8 June 2026

Cyber Risk: How UK and EU banks will navigate incident reporting under EU DORA and new FCA requirements


Cyber risk in the regulated financial services sector often crosses legal entities and geographies as banking groups typically share IT infrastructure and outsourcing arrangements. In March this year, the UK regulators (Bank of England, Prudential Regulation Authority and Financial Conduct Authority) published new rules on material operational incident reporting. These rules apply to all material operational incidents, not just those relating to cyber risk. However, cyber and other IT risks will form a significant part of the operational risks reported under these new requirements. UK and EU financial firms which are part of cross-border groups may be subject to incident reporting under the new UK rules (“UK Incident Reporting Rules”), as well as under the existing EU Digital Operational Resilience Act and related delegated regulations (“DORA”). The UK Incident Reporting Rules must be complied with by 18 March 2027.

This Legal Update (a) examines how regulated firms will need to navigate both regulatory regimes where an underlying cyber incident affects both their UK and EU in-scope entities, (b) compares the key elements of the UK and EU regimes (see the comparison below), and (c) sets out recommended next steps to prepare for implementation.

Comparison by subject: UK Incident Reporting Rules vs DORA

In-scope Entities

UK Incident Reporting Rules: the standard reporting requirements have broader application; the enhanced reporting applies only to the larger, more complex firms.

  • Standard reporting: all firms with a Part 4A permission under the UK Financial Services and Markets Act (FSMA) (an authorisation to perform regulated activities in the United Kingdom).
  • Enhanced reporting: enhanced scope SMCR firms, banks, designated investment firms, building societies, Solvency II firms (insurers), CASS large firms, payment service providers, UK recognised investment exchanges, registered trade repositories, and registered credit rating agencies.
  • Third-country branches are excluded.

DORA:

  • Credit institutions, investment firms, payment institutions (including those exempted under PSD2), e-money institutions, account information service providers, crypto-asset service providers, central counterparties, trading venues, trade repositories, central securities depositories, insurance/reinsurance undertakings, managers of AIFs, management companies, IORPs, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and critical ICT third-party service providers following designation.
    Certain microenterprises, small insurance intermediaries, and small IORPs are excluded or subject to a simplified framework.
  • Third-country branches are excluded.

Timing and Implementation

UK Incident Reporting Rules: rules were finalised in March 2026 and come into force on 18 March 2027. Firms have a 12-month preparation period, with a review two years post-implementation.

DORA: already in effect; it has applied from 17 January 2025.

Definition of a reportable incident

UK Incident Reporting Rules: a single event or series of linked events disrupting the firm's operations such that it: (1) disrupts the delivery of a service to an end user external to the firm, or (2) impacts the availability, authenticity, integrity, or confidentiality of information or data relating to such an end user. The definition covers crystallised incidents only; planned, controlled interruptions that go to plan are excluded.

DORA: an "ICT-related incident" means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

Reporting is mandatory for "major ICT-related incidents", which must:
  • affect critical services (i.e., ICT services or network and information systems supporting critical or important functions, authorised financial services, or constitute a successful malicious and unauthorised access to such systems); and
either:
  • meet the data losses threshold (see below); or
  • meet two or more of the other materiality thresholds.
Quantitative materiality thresholds:
  • Clients/counterparts/transactions: >10% of clients using affected service, or >100,000 affected clients, or >30% of financial counterparts, or >10% of daily average number or value of transactions, or relevant clients affected.
  • Reputational impact: media coverage, repetitive complaints, inability to meet regulatory requirements, or likely loss of clients with material business impact.
  • Duration/downtime: incident duration >24 hours, or service downtime >2 hours for critical/important functions.
  • Geographical spread: impact in two or more Member States.
  • Data losses: adverse impact on critical services impacting the business objectives or regulatory compliance, or successful malicious unauthorised access that may result in data losses.
  • Economic impact: costs and losses exceed or are likely to exceed €100,000.

Recurring incidents (same root cause, at least twice in six months, collectively meeting the criteria) are treated as one major incident.

Reporting for significant cyber threats is voluntary. These are defined as a cyber threat with the technical characteristics which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident.
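As an added illustration (not part of this Legal Update, and not an official classification tool from either regulator), the following Python sketch encodes the DORA major-incident test summarised above: the critical-services gate, the data-losses override, the "two or more thresholds" rule, and the treatment of recurring incidents with the same root cause as one major incident. The field names, the 183-day reading of "six months", the policy for aggregating recurring events, and the sample incidents are all assumptions made for this example.

```python
"""Toy DORA "major ICT-related incident" classifier (added example, assumptions noted)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

ECONOMIC_THRESHOLD_EUR = 100_000
RECURRENCE_WINDOW = timedelta(days=183)  # "six months" approximated (assumption)


@dataclass(frozen=True)
class IncidentFacts:
    occurred: date
    root_cause: str
    # ICT services/systems supporting critical or important functions, or a
    # successful malicious, unauthorised access to such systems
    affects_critical_services: bool
    clients_pct: float = 0.0            # % of clients using the affected service
    clients_count: int = 0
    counterparts_pct: float = 0.0
    transactions_pct: float = 0.0       # % of daily average number or value
    relevant_clients_affected: bool = False
    reputational_impact: bool = False
    duration_hours: float = 0.0
    critical_downtime_hours: float = 0.0
    member_states: int = 1
    data_losses: bool = False
    economic_impact_eur: float = 0.0


def met_thresholds(f: IncidentFacts) -> frozenset[str]:
    """Names of the materiality thresholds the facts meet."""
    met = set()
    if (f.clients_pct > 10 or f.clients_count > 100_000 or f.counterparts_pct > 30
            or f.transactions_pct > 10 or f.relevant_clients_affected):
        met.add("clients_counterparts_transactions")
    if f.reputational_impact:
        met.add("reputational_impact")
    if f.duration_hours > 24 or f.critical_downtime_hours > 2:
        met.add("duration_downtime")
    if f.member_states >= 2:
        met.add("geographical_spread")
    if f.data_losses:
        met.add("data_losses")
    if f.economic_impact_eur > ECONOMIC_THRESHOLD_EUR:
        met.add("economic_impact")
    return frozenset(met)


def is_major(f: IncidentFacts) -> bool:
    """Critical-services gate first, then data-loss override or the two-or-more rule."""
    if not f.affects_critical_services:
        return False
    met = met_thresholds(f)
    if "data_losses" in met:
        return True
    return len(met) >= 2


def combine(events: list[IncidentFacts]) -> IncidentFacts:
    """Aggregate linked events. Assumption: counts and costs are summed,
    rates and durations take the maximum, boolean flags are OR-ed."""
    return IncidentFacts(
        occurred=min(e.occurred for e in events),
        root_cause=events[0].root_cause,
        affects_critical_services=any(e.affects_critical_services for e in events),
        clients_pct=max(e.clients_pct for e in events),
        clients_count=sum(e.clients_count for e in events),
        counterparts_pct=max(e.counterparts_pct for e in events),
        transactions_pct=max(e.transactions_pct for e in events),
        relevant_clients_affected=any(e.relevant_clients_affected for e in events),
        reputational_impact=any(e.reputational_impact for e in events),
        duration_hours=max(e.duration_hours for e in events),
        critical_downtime_hours=max(e.critical_downtime_hours for e in events),
        member_states=max(e.member_states for e in events),
        data_losses=any(e.data_losses for e in events),
        economic_impact_eur=sum(e.economic_impact_eur for e in events),
    )


def recurring_major_incidents(events: list[IncidentFacts]) -> list[IncidentFacts]:
    """Same root cause, at least twice within the window, collectively meeting
    the criteria: returned as a single combined major incident per root cause."""
    by_cause: dict[str, list[IncidentFacts]] = {}
    for e in events:
        by_cause.setdefault(e.root_cause, []).append(e)
    found = []
    for group in by_cause.values():
        group.sort(key=lambda e: e.occurred)
        for i, start in enumerate(group):
            cluster = [e for e in group[i:] if e.occurred - start.occurred <= RECURRENCE_WINDOW]
            merged = combine(cluster)
            if len(cluster) >= 2 and is_major(merged):
                found.append(merged)
                break
    return found


# Constructed sample incidents (not real data).
SINGLE_EVENTS = {
    "two thresholds": IncidentFacts(date(2026, 3, 2), "ddos", True,
                                    critical_downtime_hours=3, member_states=2),
    "one threshold": IncidentFacts(date(2026, 3, 9), "config-drift", True, clients_pct=12),
    "not critical": IncidentFacts(date(2026, 3, 16), "test-env-breach", False, data_losses=True),
    "data loss": IncidentFacts(date(2026, 3, 23), "credential-theft", True, data_losses=True),
}
RECURRING_EVENTS = [  # individually below every threshold, collectively above two
    IncidentFacts(date(2026, 1, 10), "expired-cert", True, clients_count=60_000,
                  critical_downtime_hours=1.5, economic_impact_eur=60_000),
    IncidentFacts(date(2026, 3, 10), "expired-cert", True, clients_count=60_000,
                  critical_downtime_hours=1.5, economic_impact_eur=60_000),
]


def classify_samples() -> dict[str, bool]:
    return {name: is_major(f) for name, f in SINGLE_EVENTS.items()}


if __name__ == "__main__":
    for name, major in classify_samples().items():
        print(f"{name}: {'MAJOR' if major else 'not major'}")
    print("recurring:", [e.root_cause for e in recurring_major_incidents(RECURRING_EVENTS)])
```

The sample set shows the two points practitioners most often get wrong: a data-loss event outside critical services is recorded internally but does not pass the gate, and two sub-threshold outages from the same root cause become reportable only when assessed together.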

Reporting Timeline

UK Incident Reporting Rules:

Standard firms: single short report; no routine updates required.

Enhanced firms:

  • Initial: as soon as practicable, expected within 24 hours of determining thresholds are met. PSPs must report within 4 hours of first detection.
  • Intermediate: upon any significant change in circumstances; firms update the same form.
  • Final: within 30 working days of resolution; extendable to 60 working days in exceptional circumstances with explanation.

DORA:

  • Initial notification: as early as possible, but within 4 hours from classification as major, and no later than 24 hours from the moment the entity became aware of the incident. If classified as major later than 24 hours after awareness, the initial notification is due within 4 hours of that later classification.
  • Intermediate report: at the latest within 72 hours from submission of the initial notification, even where status has not changed; an updated intermediate report must be submitted without undue delay when regular activities are recovered.
  • Final report: no later than one month after either the intermediate report or the latest updated intermediate report.
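The following Python example (added here; it is not from the original article or from either regulator) computes the reporting clocks from the timestamps a firm would actually hold: DORA's initial, intermediate and final deadlines from the awareness and classification times, and, for the same incident, the UK enhanced-firm deadlines. The calendar-month reading of "one month", the Monday-to-Friday working-day count with no bank-holiday calendar, the "filed at the deadline" planning assumption and the sample timestamps are all assumptions made for the example.

```python
"""Reporting-clock calculator for the DORA and UK enhanced timelines (added example)."""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta

H = timedelta(hours=1)


@dataclass(frozen=True)
class DoraClock:
    initial: datetime       # initial notification due
    intermediate: datetime  # intermediate report due
    final: datetime         # final report due


def dora_initial_deadline(aware: datetime, classified: datetime) -> datetime:
    """Within 4h of classification as major and no later than 24h after awareness;
    if classification itself comes later than 24h after awareness, 4h from classification."""
    if classified > aware + 24 * H:
        return classified + 4 * H
    return min(classified + 4 * H, aware + 24 * H)


def add_calendar_month(ts: datetime) -> datetime:
    """'One month' read as a calendar month; a day past month-end is clamped (assumption)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


def dora_clock(aware: datetime, classified: datetime,
               initial_submitted: datetime | None = None,
               latest_intermediate: datetime | None = None) -> DoraClock:
    """Planning view: each report is assumed filed at its deadline unless an actual
    submission time is supplied. Intermediate: 72h from the initial notification;
    final: one month from the intermediate (or latest updated intermediate) report."""
    initial = dora_initial_deadline(aware, classified)
    intermediate = (initial_submitted or initial) + 72 * H
    final = add_calendar_month(latest_intermediate or intermediate)
    return DoraClock(initial, intermediate, final)


def add_working_days(ts: datetime, n: int) -> datetime:
    """Monday to Friday only; UK bank holidays are not modelled (assumption)."""
    while n > 0:
        ts += timedelta(days=1)
        if ts.weekday() < 5:
            n -= 1
    return ts


@dataclass(frozen=True)
class UkClock:
    initial: datetime         # initial report expected
    final: datetime           # final report due (30 working days)
    final_extended: datetime  # exceptional extension (60 working days)


def uk_enhanced_clock(detected: datetime, thresholds_met: datetime,
                      resolved: datetime, is_psp: bool = False) -> UkClock:
    """Initial: expected within 24h of determining thresholds are met (PSPs: 4h from
    first detection). Final: 30 working days from resolution, 60 in exceptional cases."""
    initial = detected + 4 * H if is_psp else thresholds_met + 24 * H
    return UkClock(initial, add_working_days(resolved, 30), add_working_days(resolved, 60))


def iso(clock) -> dict[str, str]:
    return {k: v.isoformat() for k, v in vars(clock).items()}


# Constructed scenario: one incident seen by an EU entity and a UK enhanced firm.
AWARE = datetime(2026, 4, 1, 9, 0)        # Wednesday
CLASSIFIED = datetime(2026, 4, 1, 20, 0)  # classified as major 11h later
RESOLVED = datetime(2026, 4, 1, 18, 0)


def scenario() -> dict[str, dict[str, str]]:
    return {
        "dora": iso(dora_clock(AWARE, CLASSIFIED)),
        # classified 22h after awareness: 4h rule would give 11:00, 24h cap gives 09:00
        "dora_capped": iso(dora_clock(AWARE, datetime(2026, 4, 2, 7, 0))),
        # classified more than 24h after awareness: 4h from that later classification
        "dora_late_classification": iso(dora_clock(AWARE, datetime(2026, 4, 3, 10, 0))),
        "uk_bank": iso(uk_enhanced_clock(AWARE, CLASSIFIED, RESOLVED)),
        "uk_psp": iso(uk_enhanced_clock(AWARE, CLASSIFIED, RESOLVED, is_psp=True)),
    }


if __name__ == "__main__":
    for name, clock in scenario().items():
        print(name, clock)
```

Running the scenario shows why group-level runbooks need both clocks side by side: for the same incident the DORA initial notification falls due hours before the UK enhanced report, while the UK final report (30 working days) lands later than DORA's one-month final report.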

Reporting templates

UK Incident Reporting Rules:

  • Standard report: ~16 structured fields (status, trigger, type, title, description, severity, detection time, recovery actions, cause, origin, third-party details).
  • Enhanced report: ~45 fields spanning initial (mandatory/optional), intermediate, and final phases, including impact metrics (affected customers, transactions, service downtime, geographic spread, lessons learned, remedial actions). All submissions are made via the FCA Connect portal; dual-regulated firms submit a single form shared with the PRA.

DORA:

  • Initial notification: basic identifying information, classification trigger, and initial impact details.
  • Intermediate report: updated details including an evolving impact assessment.
  • Final report: root causes, resolution dates, direct and indirect costs and losses, financial recoveries, information relevant for resolution authorities, and details of recurring incidents.
  • Standard forms and ITS templates have been adopted for submission to the relevant national competent authority.

Near-misses and planned changes

UK Incident Reporting Rules: near-misses are not reportable under SUP 15.18; firms should consider reporting them through usual supervisory channels (SUP 15.3.1R / Principle 11) where they have serious regulatory impact. Planned, controlled interruptions (e.g., routine system updates) are not reportable unless they go wrong and meet one or more thresholds.

DORA: the focus is on reporting major ICT-related incidents that have crystallised. All ICT-related incidents and significant cyber threats must be recorded internally, though only major incidents trigger the external reporting obligation. Financial entities may voluntarily notify significant cyber threats where the threat could, if materialised, affect critical/important functions with high probability and could meet the classification criteria and materiality thresholds (particularly the criticality of services, clients/transactions, or geographical spread thresholds).

Client Communications

UK Incident Reporting Rules: the FCA framework is a supervisory reporting regime; it does not impose a specific client notification duty for incidents. Principle 11 requires firms to disclose to the FCA anything of which the regulator would reasonably expect notice; broader customer communication decisions remain with the firm's existing policies. Enhanced reporting fields include optional/mandatory fields on public reaction, external communications issued, and customer complaints.

DORA: a mandatory client notification duty applies: where a major ICT-related incident impacts the financial interests of clients, financial entities must inform clients without undue delay about the incident and the measures taken to mitigate adverse effects. For significant cyber threats, entities must inform potentially affected clients of appropriate protective measures. Entities must also maintain crisis communication plans for responsible disclosure of major incidents to clients, counterparts, and the public.

PSD2 alignment

UK Incident Reporting Rules: payment service providers' previous PSD2 incident reporting (EBA/GL/2017/10) is disapplied and replaced by this regime. PSPs submit via the FCA Connect enhanced reporting form, with the 4-hour initial reporting deadline from detection retained from the prior PSD2 framework. A report submitted under this regime fulfils the Regulation 99(1) PSRs obligation; no separate PSD2 notification is required.

DORA: DORA consolidates PSD2 incident reporting for credit institutions, payment institutions, account information service providers, and e-money institutions: all operational or security payment-related incidents previously reported under PSD2 are now reported under DORA, irrespective of whether the incidents are ICT-related. The same time limits apply (4 hours from classification / 24 hours from awareness for the initial notification; 72 hours for the intermediate report; 1 month for the final report). Credit institutions, CCPs, and trading venue operators do not benefit from weekend/bank holiday relief on initial or intermediate reports. Significant credit institutions' reports are transmitted onward to the ECB.

What are key next steps for in-scope entities?

  • Banking and investment groups that operate both UK authorised entities and EU authorised entities will need to comply with both regimes on an entity-by-entity basis, coordinating thresholds, timelines, and content where the underlying cyber incident relates to shared IT infrastructure and/or outsourcing. A key preparedness step for incident reporting will be mapping ICT assets to legal entities; any ICT asset inventory conducted under DORA will be useful in this exercise.
  • Financial entities will need to calibrate their incident classification criteria against both the FCA's outcomes-based thresholds (consumer harm, safety and soundness, and market integrity) and DORA's "major ICT-related incident" materiality framework with its specific quantitative criteria. Notification obligations may be triggered under DORA's quantitative thresholds by incidents that do not meet the qualitative thresholds under the FCA requirements.
  • Ensure that contractual arrangements with IT service providers give sufficient information to satisfy reporting requirements and data capture for the reporting templates. The same reporting templates may also be relevant to disclosures to a firm's cyber insurers.
