April 12, 2026

PRA Operational Resilience: What Firms Must Do Now

The PRA operational resilience requirements under PS6/21 and FCA PS21/3 are now fully in force. The three-year transition period ended on 31 March 2025. Every firm in scope should now be able to demonstrate it can remain within its impact tolerances for each important business service, backed by mapping, scenario testing, and documented investment decisions.

The requirements did not stop at that deadline. The FCA's one-year-on review has already identified patterns of good and poor practice. A new incident reporting and third-party register regime takes effect on 18 March 2027. And the Critical Third Parties framework, live since January 2025, is awaiting its first formal designations from HM Treasury.

For technology suppliers to the financial services sector, these requirements create both obligations and commercial opportunity. Here is what matters now.

What PRA operational resilience requirements demand

PRA PS6/21 and FCA PS21/3 were developed jointly and their definitions are aligned. Work done to meet one regulator's requirements is directly applicable to the other.

The core obligations are:

Identify important business services. These are services provided to external end users (clients, counterparties, the market) where disruption could cause intolerable harm. For FCA purposes the harm in question is to consumers or to market integrity; for the PRA it is harm to the firm's safety and soundness or to UK financial stability, and for insurers the protection of policyholders. The emphasis is on external impact, not internal processes.

Set impact tolerances. Each important business service needs its own tolerance, defined as the maximum disruption the firm can sustain without causing intolerable harm. The FCA has been clear that time-based measures alone are insufficient. Tolerances must also incorporate the nature and volume of harm: customer types affected, transaction volumes, financial thresholds, and criticality factors.

Map supporting resources. Firms must identify the people, processes, technology, facilities, and information that underpin each important business service.

Conduct scenario testing. Testing must be against severe but plausible scenarios and must go beyond desk-based exercises: penetration testing, disaster recovery simulations, and lessons learned from real incidents all count. The FCA expects firms to increase disruption severity incrementally until the point at which an impact tolerance would be breached; that breaking point is where the firm's vulnerabilities lie.

Invest to close gaps. Where testing reveals the firm cannot remain within tolerances, investment is required to build that capability.

What the FCA found in its one-year-on review

The FCA published its findings from the first year of post-transition supervisory engagement. The patterns are instructive.

Good practice

Firms with clear methodologies for defining important business services scored well, particularly where they documented their assumptions and exclusion rationale. The FCA highlighted the use of quantitative metrics alongside time-based measures as a positive indicator. Real-world incident data informed tolerance calibration at the strongest firms, and several had invested in data vaulting, immutable backups, and standby data centres.

Poor practice

The most common failure was setting impact tolerances for market integrity and consumer harm as a single measure rather than distinguishing between them. Resource mapping was too technology-focused at many firms, with insufficient coverage of people and facilities. The FCA also found firms claiming universal recovery capability without testing against sufficiently severe scenarios, alongside missing vulnerability management documentation and minimal response plan testing.

One finding deserves particular attention: some firms inappropriately exclude services from the "important" classification based solely on the argument that customers could switch to a competitor. The FCA considers this poor practice. All criteria must be applied comprehensively.

Impact tolerances are not recovery time objectives

This distinction matters and is frequently misunderstood. A recovery time objective measures how fast you restore a service, or one of the systems supporting it, after disruption. An impact tolerance sets the maximum level of disruption the firm can sustain before the harm caused becomes intolerable, measured not only in time but in the other dimensions above.

A firm could restore service within its RTO but still breach its impact tolerance if the nature or volume of harm during the outage (for example, the number of payments left unprocessed or the customer segments cut off) exceeded what was tolerable. The FCA expects firms to measure both dimensions independently. In practice, the RTOs of the systems supporting an important business service should sit inside its impact tolerance with headroom, and scenario testing should show which dimension the firm would breach first.

Third-party risk and why it matters for technology suppliers

Third-party failures remain the regulated firm's regulatory responsibility. Outsourcing does not transfer the obligation. Firms must demonstrate sophisticated understanding of their dependencies and interconnectivity with suppliers, and they must track and govern remediation of any vulnerabilities identified in their third-party arrangements.

The Critical Third Parties regime

PRA PS16/24 took effect on 1 January 2025, establishing the framework for regulating Critical Third Parties to the UK financial sector. HM Treasury designates CTPs by secondary legislation. Once designated, a CTP must meet minimum resilience standards, participate in targeted testing, provide information directly to regulators, and comply with regulatory directives.

The concentration risk is real. Over 65 per cent of UK firms used the same four cloud providers, according to HM Treasury's Critical Third Parties policy statement. No formal designations have been made yet, but the framework is operational and the first designations are expected.

New reporting requirements from March 2027

PRA PS7/26 and FCA PS26/2, published in March 2026, introduce mandatory incident and third-party reporting from 18 March 2027. Firms will need to:

  • Define and report operational incidents above set thresholds
  • Notify regulators of new or significantly changed material third-party arrangements
  • Maintain and annually submit a register of all material third-party arrangements
  • Report through a single platform via FCA Connect

These rules are explicitly aligned with international standards, including the EU's DORA framework and the FSB's Format for Incident Reporting Exchange (FIRE).

What this means for technology suppliers

Even if your organisation is never designated as a Critical Third Party, you are captured indirectly. Regulated firms must prove their supply chain supports operational resilience. From March 2027, they must formally catalogue and report on their material third-party arrangements.

Suppliers who can provide ready-made compliance evidence make it significantly easier for financial services clients to meet these obligations. ISO 27001 certification, Cyber Essentials Plus, documented business continuity and disaster recovery plans, and incident response procedures all serve as evidence that a regulated firm's supply chain is resilient.

Suppliers who cannot provide this evidence create a compliance headache for their clients and put themselves at a commercial disadvantage as the regulatory scrutiny increases.

How this connects to DORA

The Digital Operational Resilience Act became mandatory for EU financial entities on 17 January 2025. It is an EU regulation, not a UK one, but the overlap is significant for firms with cross-border operations or clients.

In January 2026, the FCA, Bank of England, and PRA signed a Memorandum of Understanding with the European Supervisory Authorities to enhance cooperation on oversight of critical third-party providers. The UK's CTP regime was designed to be compatible with DORA. The new UK incident reporting framework was explicitly aligned with DORA's requirements.

For technology suppliers, this means that strong ISO 27001 implementation and comprehensive GDPR data processing controls provide foundational coverage across both the UK operational resilience regime and DORA's ICT risk requirements. The frameworks are different in detail but share common foundations in information security management, incident response, and business continuity.

Naq does not offer a standalone DORA compliance module. Its ISO 27001, Cyber Essentials, and GDPR coverage addresses the controls that overlap between DORA's ICT risk requirements and the UK operational resilience framework.

How ISO 27001 maps to PRA operational resilience requirements

The FCA aligns its measures with ISO 27001 and the NIST Cybersecurity Framework. The overlaps are substantial.

ISO 27001 covers information security management systems, risk assessment, access controls, incident management, business continuity, and supplier relationships. These map directly to operational resilience requirements around resource mapping, third-party risk management, and incident response.

Cyber Essentials addresses five technical control themes aimed at commodity cyber attacks: firewalls, secure configuration, security update management, user access control, and malware protection. Cyber Essentials Plus adds independent technical verification of those same controls. The NCSC is clear that ISO 27001 and Cyber Essentials are not equivalent and cannot be substituted for each other without examining the specific scope and controls assessed. They address different threat scenarios. But together, they cover a significant portion of the baseline that regulated firms need to evidence about their technology suppliers.

Where operational resilience goes beyond both: impact tolerance setting, important business service identification, scenario testing of severe but plausible disruptions, and the new regulatory reporting requirements have no direct equivalent in ISO 27001 or Cyber Essentials. These are additive requirements specific to the financial services regulatory framework, and a supplier's certificates will not evidence them on a client's behalf.

The numbers

The PRA regulates 1,292 firms and groups (708 deposit-takers and 584 insurers), according to the PRA Business Plan 2025/26. The FCA authorises approximately 55,000 firms across all activities, though the PRA operational resilience requirements target the larger, more systemically important institutions within that population.

Eight categories of firm are in scope: banks, building societies, designated investment firms, insurers, recognised investment exchanges, enhanced SMCR firms, payment and e-money institutions, and (once designated) Critical Third Parties.

No public enforcement actions specifically for operational resilience non-compliance have been published as of April 2026. The regulators have used supervisory engagement rather than formal enforcement so far, but the FCA has stated it is engaging directly with firms on specific findings from its one-year-on review.

What to do now

For regulated firms, operational resilience is an ongoing programme. The March 2027 incident reporting deadline is 11 months away. Firms need to build reporting infrastructure, define incident thresholds, compile third-party registers, and integrate these with existing risk management frameworks.

For technology suppliers serving financial services clients, every certification and documented control you hold reduces the compliance burden on your clients. ISO 27001, Cyber Essentials Plus, documented BCP and DR plans, and incident response procedures are the baseline that regulated firms need to see from their supply chain.

Naq automates compliance across ISO 27001, Cyber Essentials, GDPR, and 17 other frameworks from a single platform. Evidence collected for one framework maps automatically to overlapping standards, so suppliers serving multiple regulated sectors avoid documenting the same controls separately for each. Over 300 integrations handle evidence gathering, and in-house compliance experts provide support where automation alone is not enough.

Book a demo to see how it works for financial services suppliers.

Written by
The Naq Team