In the last two years, customers of several of the UK’s largest banks and building societies have endured more than 33 days of unplanned systems outages, as IT systems and security failings have repeatedly affected the provision of critical services. Data recently published by the Treasury Committee highlighted 158 banking-IT-failure incidents since January 2023, with one bank, Barclays, expecting to pay up to £7.5 million to compensate customers for a single three-day service issue.
Against this backdrop, the Financial Conduct Authority’s (FCA) operational resilience regime reached its critical milestone on 31 March 2025, marking the end of the transitional period set out in PS21/3.
In this article, we highlight the key requirements of the FCA's operational resilience framework, outline how FCA rules interact with the EU’s Digital Operational Resilience Act and explore how the FCA requirements will impact third-party ICT providers.
The FCA expects all regulated firms (banks, insurers, payment institutions and e-money issuers, and investment firms) to demonstrate that they can remain within predefined impact tolerances for their important business services during severe but plausible disruptions, continuing to deliver those services or recovering them swiftly. The recent repeated service failures in the financial sector illustrate why these requirements matter, not just for compliance, but for protecting customers and preserving market stability.
Firms must:
The FCA stresses that accountability sits at board level, and firms must embed resilience into their governance, risk management, and culture.
For firms operating in the EU, understanding how FCA rules interact with the EU’s Digital Operational Resilience Act (DORA), which has applied since 17 January 2025, is crucial. DORA specifically addresses ICT risk, mandating comprehensive ICT risk management, ICT-related incident reporting, digital operational resilience testing, and oversight of critical third-party ICT providers. Although the FCA regime has a broader operational scope, covering disruption from any cause rather than ICT failures alone, it shares core principles with DORA, notably the management of third-party risk.
Third-party ICT suppliers, though not directly regulated by the FCA’s regime, will feel significant indirect effects. FCA-regulated firms must scrutinise their suppliers’ operational resilience closely. Providers should anticipate heightened contractual demands, rigorous audits, joint scenario testing, and requests for detailed transparency into their operational controls and risk mitigation plans.
Critically, the EU's DORA regime imposes direct oversight of critical ICT suppliers operating in the EU financial market, which may create a parallel regulatory burden for UK suppliers serving EU-based clients. Forward-looking ICT providers can position themselves advantageously by proactively demonstrating compliance readiness, aligning operational standards with FCA and DORA principles, thereby enhancing their market appeal.
Operational resilience isn’t merely a compliance obligation – it's increasingly a competitive differentiator. Firms that avoid outages enhance customer loyalty, trust, and brand reputation, while ICT suppliers with demonstrable resilience can gain competitive market advantage. In an era where customer trust and uninterrupted service delivery are paramount, resilience becomes not just essential but commercially valuable.
As the 31 March 2025 deadline has now passed, firms and their third-party providers must ask whether they are genuinely ready to meet these new standards - not only to comply with regulatory expectations but to safeguard their businesses and the customers who depend on them. In financial services, reliability underpins trust, and resilience is the ultimate measure of reliability.
For further information, please contact our financial services regulatory team.