Financial services is the most heavily regulated sector for cybersecurity — and for good reason. Banks, insurers, asset managers, payment firms, and fintech companies hold sensitive financial data, process high-value transactions, and underpin critical economic infrastructure. A cyber incident at a financial services firm can cascade rapidly, affecting consumers, counterparties, and market stability. In 2026, the regulatory bar is higher than ever, and the consequences of non-compliance — both financial and operational — are severe.

This guide covers the key cybersecurity and operational resilience regulations affecting financial services firms operating in or from the UK, the EU, and Singapore, with practical steps for achieving and demonstrating compliance.

UK: FCA Operational Resilience (PS21/3)

The FCA's operational resilience framework, established through Policy Statement PS21/3 published in March 2021, came fully into force on 31 March 2025. This means all in-scope firms must now be operating within their impact tolerances for each important business service. The FCA has been actively reviewing compliance since this deadline, and the regulator's published observations from the first year of full enforcement — including insights from the July 2024 CrowdStrike outage — provide valuable guidance on what effective operational resilience looks like in practice.

What the Framework Requires

The FCA's operational resilience rules, set out in SYSC 15A of the FCA Handbook, require firms to:

  • Identify important business services — those services that, if disrupted, could cause intolerable harm to consumers or threaten market integrity. This assessment must be business-led, not IT-led, and should reflect the firm's specific operating context, customer base, and market role.
  • Set impact tolerances — the maximum tolerable disruption for each important business service, measured in time. The FCA expects firms to set tolerances that are specific, measurable, and challenging but achievable. For example, a retail bank might set a tolerance of 4 hours for core account access but 24 hours for less critical services like historic statement requests.
  • Map dependencies comprehensively — firms must document the people, processes, technology, facilities, information, and third parties that support each important business service. This mapping must be kept current as the business evolves.
  • Conduct scenario testing — firms must test their ability to remain within impact tolerances under severe but plausible scenarios. The FCA expects at least one major scenario test annually, covering scenarios such as ransomware attacks, cloud provider failure, data centre loss, and extended power outages.
  • Report to the board — the board must receive and challenge operational resilience reporting, including the results of scenario testing, identified vulnerabilities, and proposed remediation investments. This is not a tick-box exercise: the FCA expects boards to demonstrate active oversight and challenge.
  • Learn from incidents — the FCA's post-CrowdStrike observations highlighted the importance of post-incident reviews and implementing improvements identified from real-world disruptions, not just from planned scenario tests.

Who Is in Scope?

The operational resilience rules apply to a broad range of firms, including banks and building societies, PRA-designated investment firms, life and general insurers, Recognised Investment Exchanges, enhanced scope Senior Managers and Certification Regime (SM&CR) firms, entities authorised under the Payment Services Regulations 2017, electronic money institutions, and consolidated tape providers. If your firm falls into any of these categories — or if you provide outsourced or managed services to firms that do — these requirements affect your business.

Post-March 2025 Compliance: Gaps the FCA Is Identifying

Since the March 2025 deadline, the FCA has been actively reviewing firms' operational resilience arrangements. Common findings from FCA supervisory engagement include:

  • Incomplete dependency mapping — many firms have identified important business services but have not fully mapped the underlying technology, third-party, and people dependencies. Mapping is not a one-time exercise; it must be kept current as the firm changes.
  • Impact tolerances that are too generous — some firms have set tolerances that would allow disruption for days or weeks, which the FCA considers unlikely to prevent intolerable harm to consumers.
  • Insufficient scenario severity — scenario tests that simulate only minor disruption do not demonstrate resilience against the severe but plausible scenarios the FCA expects. Firms should consider scenarios including simultaneous failures, supply chain cascades, and prolonged loss of critical services.
  • Weak board challenge — the FCA has noted that some boards accept operational resilience reports without meaningful challenge, which undermines the accountability framework that PS21/3 was designed to create.

Critical Third Party (CTP) Oversight

Since November 2024, the FCA, Bank of England, and PRA have had statutory powers to oversee the resilience of critical third parties serving the financial sector. This regime, established under the Financial Services and Markets Act 2023, applies to technology service providers whose failure could threaten financial stability or confidence in the UK financial system. While the CTP regime directly regulates the third party, firms retain full accountability for their own operational resilience — including risks arising from CTP dependencies. Firms cannot outsource their resilience obligations.

EU: DORA — Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is an EU regulation that applies to EU-based financial entities and their critical ICT third-party providers. It is critical to understand that DORA is an EU regulation — it does not directly apply to UK-only financial entities. UK firms may be affected if they operate an EU-authorised entity, serve EU customers, or are contracted as a critical ICT provider to an EU financial entity.

DORA's requirements are structured around five pillars:

  1. ICT risk management — firms must establish and maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, recovery, and learning. This framework must be documented, tested, and reviewed at least annually.
  2. ICT-related incident reporting — firms must classify incidents by severity and report major ICT-related incidents to the competent authority: initial notification within 4 hours, intermediate report within 24 hours, and final report within one month. This 4-hour window is among the tightest in global financial regulation and demands automated detection and triage capability.
  3. Digital operational resilience testing — firms must conduct regular testing proportionate to their size and risk profile. Systemically important entities must conduct threat-led penetration testing (TLPT) every three years, following a framework aligned with the European Central Bank's intelligence-led testing methodology.
  4. ICT third-party risk management — DORA introduces enhanced requirements for managing risks from ICT service providers, including contractual provisions for access, audit, and termination rights. Providers designated as "critical" by the European Supervisory Authorities are subject to direct oversight, including the power to impose penalties for non-compliance.
  5. Information sharing arrangements — DORA encourages and provides legal safe harbour for firms to share cyber threat intelligence with trusted peer organisations, helping to strengthen collective defence across the EU financial sector.

Singapore: MAS Technology Risk Management Guidelines

The Monetary Authority of Singapore's Technology Risk Management (TRM) Guidelines, updated most recently in June 2024, set comprehensive requirements for financial institutions on technology risk governance, security controls, operational risk management, and cyber resilience. Key requirements include conducting annual Business Impact Assessments, maintaining cyber incident response and recovery plans with defined escalation procedures, and ensuring board-level oversight of technology risk. For UK-headquartered financial institutions with Singapore operations, compliance with MAS TRM is additional to UK regulatory obligations.

FCA Cyber Coordination Groups and CBEST

The FCA operates cyber coordination groups that convene firms of similar characteristics — for example, retail banks or investment managers — to discuss common threats, share defence strategies, and coordinate responses to sector-wide incidents. Participation is voluntary but offers significant intelligence-sharing value. For systemic firms, the CBEST programme provides a framework for intelligence-led penetration testing conducted by NCSC-approved testers. CBEST assessments simulate the tactics, techniques, and procedures of specific threat actors targeting the firm, providing a more realistic test of security controls than standard penetration testing.

Building a Cross-Jurisdiction Compliance Programme

For financial services firms operating across multiple jurisdictions, the compliance challenge is significant. An internationally active firm may need to satisfy FCA operational resilience rules, DORA requirements (for EU operations), MAS TRM (for Singapore), and local data protection laws in each jurisdiction. Our consultants help firms build harmonised compliance programmes that establish a single set of controls mapped across multiple regulatory requirements, reducing duplication and ensuring consistent security outcomes.

How Our Team Supports Financial Services Firms

Our consultants provide specialist cybersecurity support for financial services firms, including FCA operational resilience gap assessments (including post-March 2025 remediation planning), DORA readiness for EU-regulated entities, incident response plan development, scenario testing and tabletop exercises, CTP dependency analysis, and ongoing vCISO services with board-level reporting. Our founder's CISM and CISA certifications reflect deep expertise in governance and audit within highly regulated sectors.
