trigger an operational incident report may be pulled in. There is no geographical restriction limiting these rules solely to UK-based vendors (most of the large cloud storage companies are US-based). Tech providers are most likely to be engaged for information purposes immediately when a financial institution identifies the operational incident as arising from a third party and needs to populate business-service-level impacts, geography, volumes, values and external communications, all of which are explicit fields in the template. Even where a root cause is shared across many different regulated UK firms (banks, insurers, consumer credit firms) because of a vendor failure, each regulated entity must submit its own report describing firm-specific impacts, so a single tech vendor outage may trigger parallel information requests from numerous UK financial institution clients reporting the same incident.

The regulators will have no direct supervisory powers over the tech provider unless it falls within the UK Critical Third Party regime.

Q3. What counts as an “operational incident” and what does not?

  • An operational incident is defined as either a single event or a series of linked events that disrupts a firm’s operations such that it disrupts service delivery to an external end user or compromises the availability, authenticity, integrity, or confidentiality of end‑user data; this aligned definition is shared across the FCA and PRA. “Linked events” include cascading or same‑root‑cause disruptions, such as a third‑party data‑centre outage cascading into a bank’s platform downtime or a configuration error triggering reconciliation failures and incorrect settlements. The definition of operational incident is not limited to cyber risk and can encompass other operational risks, but cyber risk is the focus of this article.
  • Near misses and planned, controlled interruptions that go as intended are not reportable under the incident regime. However, if a planned change fails and results in disruption that meets a threshold, the firm must report.
  • Regulated firms must assess whether an incident reasonably poses a risk against a series of qualitative thresholds: intolerable consumer harm, threat to safety and soundness, or risk to market stability/integrity. This requires a judgment to be made by the regulated firm rather than fixed quantitative triggers (as under EU DORA), so the trigger for a notification requirement may vary from firm to firm.

Q4. How fast must UK regulated firms report, and what are the three phases?

The initial phase must be submitted as soon as practicable after the firm determines a threshold is met, with the FCA expecting submission within 24 hours. PSPs must submit a report within four hours of first detecting a major operational or security incident. The intermediate phase is required when there is a significant change in circumstances, such as identifying the origin, a material escalation in impact, activation of business continuity or disaster recovery plans, meeting another authority’s reporting threshold, or resolving the incident. The final report must be filed within 30 working days of resolution, or where impracticable, as soon as practicable but no later than 60 working days, with reasons for any delay explained to the regulator.

Q5. How do UK regulated firms report?

All reports are submitted by the regulated firm through the FCA’s Connect platform. Reporting occurs at the legal-entity level, not the group level, so each affected entity within a corporate group must submit its own report describing entity-specific impacts, even if the root cause is shared. For dual-regulated firms, a single report can be directed to one or both regulators, depending on which thresholds are met initially or later, with subsequent evolution documented through the intermediate phase rather than creating a second initial report. The regulators state they maintain robust technical and organisational measures to protect the confidentiality, integrity, and availability of information submitted, aligned with recognised frameworks like ISO 27001 and NIST, a point relevant to vendors concerned about sensitive data included in client filings.

Q6. What information will UK regulated firms need, and what will vendors be asked to supply?

Initial reports focus on facts reasonably known in the early stages, including incident status, type, headline and description, severity, time of detection, actions planned and taken, and—crucially for vendors—whether a third party is the origin, in which case the third-party name and LEI are required. As the template is aligned with the FSB Format for Incident Reporting Exchange (“FIRE”) taxonomy, vendors should be prepared to describe disruption types (availability, integrity, confidentiality), classify functions, and map affected services in the firm’s internal taxonomy. Where the regulated financial institutions are PSPs, early provision of transaction metrics becomes mandatory at initial resolution or intermediate reporting, so vendors supporting payments business will need to quickly calculate and share numbers, percentages, and values of payment transactions affected for the relevant service, where available. Initial reporting is not expected to contain speculative root-cause analysis, but vendors should provide factual signals that help clients triage, within the 24-hour general expectation or the four-hour PSP rule.

Q7. What additional information will regulated firms need for intermediate updates?

Intermediate updates capture significant changes, including identification of origin, shifts in severity, activation of contingency plans, or resolution, and require updates to fields such as incident discovery method, detailed business-service impacts, disruption type, IBS classification, geographic spread, and PSP transaction metrics where relevant. Vendors should expect requests for more precise service-level data, richer narrative of actions taken, and confirmation of third-party identifiers, as the form pre-populates earlier answers and expects material updates rather than a running commentary.

Q8. What must be included in the final report, and how will regulated firms use vendor inputs?

The final report requires confirmation of the time of resolution, total service downtime, the final proportion of any impact tolerance used for important business services, and comprehensive details of public reaction, external communications, other authorities notified, affected parties, related entities, cause type, resource types and properties affected, lessons learned, and remedial actions with estimated completion dates. Any supplementary documents, such as incident reports, post-mortems, and customer communications, may be attached at any phase, though attachments are not mandatory. If the regulated firm cannot meet the 30-working-day final deadline because of complexity or reliance on third parties (e.g., tech vendors) for information, it must explain why and submit a report as soon as practicable, and no later than 60 working days.

Q9. What practical steps should US and other tech providers take now to support UK regulated clients under the new regime?

With rules effective from 18 March 2027 and a clear emphasis on cyber-related incidents:

  • US and other tech providers should map their incident reporting and post-incident review outputs to the exact fields described above so they can supply the required information within the requisite timeframe. Tech providers supporting PSPs should be ready to produce transaction counts, percentages, and values per service very quickly because PSPs must file within four hours. Tech providers should also align their internal incident categories with FIRE and ensure their teams can classify function categories and disruption types consistently with the UK templates, which reduces rework when clients compile reports. Vendors can also expect regulated firms to require assurance that the information provided to them is accurate and complete.
  • Given the regulators’ explicit assurance about FCA Connect’s confidentiality and security, vendors can support clients by sharing sensitive but necessary technical details, under appropriate contractual and legal safeguards, without assuming undue exposure from the reporting channel itself. Finally, because each affected legal entity must file separately, even for a shared vendor outage, vendors should anticipate parallel inbound requests and prepare scalable playbooks and data feeds that provide firm-specific impact analysis where possible.
