Operational resilience has been a major regulatory focus for years. Financial institutions have invested heavily in mapping important business services, setting impact tolerances, and building resilience frameworks.
But a quiet shift is now underway.
With the release of PS7/26, the Prudential Regulation Authority (PRA), alongside the FCA and Bank of England, is moving operational resilience from framework design to operational proof. Firms are no longer being asked simply to demonstrate that they have thought about resilience. They are being asked to evidence it in real time, through structured reporting of incidents and third-party dependencies.
This is not just a reporting update. It is a change in how resilience is supervised.
And while the policy is positioned as reducing reporting burden, the reality for many firms will feel very different.
A more significant change than it looks
On the surface, the PRA has listened to industry concerns.
The final policy simplifies elements of the proposed regime. Three separate incident reports have been merged into a single report updated over time. Reporting templates have been streamlined. Data fields have been reduced. A single submission channel via FCA Connect aims to remove duplication.
There is also clear alignment with international standards, including the EU’s Digital Operational Resilience Act (DORA) and the Financial Stability Board’s FIRE reporting framework.
But the more important development is the standardisation of operational resilience data.
Regulators are building a consistent, comparable dataset across firms. They want to understand not just what went wrong in one institution, but how incidents propagate, where dependencies concentrate, and where systemic vulnerabilities may be forming.
Reporting is no longer about compliance. It is about supervisory insight at scale.
Reporting becomes part of incident response
One of the most significant practical implications of PS7/26 is that reporting is no longer a post-incident activity. It is embedded within the incident lifecycle itself.
Firms are expected to:
- Identify whether an incident meets regulatory thresholds quickly
- Submit an initial report as soon as reasonably practicable, typically within 24 hours
- Update that report as the situation evolves
- Provide a final view within defined timeframes
This introduces a new tension. When an operational incident occurs (whether a cyber attack, system outage, or third-party failure) the priority is clear: contain the issue, restore services, and minimise impact on customers. Now, firms must also ensure that accurate, structured regulatory reporting happens in parallel.
Industry bodies have already highlighted the risk. While greater standardisation is welcome, there is concern that reporting could become a continuous, resource-intensive exercise during live incidents. The danger is not just administrative burden: it is the potential diversion of attention away from response and recovery.
Can you report quickly and accurately without slowing down your ability to respond?
For many organisations, the answer depends on how connected their systems and processes are.
Third-party risk moves to the centre of resilience
If incident reporting is half of the story, third-party risk is the other. PS7/26 significantly expands the visibility regulators expect over firms’ reliance on external providers. The focus is no longer limited to traditional outsourcing arrangements. Instead, firms must identify and manage material third-party (MTP) arrangements more broadly.
This includes:
- Notifying regulators when entering into or significantly changing material third-party arrangements
- Maintaining and submitting an annual register of these relationships
- Applying consistent judgement to determine what is “material” based on risk to regulatory objectives
The intent is clear: regulators want to understand where critical dependencies sit across the financial system.
As firms increasingly rely on cloud providers, data services, fintech partners, and complex supply chains, the risk is no longer contained within individual institutions. It becomes interconnected. A failure at a single provider can cascade across multiple firms. By collecting structured third-party data, regulators can begin to identify:
- Concentration risk
- Critical third parties (CTPs)
- Potential single points of failure across the system
For firms, this creates a new level of scrutiny.
Many organisations still manage third-party risk across multiple functions (procurement, IT, risk, compliance), often with inconsistent data and ownership. Under the new regime, those gaps will become visible.
If your third-party data is fragmented, compliance will expose it quickly.
Alignment with global regulation, but not simplicity
The UK’s approach is clearly influenced by international developments.
Alignment with DORA and the FSB’s FIRE framework reflects a broader push toward consistent global standards for operational resilience reporting. For multinational firms, this is a positive step. It reduces duplication and creates a more predictable regulatory environment.
However, alignment does not mean simplicity.
Firms must still interpret reporting thresholds based on the PRA’s objectives of financial stability, safety and soundness, and policyholder protection. These thresholds require judgement. They are not purely prescriptive.
At the same time, differences remain between regulatory authorities, even where submission mechanisms are aligned. Firms may still need to maintain internal processes that can satisfy multiple regulatory perspectives.
The result is a familiar challenge: external standardisation does not eliminate internal complexity.
It shifts the burden toward governance, interpretation, and consistency.
The real challenge is governance
It is easy to focus on the reporting templates. But the real difficulty lies upstream.
To comply effectively with PS7/26, firms must be able to answer a series of fundamental questions quickly and consistently:
- What qualifies as a reportable operational incident?
- What constitutes a material third-party arrangement?
- Who is responsible for making these decisions?
- Where does the required data sit across the organisation?
- How is that data validated and updated during an incident?
These are not technology questions alone. They are governance questions.
Many firms will find that their existing operating models are not designed to support this level of coordination. Incident management may sit within IT. Third-party risk may sit within procurement. Regulatory reporting may sit within compliance.
Without clear ownership, shared definitions, and integrated workflows, reporting becomes manual, slow, and inconsistent.
Regulators have deliberately allowed flexibility in how firms interpret thresholds and materiality. But that flexibility comes with an expectation: decisions must be defensible, consistent, and evidence-based.
Why the 2027 deadline is closer than it looks
With an implementation date of March 2027, firms might assume there is ample time to prepare. In practice, the timeline is tighter than it appears.
This is not simply a matter of updating reporting templates or configuring submission processes. It requires:
- Aligning definitions of incidents and materiality across the organisation
- Establishing clear ownership and accountability
- Integrating data from multiple systems and functions
- Embedding reporting into incident response workflows
- Testing processes under real-world conditions
Firms already working on operational resilience or DORA programmes will have a foundation. But even they may find gaps when it comes to real-time reporting capability and data consistency.
From reporting to readiness
The firms that will adapt most effectively are those that treat PS7/26 as more than a regulatory requirement.
They will focus on building a connected view of:
- Incidents and disruptions
- Third-party dependencies
- Ownership and accountability
- Evidence and reporting workflows
This allows them not only to meet regulatory expectations, but to respond more effectively when disruption occurs; ultimately, that is what operational resilience is about.
Conclusions and next steps for your organisation
Under PS7/26, operational resilience is no longer assessed primarily through frameworks and documentation. It is assessed through data, speed, and clarity under pressure.
For regulated financial services firms, the question is no longer whether you can report an incident. It is whether you can do so quickly, accurately, and without compromising your response.
Firms that rely on fragmented systems and manual processes will struggle to meet that standard. Firms that connect incidents, third-party risk, ownership, and evidence into a single, integrated view will not only comply more easily, they will operate with greater confidence in the face of disruption.
If you want to see how Protecht enables integrated incident management, third-party risk visibility, and real-time regulatory reporting, contact one of our specialists today.