PS26/2: The FCA Wants Data, Not Declarations on Resilience

The Financial Conduct Authority has moved the UK operational resilience regime into its next phase with PS26/2 on operational incident and third party reporting. Firms have spent the past few years identifying important business services and setting impact tolerances.

Previously, firms have been using different thresholds, different taxonomies and different timelines limiting the regulator’s ability to compare events or assess systemic patterns.

The final rules anchor reporting to three outcomes: consumer harm, safety and soundness, and market integrity or stability. This aligns incident reporting with the core objectives of the resilience framework rather than internal IT severity metrics.

The policy is supported by a defined reporting structure set out across the body and annexes of PS26/2. Firms are required to submit information through standardised templates that capture core fields such as incident type, affected services, root cause, impact assessment and remediation status. The templates distinguish between initial, intermediate and final reports, with each stage requiring a different level of detail. On the third party side, the annual register template captures provider identity, service type, supply chain position, linkage to important business services and relevant impact tolerances, with identifiers such as LEIs included where available. The FCA has aligned these templates with international formats, including the Financial Stability Board’s incident reporting model, to support consistency and cross-regulatory use.

Phased Reporting

PS26/2 also changes how incidents are reported. For firms in scope for enhanced reporting, the FCA expects an initial notification within 24 hours of determining that a threshold has been met. This is followed by intermediate updates and a final report once the incident is resolved.

This structure reflects a simple trade-off. The FCA prioritises early awareness over complete information at the outset. Firms can submit a short initial report while they focus on containment and recovery, then provide detail once facts are established.

The approach aligns with wider regulatory thinking on incident reporting. It reduces the risk that firms delay notification while trying to produce a full root cause analysis during a live event. It also supports a more consistent view across firms and incidents.

Third Party Dependencies

Firms must notify the FCA when entering into or making significant changes to a material arrangement. They must also submit an annual register of such arrangements.

This marks a shift in supervisory focus. The FCA is no longer looking at contractual outsourcing in isolation. It is seeking a view of the full dependency chain that supports service delivery.

The reporting framework is designed to support joint supervision across the FCA, PRA and the Bank of England. Data submitted by firms will be shared across authorities and used to identify risks that extend beyond individual institutions. This connects directly to the UK’s Critical Third Party regime. Regulators are building the capability to identify providers whose failure could generate systemic events.

Firms must link each material third party to important business services and relevant impact tolerances. They must identify supply chain position and provide a Legal Entity Identifier where available.

This creates a structured dataset that connects dependencies to service delivery and resilience thresholds. It allows supervisors to assess not only which providers are used, but how critical they are to the functioning of services.

Over the coming twelve months, firms must define what “material” means across business lines, identify dependencies that sit outside formal outsourcing frameworks, and map subcontractors and supply chains where visibility is limited.

On the incident side, firms must align internal classification with FCA thresholds and ensure escalation processes support timely notification. The largest task sits in data integration. Many firms hold supplier information across multiple systems with different ownership. Reconciling these into a single, accurate register will require coordination across functions.

From Framework to Evidence

PS26/2 completes a transition that has been underway since the introduction of the UK’s operational resilience framework in 2021.

The policy introduces two reinforcing capabilities. First, structured operational incident reporting provides supervisors with earlier and more consistent visibility of disruptions that threaten consumers, firms or markets. Second, the material third party regime extends oversight beyond outsourcing to capture the wider network of dependencies that underpin service delivery. Together, these elements shift resilience from a firm-defined framework to a regulator-observable dataset.

The common thread is data integrity. PS26/2 assumes that firms can draw on a coherent, governed dataset that connects incidents, services and third-party dependencies. In practice, many firms hold this information across multiple systems with different ownership, standards and levels of completeness. Bringing these elements together into a single, reportable view will be the critical success factor.

The FCA, alongside the PRA and the Bank of England, is building the capability to assess operational resilience through structured, comparable information across firms. For institutions, this raises the bar from demonstrating that resilience frameworks exist to evidencing, through consistent data and reporting, how those frameworks operate under stress.