FCA CP24/28: What’s changing and why security teams should act now

(Based on the FCA’s CP24/28 consultation. Final rules are expected shortly and may change.) 

The FCA is consulting on changes that will reshape how organisations identify, assess, and report operational incidents, as well as how they oversee their most important third-party relationships. 

The consultation reflects growing concern that disruptions, particularly those linked to technology and outsourced services, are becoming more frequent and more complex. When incidents are not escalated or reported consistently, the impact can extend beyond the firm itself and directly affect customers, markets, and confidence in the financial system. 

Although implementation is not expected until the second half of 2026 and the final rules may change, CP24/28 gives a clear indication of the FCA’s current thinking. Many of the changes will require practical and operational adjustments rather than policy updates alone.  

For that reason, we recommend firms begin reviewing their current incident response and third-party risk arrangements now, so they are not starting from scratch once the final requirements are confirmed. 

What is CP24/28? 

CP24/28 is the FCA’s consultation on proposed changes in two linked areas: 

  • A new, more standardised approach to operational incident reporting, including clearer reporting thresholds and a structured notification process 
  • Enhanced reporting of material third-party arrangements, extending beyond traditional outsourcing to include critical technology and service providers 

The proposals aim to give the FCA earlier, clearer, and more consistent information, enabling a faster and more effective response when incidents could impact customers, firms, or the wider financial system. 

Who does this apply to? 

Operational incident reporting 

The incident reporting proposals apply broadly to regulated firms, including: 

  • Authorised firms 
  • Payment service providers 
  • UK Recognised Investment Exchanges 
  • Trade repositories 
  • Credit rating agencies 

The FCA has said it will apply proportionality for smaller firms, but the reporting framework itself will be consistent. 

Third-party reporting 

The third-party proposals apply to a narrower group of larger and more complex firms, including: 

  • Banks  
  • PRA-designated investment firms 
  • Building societies 
  • Solvency II firms 
  • Enhanced scope Senior Managers & Certification Regime (SM&CR) firms 
  • Client Assets Sourcebook (CASS) large firms 
  • UK recognised investment exchanges 
  • Authorised payment and electronic money institutions 
  • Consolidated tape providers 

What is changing? 

A clear definition of an operational incident 

For the first time, the FCA defines an operational incident as an event, or series of events, that disrupts operations by: 

  • Interrupting service delivery, or 
  • Affecting the availability, integrity, authenticity, or confidentiality of data relating to clients or external users 

This means cyber attacks, data breaches, cloud outages, and system failures are clearly in scope. 

Common reporting thresholds 

Firms must assess incidents against three impact areas: 

  • Consumer harm
    Serious harm that customers cannot easily recover from 
  • Market integrity
    Risk to confidence, stability, or integrity of the UK financial system 
  • Safety and soundness
    Risk to the firm’s viability or to other market participants 

The FCA is not setting fixed metrics. Firms must apply judgement based on their services, customers, and risk profile. Importantly, incidents should be reported where they could cause serious harm, not only after harm has already occurred. 

A staged reporting process 

CP24/28 proposes a more standardised and structured reporting lifecycle, replacing the current fragmented approach. Instead of a single notification, firms will be expected to report in stages: 

  1. Initial notification
    When an incident breaches, or is likely to breach, a reporting threshold. 
  2. Intermediate updates
    When there are material changes in impact, scope, or understanding, including when the incident is resolved. 
  3. Final report
    After closure, setting out the full impact, root cause, and any lessons learned. 

This reflects the reality that incidents evolve and that early regulatory visibility is important, even when all the facts are not yet known. 

Structured submissions through an FCA platform 

The FCA plans to introduce an online reporting platform supported by templates. This will replace unstructured emails with consistent, comparable data. 

Third-party risk goes beyond outsourcing 

The FCA is expanding its focus from material outsourcing to material third-party arrangements. This includes non-outsourcing relationships such as: 

  • Cloud providers 
  • Managed service providers 
  • Core technology platforms 
  • Data and payment providers 

In-scope firms must identify which of these relationships are truly critical, notify the FCA of new or significantly changed arrangements, and maintain an annual register. 

What this means for security and resilience teams 

CP24/28 proposes to make incident reporting part of the live response process, not something that happens after the event. Firms will need to decide early on whether an incident could meet a reporting threshold, even while information is still limited. 

In practice, this means having: 

  • Clear internal definitions that link directly to the FCA thresholds 
  • The ability to quickly assess service impact, data impact, and customer impact 
  • Strong coordination between security, IT, risk, legal, and compliance 
  • Clear escalation to senior management during major incidents 
  • A good understanding of which third parties are genuinely critical and where concentration risk sits 

If incident response or third-party oversight is based mainly on informal judgement or personal experience, those gaps are likely to become obvious very quickly when a serious incident occurs. 

How firms can start thinking about CP24/28 

While the final rules are not yet confirmed, CP24/28 gives a strong indication of where the FCA is heading. For firms likely to be in scope, now is a good time to start sense-checking existing arrangements. 

This might include: 

  • Considering how you currently identify and classify serious incidents 
  • Taking a fresh look at your most critical suppliers and dependencies 
  • Checking that escalation to senior management is clear during major incidents 
  • Reflecting on whether your current systems would support more structured reporting in future 

These early reflections can help highlight where more detailed work may be needed once the final requirements are published, without committing to changes too early. 

Final note 

CP24/28 is still subject to final FCA confirmation. However, the core principles around early reporting, impact-based thresholds, and expanded third-party oversight are unlikely to change materially. 

If you are likely to be in scope, we recommend starting to review your incident response procedures and supplier governance now. This will not only make it easier to adapt once the final rules are confirmed, it will also leave you better prepared for real operational disruption when it occurs.