Risk & Regulation 360°
UK Operational Resilience
Post-transition compliance, CTP oversight readiness, and embedded resilience frameworks for FCA and PRA regulated firms.
- ✓ New operational incident and third-party reporting (H2 2026)
- ✓ Critical Third Party (CTP) regime now in force—anticipate designations
- ✓ Annual board attestation and independent assurance support
⚠ POST-TRANSITION — 31 MARCH 2025
The Transition Period Has Ended. Supervisory Focus Has Shifted.
Firms must now demonstrate they can remain within impact tolerances for all important business services. The FCA and PRA are looking at how firms strengthen resilience culture and learn from incidents.
Beyond the Compliance Milestone
31 March 2025 marked the end of the transition period, but the requirement to be operationally resilient is not a "once and done" activity. The real test is in how firms evolve to weather all types of storms—from cyber threat actors targeting UK critical national infrastructure, to increasingly complex supply chains, to emerging technologies like quantum computing and AI.
At T3, we help firms embed operational resilience into their DNA—moving beyond regulatory raincoats to building genuine, tested capability that protects customers and markets.
FCA Supervisory Focus Post-Transition
The FCA is now looking at how firms strengthen their resilience culture by learning from incidents and ongoing scenario testing to remediate any newly discovered vulnerabilities.
Where regulators see failings that put customers or markets at risk, they will use their powers to drive necessary change.
Active Consultation Papers
New Reporting Requirements: What's Coming in H2 2026
CP24/28 — CONSULTATION CLOSED 13 MARCH 2025
Operational Incident and Third Party Reporting
New framework requiring firms to report operational incidents meeting certain thresholds—even if they have not yet breached impact tolerances. Includes mandatory templates aligned with DORA and FSB FIRE standards.
Policy Statement: Expected H2 2025 | Implementation: No earlier than H2 2026
CP17/24 — CONSULTATION CLOSED 14 MARCH 2025
Operational Resilience: Operational Incident and Outsourcing/Third-Party Reporting
Parallel PRA framework for incident reporting and Register of Information for material third-party arrangements. Three-layered reporting (initial, intermediate, final) with escalating data requirements.
Reporting Portal: FCA Connect | Register Submission: FCA RegData (annual)
WHAT THIS MEANS FOR YOUR FIRM
Operational Incidents
Report incidents causing or risking consumer harm, firm safety/soundness, or market stability—regardless of IBS breach status.
Material Third Parties
Notify before entering or significantly changing material arrangements. Maintain and submit Register of Information annually.
Contract Review
Third-party contracts must enable receipt of incident information to meet new reporting timelines and data requirements.
PS16/24 — In Force 1 January 2025
Critical Third Party (CTP) Oversight Regime
The BoE, PRA and FCA now have powers to directly oversee Critical Third Parties whose failure could threaten UK financial stability. HM Treasury designates CTPs—anticipate initial designations in 2025/26.
What Is a CTP?
A third party whose failure or disruption could significantly impact UK financial system stability or confidence. HM Treasury designates based on regulator recommendations.
What CTPs Must Do
Comply with CTP Fundamental Rules, maintain resilience standards for systemic services, conduct self-assessments, scenario testing, and incident management playbook exercises.
What Firms Must Do
Working with a CTP does not reduce your responsibilities. Continue to enhance operational resilience and outsourcing arrangements—accountability remains with the firm.
Alignment with DORA
The UK CTP regime is designed to be interoperable with EU DORA's CTPP framework. Firms operating cross-border should map overlapping requirements.
UK Regulatory Timeline
2025–2026 Key Milestones
1 JANUARY 2025
CTP Oversight Regime In Force
PS16/24 final rules effective. Framework applies once HM Treasury designates specific CTPs.
31 MARCH 2025
Full OpRes Regime — Transition Ended ✓
Firms must demonstrate ability to remain within impact tolerances. Annual board self-assessment now a recurring obligation.
H2 2025
Policy Statements on CP24/28 & CP17/24 ⚠
FCA and PRA finalise operational incident and third-party reporting rules. Final templates and thresholds confirmed.
Q4 2025
PRA Life Insurance Stress Test Results
First publication of individual firm results for largest UK life insurers—enhanced transparency on financial resilience.
2025–2026
Expected First CTP Designations
HM Treasury expected to designate initial Critical Third Parties. Designated CTPs will have transitional periods for certain requirements.
MAY 2026
General Insurance Dynamic Stress Test
Novel three-week dynamic stress exercise for general insurers. PRA to provide logistics and engage with industry from September 2025.
H2 2026
New Incident & Third-Party Reporting Live ⚠
Implementation of CP24/28 and CP17/24 requirements. Firms must be ready to report via FCA Connect and submit Register via RegData.
Emerging Risks & Regulatory Focus
What Supervisors Are Watching
Cyber Threats & CBEST
Threat actors targeting UK critical national infrastructure. PRA continues CBEST and STAR-FS testing, with 2025 thematic highlighting tactics, techniques, and remediation challenges.
Post-Quantum Cryptography
G7 CEG roadmap for financial sector transition to post-quantum encryption through 2035. Firms should begin assessing cryptographic dependencies now.
AI & Cybersecurity
G7 CEG 2025 statement highlights AI opportunities for cyber resilience but also new attack vectors. AI must be governed as a critical operational dependency.
IT Transformation Programmes
PRA monitoring large, complex IT transformations that significantly change resources supporting IBS. July 2024 global IT incident heightened regulatory scrutiny.
Annual OpRes Attestation & Assurance
Supporting your annual cycle with independent challenge and board-ready reporting.
Review IBS
Update Important Business Services reflecting operational changes
Validate Tolerances
Confirm tolerances remain realistic based on disruptions and testing
Scenario Testing
Mature testing across severe but plausible scenarios
Remediate
Address vulnerabilities with funded, governed remediation plans
Board Attestation
Sign-off self-assessment with independent assurance support
How We Support You
UK OpRes Services
H2 2026 Reporting Readiness
Gap analysis against CP24/28 and CP17/24 requirements. Incident classification framework development, reporting runbook creation, and third-party contract review for data-sharing clauses.
Timeline: 6–8 weeks
Annual Attestation Support
Independent review of self-assessment documentation, scenario testing adequacy, remediation plan governance, and board-ready reporting with regulatory language.
Timeline: 4–6 weeks
CTP Impact Assessment
Identify potential CTP dependencies, assess concentration risk, review contract terms for CTP-readiness, and develop exit planning for critical third-party services.
Timeline: 5–7 weeks
Scenario Testing & Exercises
Custom scenario design covering cyber, third-party disruption, and CTP failure. Facilitated tabletop exercises and vulnerability identification with remediation prioritisation.
Timeline: 4–8 weeks
Frequently Asked Questions
What happens now the transition period has ended?
Firms must demonstrate they can remain within impact tolerances for all important business services. The FCA and PRA are now focused on how firms strengthen resilience culture by learning from incidents and ongoing scenario testing. This is not a "once and done" activity—operational resilience must be embedded into firm culture.
When do the new incident reporting rules take effect?
Policy statements are expected in H2 2025, with implementation no earlier than H2 2026. Firms should begin preparing now—reviewing incident classification processes, reporting capabilities, and third-party contracts for data-sharing provisions.
What is a Critical Third Party and how does it affect my firm?
A CTP is a third party designated by HM Treasury whose failure could threaten UK financial stability. Working with a CTP does not reduce your responsibilities—accountability remains with the firm. You should identify potential CTP dependencies and ensure contract terms support resilience requirements.
How does UK OpRes align with EU DORA?
The UK CTP regime and new reporting requirements are designed to be interoperable with DORA where possible. However, the frameworks have diverged in certain areas, requiring separate compliance efforts. Firms operating cross-border should map overlapping requirements to minimise duplication.
Ready to strengthen your UK operational resilience?
Get your 2026 readiness assessment and annual attestation support.
UK Operational Resilience
FCA/PRA Looking ahead
31 March 2026 TOIL submission deadline. DORA Level 2 now in effect. Master your operational resilience obligations under PRA/FCA rules, AI resilience requirements, and critical third-party compliance. Proven strategies for UK-regulated firms navigating 2026.
Main Objectives:
- Protecting the UK financial system from disruption to operations (e.g., cyber attacks, IT outages, natural disasters);
- Safeguarding important business services and the interests of clients.
Fundamentally, UK Operational Resilience consists of a compilation of laws and policies imposed by UK financial authorities (PRA, FCA, BoE) to ensure operational resilience across the financial sector.
- 31 March 2026 deadline: TOIL submission
- DORA Level 2: in effect from January onwards
- AI Resilience Guidance: expected Q2 2026
- ISO 22301 + PRA/FCA + DORA: complete resilience
Upcoming consultation papers
| Topic | Issued By | Status | Implementation Date | Your Action | Resources |
|---|---|---|---|---|---|
| DORA Level 2 Implementation | PRA/FCA | In Effect (Jan 2026) | Full compliance required now | Review all digital operational resilience measures; ensure third-party cyber controls; document testing | DORA compliance checklist |
| Critical Third Parties: Guidance Updates | FCA | Finalized (Dec 2025) | Guidance now in effect | Update your 3P register; reassess criticality under new definitions; revise contracts where needed | Updated guidance summary |
| AI Resilience Framework | PRA/FCA | Consultation Q2 2026 | Likely Q4 2026 guidance | Monitor for consultation launch; prepare for AI-specific scenario testing requirements | AI resilience tracker |
| Cloud Concentration Risk | PRA/FCA | Thematic review ongoing | Expected guidance Q3 2026 | Audit cloud provider dependencies; assess single-provider concentration; plan diversification if needed | Cloud risk assessment |
| Quantum Computing Resilience | International (FSB/Basel) | Early guidance 2026 to 2027 | Post-2026 | Monitor for emerging guidance; assess quantum-resistant cryptography readiness (low urgency, but watch) | Quantum preparedness guide |
| NIS2 Directive Equivalence (UK) | PRA/FCA | Assessment ongoing | H2 2026 likely | If you have EU subsidiaries: dual compliance planning; assess if UK equivalent framework needed | NIS2 equivalence resources |
WHO DOES IT IMPACT?
- Asset Managers
- Banks
- Fintechs
How to comply with UK Operational Resilience?
1. End-to-End Strategic Support
Develop a customized operational resilience roadmap that reflects your individual business model, risk profile and the changing regulatory environment.
Instill robust governance, board-level accountability and metrics to measure progress.
2. Scenario Design & Testing
Developing rigorous, lifelike scenarios to simulate the full spectrum of operational disruptions (e.g., cyber attacks, natural disasters, third-party outages). Conducting tabletop and simulation-led exercises to validate an organization’s response plans and executive decision-making in a stressful environment.
3. Third-Party Risk Management (TPRM)
Perform extensive due diligence and continuous monitoring of key third-party suppliers for their resiliency and their effect on the company’s operations. Support in the negotiation of contractual clauses to guarantee that third parties adhere to your operational resilience requirements.
4. Impact Tolerance Calibration
Work to define relevant impact tolerances for your key business services, considering customer expectations, regulatory obligations and your risk appetite.
Model the financial and reputational consequences of breaching impact tolerances.
5. Change Management & Culture
Emphasize embedding operational resilience throughout the organization’s culture, not just as a compliance exercise.
Develop change management strategies to drive buy-in and foster a proactive approach to risk identification and mitigation.
6. Data-Driven Insights
Leverage data analysis to map operational dependencies and potential vulnerabilities, informing your resilience strategy.
Establish operational resilience-specific dashboards providing continuous visibility into your risk posture.
Frequently Asked Questions
T3 specializes in building robust UK Operational Resilience frameworks that align with the latest regulatory expectations, including the FCA and PRA guidelines. Our approach goes beyond mere compliance—we design adaptive systems that ensure continuity, manage disruptions, and enhance business agility. Our services include risk assessments, impact tolerance setting, scenario testing, and regulatory reporting. By partnering with T3, firms can confidently meet regulatory deadlines and strengthen their ability to withstand shocks, ensuring minimal disruption to critical operations.
The five key pillars of operational resilience are:
- Governance and Accountability – Clear roles and responsibilities for overseeing resilience planning.
- Business Continuity Planning – Preparing for disruptions with structured response plans.
- Third-Party Risk Management – Ensuring service providers maintain resilience.
- Incident Management – Effective response and recovery mechanisms.
- Testing and Assurance – Regular testing of resilience measures to identify gaps.
T3’s expert team helps financial institutions strengthen each of these pillars, aligning with both regulatory expectations and industry best practices.
The seven principles of operational resilience are:
- Preparation and Planning: Establishing risk tolerance and identifying critical services.
- Risk Identification: Understanding internal and external threats to operations.
- Incident Response and Recovery: Ensuring rapid and effective responses to disruptions.
- Communication: Clear, timely communication during incidents.
- Governance: Maintaining accountability for resilience measures.
- Third-Party Management: Assessing the resilience of third-party partners.
- Continuous Improvement: Regularly updating strategies to reflect evolving risks.
T3 consultants work closely with clients to embed these principles within their operational frameworks, enhancing resilience and compliance with CPS230.
While both operational resilience and business continuity focus on minimizing disruption, they are distinct in scope and approach. Operational resilience is a broader strategy that prepares organizations to adapt and continue critical operations during unexpected events, ensuring long-term sustainability. In contrast, business continuity is more focused on maintaining specific business functions during short-term disruptions. Operational resilience includes business continuity planning as a component but extends to crisis management, third-party risk, and overall organizational adaptability.
The primary ISO standard relevant to operational resilience is ISO 22316:2017 – Security and Resilience – Organizational Resilience, which provides guidance on building organizational resilience. It complements ISO 22301:2019 for business continuity management. Together, these standards help organizations develop robust frameworks to withstand disruptions, protect stakeholders, and recover swiftly. T3 can help your firm align with these standards to meet regulatory expectations and enhance resilience capabilities.
Crisis management and operational resilience serve different purposes in risk preparedness. Crisis management focuses on the immediate response to unexpected events to protect people, assets, and reputation. It is reactive by nature, dealing with communication, decision-making, and containment during a crisis. Operational resilience, however, is proactive and strategic, emphasizing the design of systems and processes that can absorb shocks and continue critical operations. Essentially, crisis management is a response mechanism within the broader framework of operational resilience.
Yes, Business Continuity Planning (BCP) is an integral part of operational resilience. BCP focuses on maintaining business operations during short-term disruptions, while operational resilience extends this by ensuring the firm can adapt and thrive despite long-term shocks. T3’s operational resilience solutions incorporate BCP as a key element, alongside risk assessments, scenario testing, and recovery strategies to ensure end-to-end continuity and regulatory compliance.