The FCA's New PS26/2 Rules Are Here

Written by Raj Kohli | Mar 23, 2026 2:27:59 PM

Operational incident and third-party reporting requirements have now landed. Here is what senior risk, compliance, and operational resilience leaders need to understand before the clock starts.

There is a year to implement, but the immediate challenge is not the timetable. It is ensuring your response is proportionate, practical, and focused on real risk, not just compliance with the regulation. Having read both FCA documents carefully, our view is that firms could run the risk of misinterpreting what is being asked of them. Here is where we see the gaps. 

 

Operational Incident Reporting

Common risk: treating this as a process exercise, building a notification procedure and assuming that is enough. 

There is a new mandatory requirement for firms to report significant operational incidents to the FCA in a structured three-phase process: an initial report as soon as a threshold is reached (the 24-hour window is a ceiling, not a default), intermediate updates as the incident develops, and a final report within 30 working days. The FCA expects you to report before impact tolerances are breached, not after.

The threshold question is broader than most firms assume. An incident does not need to affect an Important Business Service to be reportable. A data breach, a cascade failure in a non-critical system, or a cyber-attack causing severe reputational damage can all meet the threshold. Internal severity frameworks must also align to the FSB FIRE taxonomy. If your escalation process cannot produce a reasoned judgement in real time, you will be late, poorly evidenced and visible to the FCA.

DCR’s View: The capability question is not whether you can complete a form. It is whether your governance, escalation, and management information are strong enough to make the right call while the incident is still live. Most firms have never stress-tested this against the three regulatory thresholds. That is the gap worth fixing first.

 

Third-Party Reporting

Common risk: treating this as a supplier register exercise built around outsourcing, and stopping there.

There is a new mandatory requirement to notify the FCA of all material third-party arrangements, outsourcing and non-outsourcing, and to submit a structured annual register covering every arrangement that could pose a risk to the firm's continuity, regulatory standing, or viability. The new rules cover non-outsourcing arrangements such as AI tools, analytics platforms, cyber security services, data feeds, and risk modelling software. These likely sit in your technology budget, not your TPRM register. If you have not re-scoped your third-party population, your register will be incomplete before you have even started.

The annual register is a structured data submission via FCA RegData within 90 days of the window opening. It covers contract values, substitutability assessments, audit outcomes, impact tolerances, and SMF sign-off for every material arrangement. SMF accountability attaches to every entry. The FCA will also use this data to identify candidates for Critical Third-Party designation. What you submit could influence which of your key suppliers faces a new regulatory regime.

One point most firms will miss entirely: if you are currently in procurement for any new material arrangement, you should be notifying the FCA before making any commitment, not after. That obligation is live from implementation.

DCR’s View: Most firms have a TPRM process that covers the obvious: outsourcing contracts, key suppliers, the arrangements closest to their Important Business Services. That is a reasonable starting point, but it is no longer sufficient. If your SMF holders are signing off a register that is incomplete, they are exposed and they probably do not know it yet.

 

Not sure where your gaps are? 

The DCR team is working with firms right now to assess readiness across both requirements. Whether you need a threshold framework review, a re-scoped third-party register, or a governance stress-test, we can help you prioritise what matters before the window opens.