Operational Resilience and DORA Cover - Bratby Law Payments Regulation

Operational Resilience and DORA

Operational resilience requires financial firms to identify their important business services and ensure they can survive adverse scenarios without breaching impact tolerances. The FCA’s operational resilience regime applies to UK-authorised firms. Bratby Law advises payment institutions, e-money institutions and other payment service providers on building operationally resilient frameworks that satisfy UK regulatory expectations. Firms with operations in the European Union must also comply with the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which took effect on 17 January 2025. DORA is an EU regulation that does not apply directly in the UK, but UK payment firms with EU business must satisfy both frameworks in parallel.

When does operational resilience become an issue?

Operational resilience obligations apply to FCA-authorised payment institutions, e-money institutions and other payment service providers within the scope of the FCA’s operational resilience rules. The framework becomes an issue at several distinct trigger points. First, if your firm is FCA-authorised and active in UK payments, you are subject to the FCA’s operational resilience expectations regardless of size. Second, if you have an EU-authorised entity or otherwise carry on regulated business in the EU, DORA compliance is mandatory and sits alongside UK requirements. Third, if you outsource critical functions such as payment processing, settlement, data storage or customer authentication to third-party providers, you must secure operational resilience contractually: the provider’s obligations on incident notification, testing, access and exit must be consistent with your own impact tolerances. Fourth, you must manage operational incident reporting obligations: the incident reporting framework published by the FCA and PRA in March 2026 introduces stricter timelines and wider scope than before. Fifth, if your firm relies on a service provider designated as a Critical Third Party under the regime operated by the FCA, PRA and Bank of England (whose rules took effect on 1 January 2025), you must implement additional controls and participate in scenario testing organised by the regulators. The Critical Third Party regime and the new incident reporting framework create a materially changed landscape for payment firms managing operational risk in 2026 and beyond.

Why operational resilience matters now

The operational resilience landscape shifted in 2025 and is now being tested in practice. The FCA’s deadline for firms to demonstrate that they could remain within impact tolerances for their important business services passed on 31 March 2025. Payment firms that could not demonstrate this by the deadline should expect regulatory scrutiny. In March 2026, the FCA and PRA published PS26/2, a new operational incident and third-party reporting framework that takes effect on 18 March 2027. This framework imposes a four-hour reporting obligation on payment service providers that detect significant operational incidents, far tighter than the 24-hour window that applies to other financial firms. Although the rules apply from March 2027, the detection, escalation and reporting procedures needed to meet a four-hour clock take time to design and rehearse, so payment institutions should be building them now.

The Critical Third Party regime came into force on 1 January 2025. The FCA, PRA and Bank of England published their final rules in November 2024. Designation itself is a decision for HM Treasury, made after consulting the regulators, and the first designations are expected during 2026. These designations are likely to cover cloud service providers, data centres and software vendors critical to the UK financial system. Once designated, a Critical Third Party becomes subject to direct regulatory oversight that extends beyond traditional outsourcing regulation of the firms that use it. Payment firms that use the services of a Critical Third Party must be prepared to meet supervisory expectations around testing, incident reporting and information access. A Memorandum of Understanding between the UK financial regulators and the European Commission, signed in January 2026, establishes joint oversight of Critical Third Parties that serve both UK and EU firms, reducing the risk of regulatory fragmentation.

For firms active in both the UK and EU, parallel compliance with DORA is mandatory. DORA has applied since 17 January 2025 to financial entities authorised in the EU, which includes the EU subsidiaries of UK payment groups. DORA and the UK operational resilience regime are broadly aligned but contain material differences in scope, definitions and enforcement mechanisms. Treating UK compliance as sufficient for DORA is a common error that leaves gaps in European risk management. The combination of new UK incident reporting timelines, the imminent first wave of Critical Third Party designations and parallel DORA compliance creates immediate operational complexity for payment firms with international operations.

Where payment firms get operational resilience wrong

Payment firms often treat operational resilience as an IT project rather than as the governance discipline that regulators expect. Assigning ownership to the technology function and viewing resilience as a compliance document creates institutional risk. Operational resilience is fundamentally about ensuring that the board can demonstrate that critical services survive stress. This requires ownership at board level, annual board reporting, and governance processes that challenge assumptions and test scenarios in realistic conditions.

A second error is identifying important business services too narrowly. Payment firms frequently identify payment processing itself but miss the broader chain: customer onboarding, fraud detection, settlement, reporting and dispute resolution are all important to the continuity of payment services. Narrow mapping leads to impact tolerances that do not reflect actual customer and market risk. Similarly, firms often set impact tolerances without understanding the true dependencies in their operations. An impact tolerance of two hours for settlement is meaningless unless the firm has actually tested whether it can isolate settlement from other systems and whether third-party providers can operate at that speed if the firm’s own systems fail.

Outsourcing arrangements frequently lack adequate contractual protections for operational resilience. Standard outsourcing terms address availability and performance but do not address the specific scenario where a third-party provider fails partially or completely, or where a regulator requires rapid intervention in the provider’s systems. Impact tolerances and testing expectations must be embedded in outsourcing contracts, with penalties and termination rights reflecting regulatory expectations. Payment firms also commonly test only cyber attack scenarios, overlooking the failure modes that regulators expect to be considered: provider insolvency, data centre loss, loss of key individuals at a provider, regulatory intervention in the provider’s jurisdiction, and shared infrastructure failures that affect multiple providers simultaneously.

A further error is assuming that UK operational resilience compliance automatically satisfies DORA requirements. The two frameworks have similar objectives but different definitions (DORA’s “critical or important functions” against the FCA’s “important business services”), different governance requirements and different reporting obligations. A firm that is compliant with UK requirements may still fall short of DORA in respect of ICT system redundancy, testing scope or incident notification timelines. Payment firms with EU operations must conduct a separate gap analysis and remediate accordingly. Finally, firms are unprepared for the new incident reporting timelines. The four-hour payment service provider reporting window is a material change from prior expectations. It requires incident response playbooks that separate detection, escalation and regulatory notification, and that ensure the firm can establish the nature and severity of an incident within four hours rather than 24.

What good looks like

Operational resilience frameworks that work in practice rest on clear governance. The board owns operational resilience policy, approves impact tolerances annually, receives regular reporting on whether the firm remains within tolerances, and approves testing scenarios and results. This is not a compliance activity delegated to the second line: it is a board-level governance obligation akin to capital adequacy or liquidity management. The framework documentation is concise and decision-focused, not a lengthy compliance binder. A good framework identifies important business services by mapping the full payment processing chain from customer onboarding through settlement and reconciliation, including the people, processes, technology, facilities and third parties each service depends on. This mapping identifies the minimum viable operations required to serve customers without material disruption. Impact tolerances are calibrated to the firm’s customer base and market role: a wholesale payments hub needs different tolerances than a retail payments acquirer. The firm then tests whether it can actually operate within those tolerances under stress. This testing goes beyond a desktop walkthrough: where it can be done safely, it involves failing over or shutting down systems, disconnecting from providers and observing whether the firm can continue to process payments within the tolerance, and where live testing is not feasible the scenario is exercised end to end with the people who would actually respond.

Outsourcing agreements contain explicit operational resilience protections. These address incident notification, testing participation, data and system access, change control and termination rights if the provider experiences material operational stress. The firm has designed incident response procedures that distinguish between three phases: detection, investigation and reporting. The detection phase identifies the incident and gathers preliminary information about severity. The investigation phase (conducted in parallel) gathers detailed information necessary for regulatory reporting. The reporting phase pushes information to regulators within the four-hour window. For firms with EU operations, the framework includes a documented gap analysis showing how UK operational resilience requirements differ from DORA and how the firm addresses each gap. This analysis is updated annually and reviewed by the board. The result is an operationally resilient firm that is transparent with regulators about its risk profile and has actually tested its ability to survive the scenarios that matter.

When to instruct an operational resilience specialist

Instruct specialist advice when designing or reviewing operational resilience from first principles, particularly if your current framework has not been tested in practice or was built for a smaller or less complex operation. A board-level assessment of your operational resilience framework, including challenge to your impact tolerance assumptions and your scenario testing, benefits from external perspective and benchmarking against peer practice. If you outsource critical functions, have specialist counsel review your outsourcing agreements specifically for operational resilience risks: gaps in notification obligations, testing access and termination rights create material exposure. If you have EU operations, conduct a gap analysis between your UK framework and DORA with specialist support to avoid the cost and reputational damage of discovering a material gap during FCA supervision or supervision by the relevant EU national competent authority. If you rely on a service provider that has been, or is likely to be, designated as a Critical Third Party, seek specialist advice on the supervisory expectations and contractual protections required. Finally, if you are designing new incident response procedures to meet the four-hour payment service provider reporting window, have the procedures reviewed by counsel to ensure they are operationally feasible and that roles and escalation pathways are clear.

How Bratby Law helps with operational resilience

Bratby Law advises payment institutions, e-money institutions and payment service providers on operational resilience across seven core services. First, we assist in designing operational resilience governance frameworks that satisfy FCA expectations and embed board-level oversight. Second, we work with payment firms to map important business services, particularly the payment processing chain from onboarding to settlement, to ensure that impact tolerances are calibrated to genuine business criticality and dependency. Third, we assist in developing and stress-testing impact tolerance settings with scenarios that reflect cyber attack, provider failure, data centre loss and key person dependencies, ensuring that the tolerances are operationally achievable. Fourth, we review outsourcing and third-party risk management frameworks, particularly the contractual protections in place for operational resilience scenarios such as provider failure, regulatory intervention or shared infrastructure breakdown. Fifth, we design incident reporting procedures tailored to the four-hour payment service provider reporting timeline under PS26/2, including detection, investigation and escalation processes. Sixth, for firms with EU operations, we conduct gap analyses between UK operational resilience requirements and DORA, identifying material differences in scope and expectations and advising on remediation. Seventh, we advise on the implications of the Critical Third Party regime and the supervisory expectations that apply to firms reliant on designated Critical Third Parties.


Frequently asked questions about operational resilience

Does DORA apply to UK payment firms?

DORA is an EU regulation and does not apply directly to UK-regulated payment firms. However, DORA applies to financial entities authorised in the EU, so a UK payment group’s EU subsidiary, or any other EU-authorised entity through which it serves EU customers, must comply with DORA in full. Using EU-based providers or EU cloud regions does not by itself bring a UK-authorised firm within DORA’s scope: scope follows where the financial entity is authorised, not where its suppliers sit. The practical consequence is that group-wide systems, providers and incident processes shared with an in-scope EU entity must meet DORA’s standards, because the EU entity cannot discharge its own obligations otherwise. The safe approach is to assume that DORA applies if your group has any material EU business.

What are the UK operational resilience requirements for payment firms?

The FCA requires UK-authorised payment firms to identify their important business services, set impact tolerances (the maximum tolerable level of disruption to each service, typically expressed as a maximum outage time, beyond which intolerable harm to customers or the market would result), map the people, processes, technology, facilities and third parties each service depends on, and test that the firm can remain within those tolerances under severe but plausible scenarios. Impact tolerances must be approved by the board, documented, and tested regularly, with at least annual review. The firm must also maintain a written self-assessment of its operational resilience, approved by the board, and be able to demonstrate to the FCA that its remediation plans are credible. Operational resilience is a board-level governance obligation, not an IT function.

What is the new incident reporting framework?

The FCA and PRA published PS26/2 in March 2026, effective from 18 March 2027. The new framework introduces differential reporting timelines, with a four-hour window for payment service providers and longer windows for other categories of regulated firm. Payment service providers must report operational incidents involving ICT systems, cyber attacks, third-party failures or other events that have a material impact on important business services. The four-hour window runs from detection, meaning payment firms must have detection procedures, incident investigation capacity and regulatory reporting processes in place immediately.

What is the Critical Third Parties regime?

The Critical Third Party regime, whose rules took effect on 1 January 2025, allows HM Treasury, after consulting the FCA, PRA and Bank of England, to designate third-party service providers as Critical Third Parties if their failure or disruption could threaten the stability of, or confidence in, the UK financial system. Once designated, a Critical Third Party becomes subject to direct oversight by the regulators, including information requests, incident reporting, scenario testing and self-assessment obligations. The first designations are expected during 2026, likely to include major cloud providers and software vendors. Designation does not transfer a firm’s own responsibility for its outsourcing: firms dependent on a Critical Third Party must still manage the relationship under the existing outsourcing and third-party risk rules, and should expect to participate in regulator-organised resilience testing.

How quickly must payment firms report operational incidents?

Under the new framework effective 18 March 2027, payment service providers must report significant operational incidents to the FCA within four hours of detection. This applies to incidents involving ICT systems, cyber attacks, third-party failures or other events affecting important business services. The four-hour window is a material tightening from the previous 24-hour expectation. Payment firms must design incident detection and escalation processes to meet this timeline and be able to provide preliminary notification within four hours even if detailed investigation continues after reporting.

What is the difference between UK operational resilience and DORA?

Both frameworks aim to ensure that financial firms can survive operational stress, but they differ in scope, governance requirements and enforcement. The UK regime is outcome-focused and built around important business services and impact tolerances; DORA is prescriptive and built around ICT risk management for “critical or important functions”, with detailed requirements on ICT system redundancy, testing and documentation. DORA requires firms to maintain a register of information on their contractual arrangements with ICT third-party providers and report it to the competent authority, to test their ICT systems at least annually, and, for firms identified for it, to undergo threat-led penetration testing at least every three years. Incident notification under DORA follows its own classification criteria and timelines, which do not map one-to-one onto the UK framework. Enforcement differs: DORA is enforced by the national competent authority in each EU Member State, with the European Supervisory Authorities overseeing designated critical ICT third-party providers, while the FCA supervises the UK requirements. Payment firms subject to both must address the differences through a separate gap analysis and remediation.

Do outsourcing arrangements need to address operational resilience?

Yes. FCA expectations and regulatory good practice require that outsourcing agreements for critical functions include explicit operational resilience protections. These must address incident notification and escalation, access to systems and data for audit and scenario testing, change control processes, testing participation by the provider, and termination rights if the provider experiences material operational stress. Standard outsourcing agreements frequently lack these protections and must be amended to reflect operational resilience expectations.

When should I review my operational resilience framework?

Review your framework immediately if you have not completed impact tolerance testing under realistic stress conditions, if your framework predates 2024, if you have significantly expanded your services or third-party dependencies, or if you have not yet designed procedures to meet the four-hour incident reporting timeline under PS26/2. At minimum, the board should review and reapprove operational resilience policy and impact tolerances annually, and testing results should be reported to the board at each review cycle. If you have EU operations, review your DORA compliance position in parallel with your UK operational resilience assessment.
