FCA operational resilience deadline amid high-profile disruptions: what do firms need to know?

read time: 4 mins
07.05.25

In the last two years, customers of several of the UK’s largest banks and building societies have endured more than 33 days of unplanned systems outages, as IT systems and security failings have repeatedly affected the provision of critical services. Data recently published by the Treasury Committee highlighted 158 banking-IT-failure incidents since January 2023, with one bank, Barclays, expecting to pay up to £7.5 million to compensate customers for a single three-day service issue.

Against this backdrop, the Financial Conduct Authority’s (FCA) operational resilience regime reached its critical milestone on 31 March 2025, marking the end of the transitional period set out in PS21/3.

In this article, we highlight the key requirements of the FCA's operational resilience framework, outline how FCA rules interact with the EU’s Digital Operational Resilience Act and explore how the FCA requirements will impact third-party ICT providers.

Why the urgency?

The FCA expects all regulated firms (banks, insurers, payment institutions and e-money issuers, and investment firms) to demonstrate they can maintain critical services during severe disruptions or recover swiftly within predefined impact tolerances. The recent repeated service failures in the financial sector illustrate why these requirements matter, not just for compliance, but for protecting customers and preserving market stability.

FCA operational resilience: key requirements

Firms must:

  • Identify important business services: clearly define the services (e.g. payments, online banking access) where disruption could significantly harm customers or market integrity.
  • Set impact tolerances: specify the maximum acceptable disruption duration for each important service. Notably, tolerances are not the same as internal recovery targets; they mark the absolute outer limit of disruption the firm will allow.
  • Identify dependencies, including on service providers: each important service is underpinned by a web of people, processes, technology, facilities, and information. Firms must map these resources to understand how a failure in any component, including at third-party providers, could impact the service. This detailed mapping exercise should reveal single points of failure and other vulnerabilities.
  • Conduct scenario testing: regularly simulate severe disruptions (e.g. cyberattacks, technology outages, telecom failures, or pandemic-scale staffing shortages) to test resilience and recovery capabilities, for instance by ramping up the severity of scenarios, performing technical failover drills, and including critical third parties in joint tests.
  • Implement remediation plans: since 31 March 2025, firms are expected to have mitigated vulnerabilities such that for each important service, they can stay within tolerance in the face of plausible disruptions. Where fixes are still in progress, there should be board-approved, funded remediation plans with clear timelines, and evidence (through re-testing) that those fixes will be effective.
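The dependency-mapping, impact-tolerance and scenario-testing steps above can be expressed as a small model that a resilience team can actually run. The following Python is an added worked example written for this article, not code from the FCA or from any firm: it represents an important business service as a set of redundancy groups of components (people, technology, third parties), finds single points of failure (components whose failure alone takes the service down), flags those that sit with third-party providers, and checks constructed disruption scenarios against the service's impact tolerance. Every service name, component, tolerance and restoration time is a constructed illustration, not a figure from the rules.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                 # people, process, technology, facility or information
    third_party: bool = False  # True when the resource is supplied by an external provider


@dataclass
class ImportantService:
    name: str
    impact_tolerance_hours: float  # absolute outer limit of tolerable disruption
    # Each group is a redundancy group: the service stays available as long as at
    # least one member of every group is available. A one-member group is therefore
    # a single point of failure.
    dependency_groups: list[list[Component]] = field(default_factory=list)

    def available(self, down: set[str]) -> bool:
        """True if every redundancy group still has at least one member not in `down`."""
        return all(any(c.name not in down for c in group) for group in self.dependency_groups)

    def single_points_of_failure(self) -> list[str]:
        """Components whose failure on its own takes the whole service down."""
        names = {c.name for group in self.dependency_groups for c in group}
        return sorted(n for n in names if not self.available({n}))

    def third_party_single_points_of_failure(self) -> list[str]:
        """The subset of single points of failure that sit with an external provider."""
        by_name = {c.name: c for group in self.dependency_groups for c in group}
        return [n for n in self.single_points_of_failure() if by_name[n].third_party]

    def outage_hours(self, restore_hours: dict[str, float]) -> float:
        """Service outage under a scenario: hours until every group has a member back.

        restore_hours maps each failed component to the hours needed to restore it;
        components not listed are unaffected (0 hours). A group recovers as soon as
        its fastest-restored member is back, and the service recovers when the
        slowest group does."""
        return max(
            min(restore_hours.get(c.name, 0.0) for c in group)
            for group in self.dependency_groups
        )

    def scenario_result(self, scenario: str, restore_hours: dict[str, float]) -> dict:
        """Compare a scenario's outage against the impact tolerance."""
        hours = self.outage_hours(restore_hours)
        return {
            "service": self.name,
            "scenario": scenario,
            "outage_hours": hours,
            "within_tolerance": hours <= self.impact_tolerance_hours,
        }


# Constructed example service map (illustrative assumptions, not a real firm's data).
CORE = Component("core-banking-platform", "technology")
DC_A = Component("payments-gateway-dc-a", "technology")
DC_B = Component("payments-gateway-dc-b", "technology")
SCHEME = Component("scheme-connectivity-provider", "technology", third_party=True)
OPS_A = Component("payment-ops-team-a", "people")
OPS_B = Component("payment-ops-team-b", "people")

OUTBOUND_PAYMENTS = ImportantService(
    name="outbound-payments",
    impact_tolerance_hours=2.0,
    dependency_groups=[[CORE], [DC_A, DC_B], [SCHEME], [OPS_A, OPS_B]],
)

# Constructed severe-but-plausible scenarios: failed component -> hours to restore it.
SCENARIOS = {
    "primary data centre loss": {"payments-gateway-dc-a": 6.0},
    "third-party scheme provider outage": {"scheme-connectivity-provider": 5.0},
    "ransomware on core platform": {"core-banking-platform": 1.5, "payments-gateway-dc-a": 1.5},
}


def run_scenario_tests(service: ImportantService, scenarios: dict) -> list[dict]:
    """Run every scenario against the service and return one result per scenario."""
    return [service.scenario_result(name, restore) for name, restore in scenarios.items()]


if __name__ == "__main__":
    print("single points of failure:", OUTBOUND_PAYMENTS.single_points_of_failure())
    print("third-party SPOFs:", OUTBOUND_PAYMENTS.third_party_single_points_of_failure())
    for result in run_scenario_tests(OUTBOUND_PAYMENTS, SCENARIOS):
        print(result)
```

In this constructed map the primary data centre loss is absorbed by the secondary gateway, so the service never breaches tolerance, while a five-hour outage at the single third-party scheme provider breaches the two-hour tolerance and is exactly the kind of vulnerability the remediation plan and joint third-party testing are meant to address. The model deliberately distinguishes the impact tolerance from internal recovery targets: a scenario is reported as a breach only when the modelled service outage exceeds the tolerance, not when an individual component is slow to recover.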

The FCA stresses that accountability sits at board level, and firms must embed resilience into their governance, risk management, and culture.

Beyond FCA compliance: aligning with EU's Digital Operational Resilience Act 

For firms operating in the EU, understanding how FCA rules interact with the EU’s Digital Operational Resilience Act (DORA), which has applied since January 2025, is crucial. DORA specifically addresses ICT risks, mandating comprehensive ICT risk management, incident reporting, resilience testing, and oversight of critical third-party ICT providers. Although FCA rules have a broader operational scope, they share core principles with DORA, notably the management of third-party risk.

Implications for third-party ICT providers

Third-party ICT suppliers, though not directly regulated by the FCA’s regime, will feel significant indirect effects. FCA-regulated firms must scrutinise their suppliers’ operational resilience closely. Providers should anticipate heightened contractual demands, rigorous audits, joint scenario testing, and requests for detailed transparency into their operational controls and risk mitigation plans.

Critically, the EU's DORA regime imposes direct oversight of critical ICT suppliers operating in the EU financial market, which may create a parallel regulatory burden for UK suppliers serving EU-based clients. Forward-looking ICT providers can position themselves advantageously by proactively demonstrating compliance readiness and aligning their operational standards with FCA and DORA principles, thereby enhancing their market appeal.

Commercial opportunity in operational resilience

Operational resilience isn’t merely a compliance obligation – it's increasingly a competitive differentiator. Firms that avoid outages enhance customer loyalty, trust, and brand reputation, while ICT suppliers with demonstrable resilience can gain competitive market advantage. In an era where customer trust and uninterrupted service delivery are paramount, resilience becomes not just essential but commercially valuable.

Final thoughts

As the 31 March 2025 deadline has now passed, firms and their third-party providers must ask whether they are genuinely ready to meet these new standards, not only to comply with regulatory expectations but to safeguard their businesses and the customers who depend on them. In financial services, reliability underpins trust, and resilience is the ultimate measure of reliability.

For further information, please contact our financial services regulatory team.
