
The UK central bank, the Bank of England (BoE), has launched a consultation around a number of regulatory plans that should strengthen digital resilience oversight and reporting in Britain.
The consultation paper published by the BoE sets out the Prudential Regulation Authority’s (PRA) recent proposals “to set requirements in rules and expectations for firms to report operational incidents and their material third-party arrangements,” the banking authority said in a statement.
The PRA, alongside the financial services watchdog, the Financial Conduct Authority (FCA), aims to introduce new rules that will bring the UK in line with key regulations across Europe, most notably the Digital Operational Resilience Act (DORA), which comes into effect later this month, on January 17.
“[It] proposes to establish a framework for timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party arrangements,” the BoE clarified.
The Bank stressed “the proposals set out clear and robust requirements and expectations for regulatory reporting which aim to support the operational resilience of the UK financial sector and enhance understanding of sector threats and vulnerabilities.”
The new rules “align closely” with international standards such as DORA, said John Ho, head of legal and financial markets at Standard Chartered Bank, in his analysis of the proposals.

“The final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole,” he explained.
Ho added: “By strengthening resilience and promoting market stability, this will ensure the UK is an attractive place to do business.”
The BoE highlighted that the proposed regulatory regime would apply to all UK banks, building societies, most investment firms and branches of overseas banks, most solvency firms and any other PRA-regulated firms.
The Prudential Regulation Authority is a UK financial services regulatory body, formed as one of the successors to the Financial Services Authority (FSA). It is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms.
The Bank is inviting all relevant parties to submit their responses and share their views before March 13 of this year.
Pandemic pause
The BoE said it is “a key priority” to improve the operational resilience of firms and protect the wider financial sector from the impact of operational disruptions as the digital infrastructure of many banks, finance firms and the wider industry has become more complex.
“As the financial sector becomes increasingly interconnected, complex and dynamic, strengthening operational resilience enables firms and the financial sector to more effectively deal with risks to prevent, adapt, respond to, recover, and learn from operational disruptions,” the Bank said.
The BoE stressed the financial services sector is in need of new rules and regulation, referring to a 2019 Treasury Select Committee report which examined 2018 IT failures in the financial services sector.
The report made a number of recommendations for UK regulators, including that the Bank, PRA and FCA should assess the accuracy and consistency of incident reporting data, clarify standards, guidance and definitions for industry and consider the need to expand current reporting requirements.
The PRA responded to the TSC report by publicly committing to review its regulatory reporting requirements for operational resilience; however, the regulator postponed the introduction of incident reporting proposals due to the Covid-19 pandemic, as it did not want to place an additional burden on firms “during a challenging period,” as the BoE put it.
The latest incident reporting proposals “seek to address the relevant recommendations made in the TSC report,” the Bank clarified.
The Bank’s consultation comes only two months after the PSR published, in November 2024, a regulatory regime for the supervision of critical third parties (CTPs).
“It recognises the risk that severe disruption arising from certain third parties could pose to the safety and soundness of firms, policyholder protection and the financial stability of the UK,” the BoE stressed.
“To support the identification of CTPs and assess where critical nodes of failure could arise, the PRA needs to collect adequate data on firms’ material third-party arrangements,” it added.
Disclosure rule dropped
Interestingly, the BoE dropped a controversial vulnerability disclosure rule only two months ago.
In November 2024, the banking authority withdrew proposals that would force third-party players to disclose vulnerabilities.
In fact, the BoE acknowledged that requiring third-party firms to “openly” announce or share IT vulnerabilities would “go against plans to reduce risks”.
“In various parts of the regulators’ draft rules and draft supervisory statement, ‘vulnerability’ was used in a general, ordinary-language sense,” the Bank wrote.
It explained that “respondents were particularly concerned about potential requirements or expectations on critical third parties to disclose unremedied vulnerabilities – in the cyber-security sense – to the regulators and to the firms they provide systemic third party services, as this could increase the risk of threat actors exploiting these vulnerabilities, which would go against the overall objective.”

The Bank said that, after reviewing all uses of the term in its frameworks and overall rules, it had replaced the word ‘vulnerability’ with “areas of improvement” and had removed “any requirements and expectations” to “disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to the firms they provide systemic third party services to.”
Discussing the rules on his LinkedIn account, Francesco Fulcoli, chief compliance and risk officer at Flagstone, posted that “disruptions caused by cyber-attacks, power outages, or system failures could cascade through the financial system, undermining public confidence and economic stability.”
“The new regime complements existing operational resilience and outsourcing rules. Firms must still ensure they manage risks effectively, but the oversight regime adds an essential layer of protection by directly regulating the resilience of CTPs.”
International efforts
There has been increasing focus internationally on strengthening operational resilience.
In developing the proposals, the PRA “understands that firms may be subject to a number of reporting requirements from regulatory authorities in other jurisdictions,” the Bank wrote in its consultation document.
Therefore, the Bank noted that the policy has been designed “to be as interoperable as possible with similar existing and future regimes,” such as the EU’s DORA and the Financial Stability Board’s Format for Incident Reporting Exchange (FIRE).

Acknowledging the various regulatory efforts across different jurisdictions, Jack Armstrong, a London-based partner at EY specialising in operational resilience, called the UK proposals “a necessary evolution of the UK regulations to enhance visibility of operational resilience and systemic risks across the sector.”
“[They] aim to standardise incident reporting and ensure information is shared with regulators in a timely and consistent manner,” Armstrong added.
To do this, the proposals set out a range of definitions and guidelines, including a definition of ‘operational incidents’.
The proposed definition covers single events or a series of linked events that impact service delivery to external end users or compromise the availability, authenticity, integrity or confidentiality of data.
In addition, firms must determine if an incident meets the thresholds for significant impact.
“These thresholds should align with the level at which an operational incident poses a risk to regulatory objectives, such as consumer harm, UK financial system stability, firm safety and soundness or policyholder protection,” Armstrong, who leads EY’s UK financial services operational resilience solution, pointed out.
Phased approach
In the UK, the regulators propose a phased reporting approach for incidents that meet the defined thresholds: an initial report must be submitted to the PRA within 24 hours of a firm determining that an incident has breached the threshold, while the FCA requires it “as soon as practical”.
Both regulators then require an intermediate report whenever there is a significant change in the incident’s status.
Finally, both watchdogs demand a final report within 30 working days post-incident resolution, extendable to 60 working days if necessary.
“This report must include a full impact assessment, lessons learned and root causes,” Armstrong noted.
He added that “given firms’ increasing reliance on third-party services, the proposals expand the scope of reporting to include material outsourcing and non-outsourcing third-party arrangements and outline the following definitions and guidelines.”
Firms must determine whether an arrangement is ‘material’ based on the risk the third party poses to regulatory objectives, such as consumer harm, UK financial system stability, firm safety and soundness or policyholder protection, in the event of its failure or disruption.
Moreover, firms must maintain and annually submit a structured register of material third-party arrangements to ensure accurate records, Armstrong explained.
Finally, firms must notify regulators of material third-party arrangements requiring high due diligence, risk management, or governance, using a standardised template aligned with the register.
EU’s DORA rules
Armstrong touched on the question of whether firms can leverage the changes implemented for DORA, explaining that “while DORA focuses on high-impact incidents on critical or important functions, these proposals cover a broader range of operational incidents.”
He added: “Both share underlying data similarities, allowing firms to leverage DORA capabilities for UK incident reporting.”
The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) have been tasked with jointly establishing, rolling out and enforcing the EU’s new ICT framework.
Both DORA and UK regulations emphasise third-party risk management but differ in detail.
“The alignment between annual register requirements may reduce firms’ implementation effort and will ensure transparency and accountability,” Armstrong said.
While DORA comes into force in less than 10 days, the UK is still in its early stages as the consultation period runs until 13 March 2025, with new rules set for implementation no earlier than the second half of 2025 by the FCA and the second half of 2026 by the PRA.
Overall, Armstrong called the UK consultation paper “a significant step towards strengthening the operational resilience of the UK financial sector.”
In fact, by establishing a robust framework for reporting operational incidents and third-party arrangements, “the PRA aims to enhance oversight and support the operational resilience of the UK financial sector,” he concluded.
European-wide warning
As the implementation deadline for DORA draws near, on 17 January, less than 10 days away, banks and financial firms across Europe are rushing to make sense of the new rules and, perhaps more importantly, to be fully compliant by the end of January 2025.
Many European banks are still not prepared for DORA. At least, that was the stark warning from the European Central Bank (ECB) at the end of last year.
The ECB stated that a host of banks across Europe still face major IT challenges and their software testing practices are not up to scratch.
In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the central bank.
The ECB, the central bank of the European Union countries which have adopted the euro, wrote in a damning article in its latest compliance newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”
The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”
Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB observed.
As DORA’s deadline rapidly approaches, Jonathan Armstrong, a partner at Punter Southall Law and an expert in compliance and technology regulation (not related to EY’s Jack Armstrong), agrees with the ECB and warns that firms should not underestimate the impact of the new regulation.
“DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions,” explained Armstrong, pointing out it applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers, like cloud computing services.
“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure,” he continued, adding that “many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”
Armstrong singled out the global CrowdStrike outage in July, when millions of computers went down, primarily in the US, following a faulty software test. It demonstrated how “interconnected the global infrastructure is,” he added.
“DORA has caused concern in the financial services, tech and cyber security communities so it’s important for businesses to understand fully their responsibilities,” Armstrong wrote in recent legal analysis.
Penalties and measures
From January 17, EU Member States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons.
Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals.
“Member States may also choose to establish criminal penalties for breaches of DORA. In this respect DORA mirrors another recent compliance trend with a concentration on personal liability in an effort to reinforce cybersecurity measures,” Armstrong observed.

DORA spells out detailed criteria for the classification, management, and reporting of ICT risks.
It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.
Importantly, the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
With regards to this last element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner.
In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.
Armstrong was keen to stress that any organisation that is in the DORA regime, or provides services to those that are, will need to consider how to meet its responsibilities under DORA.
“This is likely to be a significant project for most and will include steps such as a gap analysis, to focus on the work that needs to be done, training on operational resilience, which is likely to include the IT team, communications professionals and the compliance function.”
He said that for banks and financial services organisations, “working out key dependencies, mapping devices and storage locations” may be vital, particularly to ensure that compliant contracts are in place with all third-party providers.
In summary, Armstrong warns that by January 17 “financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.”