Financial Conduct Authority confirms streamlined incident and third party reporting rules with a single reporting portal effective 18 March 2027

The Financial Conduct Authority has confirmed final rules and finalised guidance for incident reporting and third party reporting, aiming to make reporting clearer, more consistent and easier for firms to follow and to improve supervisory response to disruptions such as cyber attacks and technology outages. The framework is aligned with the Prudential Regulation Authority and the Bank of England and includes a single reporting portal. It removes duplicative incident reporting for payment service providers and credit rating agencies, refines the information firms must provide and enables most FCA solo-regulated firms to use a short-form incident report. The finalised guidance adds clearer thresholds, definitions and responsibilities, with practical examples of what to report, help applying thresholds, and instructions for completing the incident form and third party register. Firms have 12 months to prepare, with the new rules coming into force on 18 March 2027. The FCA will host a webinar on 29 April 2026, and will review the regime two years after implementation.