Britain’s finance regulator confirmed new incident and third-party reporting rules on Wednesday, giving firms 12 months to prepare for clearer requirements aimed at strengthening resilience against cyber attacks and third-party disruptions.
The new rules, which take effect on March 18, 2027, come after over 40% of cyber incidents reported to the Financial Conduct Authority in 2025 involved a third party, including high-profile outages at Cloudflare and AWS.
