UK regulators tighten cyber rules as third-party breaches surge

New rules say the buck stops with the regulated firm

By Kenneth Araullo

Britain's financial regulators have drawn a hard line on cyber resilience, with the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England confirming new rules that will tighten incident reporting timescales and increase scrutiny of supply chain exposure across almost all regulated firms.

The framework takes effect on March 18, 2027.

The urgency is plain. The FCA's own data shows over 40% of cyber incidents reported in 2025 involved a third party, while the NCSC last year recorded 204 nationally significant incidents, more than double the previous year's tally. Teneo's 2026 CRO Survey found 35% of UK financial services chief risk officers now rank cybersecurity as their top priority.

Under the new framework, firms must maintain a register of third-party providers and demonstrate visibility across their supply chains. But the obligations are not uniform. Law firm Clyde & Co has noted the rules create two parallel regimes: one for incident reporting, covering nearly all regulated firms, and one for material third-party reporting, narrower in scope.

Dual-regulated insurers face both. Many brokers may only be subject to the incident reporting side.

Chris Butler, resilience director at Databarracks, said the burden falls squarely on the regulated entity regardless of where a breach originates. "If the cause is a third party, the obligation does not transfer to that supplier; it sits with the regulated firm," he said.

Legislative backdrop

The FCA framework sits alongside two parallel government efforts. The Cyber Security and Resilience Bill, introduced in Parliament in late 2025, would expand Britain's existing NIS regulations to cover data centres, managed service providers, and designated critical suppliers.

It proposes 24-hour initial notification and 72-hour full reporting, backed by penalties of up to £17 million or 4% of global turnover.

Separately, a Home Office consultation concluded last year confirmed a ban on ransomware payments by public sector bodies and critical national infrastructure operators. Private sector firms would be required to notify the government before making any payment. Butler noted this raises sharp practical questions. "How do you avoid causing real harm to customers if that option is off the table?" he said.

The UK approach also diverges from the EU's Digital Operational Resilience Act, which took effect in January 2025 and requires initial notification within four hours of classification. Where DORA is prescriptive and controls-focused, the FCA centres on outcomes and impact tolerances. For firms operating across both jurisdictions, this means dual compliance rather than simple alignment.

Darren Tingley, services director at Databarracks, said the test will be practical. "What this comes down to is whether organisations can meet the requirement in practice, not whether they think they can," he said.

The firm's 2025 Data Health Check survey found 77% of organisations felt confident in their crisis response, but Tingley argued confidence without regular exercising remains insufficient.

ORX's 2026 Horizon Report ranked advancing cybercrime as the top emerging operational risk, with supply chain and third-party risk in third place. Whether the rules shift that picture depends on whether firms treat resilience as a discipline rather than an annual tick-box exercise.
