Feature Business Continuity
Your BCP Activation Just Became a Regulatory Notification Trigger: What FCA/PRA PS26/2 Requires by March 2027
The FCA and PRA published PS26/2 in March 2026, establishing a new operational incident reporting regime that hardwires regulatory notification into BCP activation. Financial institutions with UK operations have until March 18, 2027 to comply. Here's what needs to change in your BCP.
Table of Contents
TL;DR
- On March 18, 2026, the FCA and PRA published PS26/2 and PS7/26, establishing a new operational incident reporting regime that explicitly links BCP activation to regulatory notification
- Firms must notify via FCA Connect within 24 hours of determining an incident is reportable; payment service providers face a 4-hour window from detection
- BCP activation is named as a “significant change” requiring a regulatory update — your BCP flowchart needs a notification obligation decision point built in
- Third-party reporting expanded: material non-outsourcing arrangements now require pre-contractual notification, not just outsourcing
- March 18, 2027 implementation deadline — 12 months from publication
Your business continuity plan tells your team what to do when something breaks. Activate the BCP. Convene the crisis team. Invoke your recovery procedures. Execute the plan.
What most BCP activation flowcharts don’t tell you: call your regulator.
When the FCA and PRA published PS26/2 and PS7/26 on March 18, 2026, they established something most BCP programs weren’t built to handle. Under the new unified operational incident and third-party reporting regime, BCP activation is explicitly identified as a “significant change” that requires a regulatory update — when the triggering incident meets the notification thresholds. That update must happen within 24 hours of your firm determining the incident is reportable. For payment service providers, the clock runs even faster: 4 hours from first detection.
Your BCP procedures need a new step. Financial institutions with UK operations have until March 18, 2027 to put it there.
What PS26/2 Actually Changed
The FCA, PRA, and Bank of England have had notification expectations for significant operational incidents for years. What PS26/2 creates is a unified, explicit, rule-based framework that replaces previous guidance with binding requirements and defined timelines.
Three things changed materially:
Notification timing is now a rule, not a principle. The prior framework relied on Principle 11 (relations with regulators) and supervisory expectations about “timely” notification. PS26/2 defines timely: 24 hours from determination for FCA-regulated firms. 4 hours from detection for payment service providers. The previous “we’ll notify when we have enough information” posture is no longer defensible.
BCP activation is named as a notification trigger. This is the detail that will catch BCP owners off guard. The new regime explicitly identifies BCP activation as a “significant change” that requires a regulatory update during an ongoing incident. The moment your crisis team decides to activate your BCP, that decision is also supposed to prompt a notification assessment. Your incident command structure needs to run two tracks simultaneously: technical containment and regulatory notification.
Third-party reporting scope is significantly broader. Previously, outsourcing arrangements of certain types required notification. PS26/2 extends this to material non-outsourcing third-party arrangements — and requires notification early in the decision-making process, before contractual commitment. If your firm is evaluating a new critical vendor relationship, the notification obligation may attach before you’ve signed the contract.
The Incident Definition: What Triggers the Notification
Under PS26/2, a reportable operational incident is one that:
- Disrupts the delivery of services to external end users; or
- Compromises the availability, authenticity, integrity, or confidentiality of data held for external users
The threshold requires the incident to be “significant” — meaning it has meaningful impact on the firm’s services or on user data, at a scale assessed against the firm’s particular size and service profile. The final rules include additional materiality guidance, but the essential test is: did this affect real users, or did it create real risk to their data?
An extended system outage that takes your UK banking platform offline qualifies. A significant data breach at a vendor processing UK customer data qualifies. A BCP activation in response to a physical site event that disrupts service delivery to UK clients qualifies. A brief internal IT issue that had no user impact and was resolved before customers noticed does not.
The notification clock for the 24-hour window starts when the firm determines the incident is reportable — not when the incident began. For PSPs, the 4-hour clock starts from first detection, period.
What Your BCP Needs to Change Before March 2027
Most business continuity plans follow a structure like this: trigger event → activate BCP → execute recovery procedures → resume operations. The regulatory notification step, when it appears at all, is typically after-the-fact documentation.
PS26/2 changes that sequence for UK-regulated firms. Here’s what the updated flow needs to include:
| BCP Step | What Changes Under PS26/2 |
|---|---|
| Incident detection | PSPs must track from detection; all others from determination of significance |
| Initial triage | Add notification obligation assessment: does this meet reporting thresholds? |
| Crisis team activation | Notification decision must be documented with timestamp |
| BCP activation decision | If incident is reportable, BCP activation = additional notification trigger (significant change) |
| Recovery execution | Ongoing notification updates as significant changes occur |
| Regulatory communication | FCA Connect submission within 24 hours of determination (not after recovery) |
The practical implementation means your crisis team lead — whoever chairs your incident management or BCP activation call — needs a checklist item that explicitly asks: “Is this a reportable incident? If yes, who is filing the FCA Connect notification and on what timeline?” That question needs to be asked in the first meeting, not three days later when recovery is complete.
This should also feed into your annual BCP review triggers. The PS26/2 implementation deadline in March 2027 is a firm date for updating both the plan and the activation procedures.
US Firms with UK Operations: This Is Your Problem Too
If you work at a US-headquartered bank, asset manager, payment firm, or fintech with UK regulatory authorization, PS26/2 applies to your UK entity’s operations. Your group BCP framework needs to account for jurisdiction-specific notification obligations that now differ materially between the US and the UK.
Under the FFIEC 36-hour notification rule, US banking organizations must notify their primary federal regulator within 36 hours of determining a significant computer security incident occurred. Under PS26/2, your UK entity must notify via FCA Connect within 24 hours of determining an incident is reportable — a stricter timeline with a broader incident scope that extends beyond cybersecurity to all operational disruptions.
Firms running unified incident response and BCP across jurisdictions need to build jurisdiction-specific notification lanes. When an incident affects both your US and UK operations, you’re managing two notification clocks simultaneously: the 36-hour federal clock and the 24-hour FCA clock. The faster one sets the pace, and the clocks don’t sync.
CIRCIA’s 72-hour reporting requirements add another clock for covered critical infrastructure entities. The trend across jurisdictions is unmistakable: notification windows are contracting, and “we needed more information” is becoming less defensible as an explanation for delayed notification.
The Third-Party Angle: Vendor Onboarding Just Got More Complicated
The third-party changes in PS26/2 are the element most TPRM programs weren’t designed to handle.
Prior to PS26/2, UK outsourcing rules focused primarily on designated “material outsourcing” arrangements — formal delegations of operational functions to third parties. The new regime extends notification obligations to material non-outsourcing third-party arrangements. An important operational dependency on a SaaS platform that isn’t technically an outsourced function might still require pre-engagement regulatory notification.
More significantly: the timing requirement moved forward. Notification of new material third-party arrangements must happen early in the decision-making process, before contractual commitment. Your vendor procurement process, which probably includes a TPRM review stage before signing, now needs a regulatory notification decision point inserted before that stage.
For firms managing supply chain incidents where disruption originates at a vendor — exactly the scenario PS26/2 was designed to address — the pre-contractual notification requirement adds a preventive layer. Regulators see the arrangement before it becomes an incident.
Why US Regulators Are Watching
PS26/2 represents the most structurally significant operational incident reporting framework published by a major financial regulator in 2026. The FCA and PRA moved from principles to rules, from aspirational to binding, and from after-the-fact documentation to pre-incident framework requirements.
The FFIEC is watching. The 36-hour notification rule has been in effect since 2022, but the direction of regulatory travel on both sides of the Atlantic is toward more explicit requirements, tighter timelines, and examination scrutiny of notification infrastructure built before incidents happen — not assembled during them.
The operational resilience frameworks developing in both jurisdictions share a common premise: regulators want firms that can keep operating under adverse conditions, and they want to know immediately when that capability is being tested. Your BCP is no longer purely an internal recovery document. For UK-regulated firms, it is now a notification trigger.
So What?
PS26/2 takes effect March 18, 2027. Here’s what needs to happen before that deadline:
For firms with UK regulatory authorization: Map your existing BCP activation procedures against the PS26/2 notification requirements. Identify the gaps — specifically, where your activation flowchart currently has no regulatory notification step. Update your incident command structure to include a notification obligation assessment at the triage stage. The FCA Connect submission process needs to be tested before the regulation goes live, not learned for the first time during an actual incident.
For firms with material UK third-party arrangements: Audit your vendor onboarding workflows against the new pre-contractual notification requirement. Identify any arrangements that may qualify as material non-outsourcing third-party arrangements under the expanded definition.
For US-only firms: This is a leading indicator. The trajectory of US regulatory development on operational incident reporting — from the FFIEC 36-hour rule to the CIRCIA framework — mirrors what the UK just formalized. Building a notification-ready BCP now costs the same as building one after US regulators get there.
The call to activate your BCP is no longer a purely internal decision. Build the regulatory notification step in before March 2027 — not after the FCA calls to ask why they heard about it late.
Sources:
- FCA PS26/2: Operational Incident and Third Party Reporting
- PRA PS7/26: Operational Incident and Third-Party Reporting
- Regulation Tomorrow: FCA, PRA and BoE Issue Policy Statements on Operational Resilience
- Macfarlanes: Operational Incident and Third-Party Reporting — The FCA’s New Framework Under PS26/2
- Sidley: UK Operational Incident and Third-Party Reporting Rules — What Firms Should Do Now
The Business Continuity & Disaster Recovery (BCP/DR) Kit includes BCP activation checklists, incident notification timelines, crisis team flowcharts, and recovery procedure templates — built for practitioners managing regulatory notification obligations alongside technical recovery.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is FCA/PRA PS26/2 and when does it take effect?
Does PS26/2 apply to US-headquartered banks and fintechs with UK operations?
What types of incidents must be reported under the new FCA/PRA rules?
How does the PS26/2 notification window work in practice?
What changed in the third-party reporting requirements under PS26/2?
How does the UK PS26/2 24-hour notification rule compare to the US FFIEC 36-hour rule?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Keep reading
Related posts.
Business Continuity
Power and Telecommunications Resilience: What the 2026 FFIEC BCM Booklet Requires You to Document and Test
The 2026 FFIEC BCM Booklet elevated power and telecommunications resilience from a supporting concern to a standalone examination focus. Here's what examiners now look for in generator testing, telecom redundancy documentation, and alternate site utility independence.
Jul 4, 2026
Business Continuity
BCP Update Triggers: When FFIEC Requires You to Revise Your Business Continuity Plan Between Annual Reviews
Annual BCP review isn't enough. The FFIEC BCM Handbook and ISO 22301 both identify specific events that require mid-cycle plan updates. Here's the six-trigger framework that keeps your program defensible year-round.
Jun 25, 2026
Business Continuity
Third-Party Dependent BCP: What FFIEC BCM and OCC 2023-17 Require You to Verify About Vendor Continuity
Collecting a vendor's BCP and verifying it are not the same thing. FFIEC BCM and the 2023 interagency third-party guidance both require institutions to actively assess critical vendor resilience — and bank examiners know the difference. Here's what the verification standard actually requires.
Jun 14, 2026