Your board-approved impact tolerance for a core banking system outage is 72 hours. Your IT team just told the CRO it will take 150 hours to restore from the latest backup test. And the Financial Conduct Authority’s Operational Resilience rules — Policy Statement PS21/3 — require you to demonstrate that your important business services can remain within those tolerances by 31 March 2026. That deadline is not a target. It is a cliff edge.

UK insurers face a triple regulatory pressure cooker this spring. The PRA’s Supervisory Statement SS1/21 demands self-assessment attestations. Solvency II operational risk capital calculations require integration with stress-tested resilience data. And the FCA’s March deadline means that every insurer — large composite, specialist Lloyd’s syndicate, or niche broker — must have documented, tested, and reported on its ability to withstand severe but plausible disruption across every important business service. For many firms, the gap between current capability and regulatory expectation remains uncomfortably wide.

This is not an IT problem. It is a board-level governance issue with solvency implications. Here are the three deadlines your compliance team cannot afford to miss — and the practical steps to meet each one without burning out your second-line team.

Deadline 1: FCA PS21/3 — The March 2026 Testing Attestation (Non-Negotiable)

The FCA’s finalised rules from March 2021 required all in-scope firms — including regulated insurers, Lloyd’s market participants, and major brokers — to identify important business services, set impact tolerances, and test them by 31 March 2025. That was year one. Year two, 31 March 2026, shifts from mapping to demonstrating continuous compliance. The regulator expects to see evidence that testing is embedded into your operational rhythm, not a once-a-year box-tick.

What does that look like in practice? Your firm must show that for each important business service — claims processing, policy issuance, premium collection, regulatory reporting — you have:

  • Run at least one severe but plausible scenario test within the last 12 months
  • Recorded the actual time to restore against your stated impact tolerance
  • Identified any gap and produced a remediation plan with a named owner
  • Reported the results to the board or a delegated risk committee

Most firms we assess have completed the mapping exercise. Few have executed tabletop exercises that match the severity regulators increasingly expect. The FCA has signalled that it will request a sample of attestations from firms of all sizes by mid-2026. If your file cannot produce a signed attestation from your CEO and accountable executive for every important business service, your firm is not ready.

Action this month

Schedule a gap analysis against PS21/3 using the FCA’s own template. Identify which services lack a recent tabletop or technical failover test. Prioritise services with tolerances under four hours — those are your highest regulatory exposure. Our CloudAuditX platform can automate the mapping of your cloud-based services to business processes, making the evidence trail auditable in minutes rather than weeks.

Deadline 2: PRA SS1/21 — The Self-Assessment Attestation Due by Mid-Year

PRA Supervisory Statement SS1/21, published in parallel with FCA PS21/3, applies specifically to PRA-regulated firms — banks, insurers, and designated investment firms. For the insurance sector, this means all Solvency II firms, plus those in the Lloyd’s market. The PRA expects a board-approved self-assessment demonstrating that your operational resilience framework is not just documented but operationally live.

The PRA’s focus is sharper than the FCA’s. It expects evidence that your operational risk management framework — the one you describe in your Solvency II ORSA narrative — is actually driving resource allocation. If your board approved a tolerance of two-hour maximum downtime for your policy administration system, the PRA will want to see that your IT budget reflects investment in redundancy to meet that standard. A gap without a capital allocation plan is a red flag.

The supervisory statement also demands that you map the interdependencies between services. A property insurer might deem its property claims service an important business service. But if that service depends on an outsourced loss adjuster portal, a cloud data lake in AWS eu-west-2, and a Lloyd’s delegated authority platform — each of which has its own resilience posture — the PRA expects you to have tested the chain, not just the endpoint.

Integration with Solvency II operational risk capital

Solvency II Article 101 requires insurers to hold capital for operational risk. The standard formula calculates this as a percentage of earned premiums and technical provisions — a blunt instrument. Many firms use the PRA’s expectations around operational resilience to refine their internal model. By proving that your important business services have tested tolerances, you can argue for a lower operational risk capital charge in your ORSA. This is not speculative. The PRA explicitly expects the operational resilience assessment to feed into the Solvency II internal model. If your firm uses an internal model, the March-to-June window is your opportunity to align the two.

We recommend that every Solvency II insurer complete an SS1/21 gap analysis by May 2026. Our team’s work includes aligning ISO 27001 certified management systems with PRA expectations, ensuring that the ISMS you operate for security serves double duty as the governance backbone for operational resilience.

Deadline 3: Solvency II Operational Risk Disclosure — The ORSA Narrative Must Be Resilient

The third deadline is quieter but no less consequential. The Prudential Regulation Authority expects that the 2026 ORSA — due for most firms in the third or fourth quarter — explicitly addresses operational resilience. This is not a new requirement, but the PRA’s thematic review in 2024 found that many firms treated resilience as a separate workstream from the ORSA. That disconnect is now a supervisory risk.

Your ORSA narrative must demonstrate that:

  • Your important business services have been identified consistently between the operational resilience register and the ORSA risk taxonomy.
  • Your impact tolerances have been stress-tested against severe but plausible scenarios.
  • The results of those tests feed into your operational risk capital assessment — including your internal model, if you use one.
  • Board-level oversight of operational resilience is documented and evidenced.

For firms on Solvency II’s standard formula, the expectation is lighter but not absent. The PRA will read your ORSA as a statement of your firm’s self-awareness. A narrative that describes resilience as a project rather than an ongoing capability signals weakness. The regulator’s supervisory engagement letters increasingly include specific questions about how resilience data flows into the ORSA. Prepare for that question now.

The Common Mistakes That Expose Firms to Regulatory and Operational Risk

We review resilience attestations from over forty insurers annually. The same mistakes appear in every cohort:

  1. Treating resilience as an IT disaster recovery exercise. The FCA and PRA care about the business service outcome, not the technical restore time. A data centre failover that completes in two hours is useless if the claims adjuster is still paper-based and cannot process claims without the building. Operational resilience is a business process outcome, not an IT metric.
  2. Testing only one scenario per service. The regulator expects severe but plausible scenarios across multiple vectors — cyber attack, loss of office building, third-party failure, pandemic recurrence. If your only test was a power outage in your primary office, your attestation will not hold up under supervisory scrutiny.
  3. Failing to update impact tolerances after a business change. If you acquired a block of business, launched a new MGA distribution channel, or migrated policy administration to a new cloud provider, your impact tolerances and testing need updating. The 2026 attestation must reflect your business as it stands in January 2026, not your 2022 business model.
  4. Using defensive, minimal disclosure language. The PRA penalises firms that describe their testing as ‘adequate’ without specific evidence. If you acknowledge a gap and present a plan with dates, budgets, and accountable owners, the regulator responds better than it does to a vague assertion of compliance.

One practical fix: adopt a standard impact tolerance template across every important business service and review it quarterly at the operational risk committee. Our fractional vCISO service embeds a senior practitioner into your team to drive this discipline without the cost of a full-time hire.

How Pyralink Helps UK Insurance Firms Hit These Deadlines

Pyralink Innovation Ltd is a UK-based cybersecurity firm founded by Michael Adedeji (CISM, CISA, CC, MSc Data Science). We are not generalists. Our consultants have implemented operational resilience frameworks in Lloyd’s syndicates, MGA platforms, and composite insurers. We bring a focus on the practical, auditable outputs that the FCA and PRA expect.

Our services align directly with the deadlines described above:

  • CloudAuditX — Automates evidence collection for cloud-based important business services, mapping infrastructure to business processes and testing scenarios. Learn more about cloud audit automation. A free trial is available for qualified firms.
  • Fractional vCISO — A senior operational resilience lead embedded in your team, typically one day per week, to drive the testing calendar, governance updates, and board reporting. Pricing starts at £497 per month.
  • ISO 27001 certification support — Align your information security management system with the governance requirements of both PS21/3 and SS1/21. Our ISO 27001 clients consistently report that the management system accelerates resilience testing cycles.
  • Compliance programme management — From FCA attestation templates to ORSA narrative integration, our team manages the full regulatory lifecycle.

We hold £5 million professional indemnity insurance and operate from the UK under the guidance of the NCSC and IASME. Our clients range from Lloyd’s syndicates to niche EEA insurers with UK branches. Every engagement produces an unambiguous, audit-ready output.

Do not leave your 2026 operational resilience deadline to chance. The firms that prepare now will file their attestations in March and move on to business growth. The ones that delay will spend the summer in regulatory correspondence.
