
SS1/26 – Operational resilience: Incident reporting

AI Analysis

Executive Summary

SS1/26 outlines the PRA's expectations for firms to report operational incidents via a structured three-phase process (initial, intermediate, final) as mandated in the PRA Rulebook's Regulatory Reporting Part, Chapter 24, to enhance UK financial sector resilience by capturing incidents risking firm safety, policyholder protection, or stability. This matters because it standardizes reporting, enabling timely PRA oversight and reducing inconsistencies in incident data collection across regulated entities.

What Changed

- Introduces clear reporting thresholds in Regulatory Reporting Rule 24.2: Firms must report if an incident poses risks to UK financial stability, firm safety/soundness, or (for insurers) policyholder protection; factors include operational/financial contagion, service disruptions, data loss to external users, or regulatory/media attention.
- Mandates a phased reporting approach (Rule 24.1-24.4): Initial report as soon as practicable (expected within 24 hours of threshold determination); intermediate updates for significant changes (e.g., impact escalation, BCP activation, resolution); final report within 30 working days of resolution (or 60 if impracticable).
- Excludes near-misses (potential events without disruption/data loss to external users); aligns with but does not replace Fundamen

What You Need To Do

  • Assess incidents against PRA thresholds (e
  • Submit phased reports using specified fields
  • Maintain processes for prompt classification, data gathering, and submission while prioritizing resolution; continue ad-hoc supervisory notifications if needed
  • Review internal policies to align severity ratings with PRA thresholds; document assessments
  • For critical third-party (CTP) incidents, both firms and CTPs report uniquely

Key Dates

18 March 2026 - Publication date of SS1/26.
18 March 2027 - Effective date; firms must comply with reporting requirements.
Within 24 hours - Expected submission of initial phase report after determining threshold met (as soon as practicable).
Each significant change - Intermediate phase update(s), including at resolution.
Within 30 working days of resolution - Final phase report (extendable to 60 working days if impracticable).

Compliance Impact

Urgency: High – With effectiveness just over one year away (18 March 2027), firms must urgently map incident management frameworks to new thresholds/phases, update policies, train staff, and test reporting (e.g., via simulations), as non-compliance risks enforcement under PRA rules and heightened scrutiny on resilience amid rising cyber/operational threats. This elevates operational resilience fro

Who is Affected

UK banks, building societies, PRA-designated investment firms, UK branches of overseas banks
UK Solvency II firms, Society of Lloyd’s, and its managing agents

Summary

Supervisory statement 1/26

Relevant Firm Types

Bank, Insurance, All Firms