FCA Cyber Incident Reporting & NIS2 DORA Compliance: A Financial Resilience Guide
This guide explains the FCA's new cyber incident and third-party reporting rules, how they integrate with NIS2 and DORA requirements, and provides a step-by-step implementation plan for financial firms to enhance operational resilience and avoid regulatory penalties.
Introduction: Navigating the New Era of Financial Cyber Resilience
The financial sector faces an unprecedented convergence of regulatory mandates aimed at fortifying cyber defenses and ensuring operational continuity. The Financial Conduct Authority (FCA) has confirmed new rules to standardize and clarify cyber incident and third-party reporting requirements for regulated firms. This regulatory update is not an isolated development; it aligns with broader European Union frameworks like the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), which apply from 17 October 2024 and 17 January 2025, respectively. For financial institutions operating in or with the EU, understanding the interplay between the FCA's requirements, NIS2, and DORA is critical for compliance and resilience.
This comprehensive guide will help financial firms navigate this complex landscape. You will learn the specifics of the FCA's new reporting obligations, how they integrate with NIS2 and DORA, the key components of an effective compliance program, and actionable steps for implementation. We will also analyze recent, high-profile breaches to illustrate common compliance gaps and demonstrate how tools like AIGovHub can automate compliance tracking and alerting.
Prerequisites for Compliance
Before diving into the new rules, ensure your organization has foundational elements in place. These are not just best practices but are often referenced or required by the regulations discussed.
- Basic Cybersecurity Hygiene: Implement core controls like multi-factor authentication, regular patch management, network segmentation, and endpoint detection and response (EDR).
- Existing Incident Response Plan (IRP): Have a documented plan that outlines roles, communication protocols, and recovery procedures. This will need updating to meet new reporting timelines.
- Third-Party Inventory: Maintain a complete and current inventory of all third-party service providers, especially those with access to your data or critical systems.
- Risk Assessment Framework: A process to identify, assess, and prioritize cyber risks, including those stemming from your supply chain.
- Management Awareness: Ensure senior leadership and the board understand their accountability under these new regimes, particularly NIS2's management accountability requirements.
Step 1: Understanding the Regulatory Landscape and Deadlines
The FCA's new rules aim to make reporting processes clearer, more consistent, and easier to follow, addressing gaps in existing frameworks. While the exact FCA implementation dates should be verified with the regulator, these rules are part of a global trend demanding faster, more transparent disclosure of cyber incidents.
They must be viewed in conjunction with two major EU regulations:
- NIS2 Directive: Member states had until 17 October 2024 to transpose this directive into national law. It applies to "essential" and "important" entities across 18 sectors, including many financial market infrastructures. It mandates risk management measures, incident reporting (24-hour early warning, 72-hour formal notification), and strict supply chain security. Penalties can reach up to EUR 10 million or 2% of global annual turnover for essential entities.
- DORA (Digital Operational Resilience Act): This regulation is directly applicable across the EU from 17 January 2025. It specifically targets financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers under MiCA). DORA requires a comprehensive ICT risk management framework, incident reporting, advanced resilience testing (including threat-led penetration testing), and rigorous third-party ICT risk management.
Key Integration Point: For a UK-based firm with EU operations, an incident may trigger reporting obligations to the FCA under its new rules, to an EU national competent authority under NIS2, and to an EU financial regulator under DORA. Your incident response plan must account for these potentially overlapping and stringent timelines.
Step 2: Key Components of the New Compliance Requirements
Incident Detection and Assessment
Regulations are moving beyond mere response to requiring proactive detection capabilities. NIS2 and DORA emphasize the need for systems to detect anomalies and potential incidents. The first step in meeting any reporting deadline is knowing an incident has occurred. Firms must implement continuous monitoring and have clear criteria for what constitutes a "reportable incident." This likely includes any event that leads to a significant loss of data confidentiality, integrity, or availability, or that disrupts critical services.
Notification Timelines and Content
This is where the rules get specific and demanding. While the FCA's precise timelines will be clarified in its final rules, we can look to NIS2 and DORA for the direction of travel:
- NIS2: Requires an early warning within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours, and a final report within one month.
- DORA: Mandates that financial entities report major ICT-related incidents to competent authorities "without undue delay." Regulatory technical standards will define major incidents and detailed reporting templates.
Your reporting procedures must be able to gather the necessary information (impact assessment, root cause, affected data, and mitigation measures) within these compressed timeframes.
Third-Party and Supply Chain Risk Management
This is arguably the most critical and challenging component. The FCA's focus on third-party reporting, NIS2's supply chain security obligations, and DORA's dedicated third-party ICT risk management title all highlight that your security is only as strong as your weakest vendor.
Requirements include:
- Conducting thorough due diligence before onboarding critical vendors.
- Ensuring contracts mandate security standards, audit rights, and incident notification obligations from the vendor to you.
- Continuously monitoring the cyber risk posture of key suppliers.
- Having exit strategies to ensure operational resilience if a critical vendor fails.
Step 3: Learning from Recent Breaches – The Marquis Case Study
The August 2025 ransomware attack on Marquis Software, a provider of customer relationship management tools to financial institutions, is a textbook example of the risks these new regulations aim to mitigate.
The Incident: Threat actors exploited a vulnerability in Marquis's SonicWall firewall, compromising the personal and financial data of at least 672,075 individuals and disrupting operations at 74 U.S. banks. The breach was linked to a separate September 2025 incident at SonicWall's cloud backup service.
Compliance Gaps Illustrated:
- Third-Party Risk Management Failure: The banks were impacted not by a direct breach of their systems, but through a vendor (Marquis), which itself was compromised via another vendor (SonicWall). This cascading failure highlights the need for deep supply chain scrutiny.
- Incident Reporting and Transparency: Independent estimates suggested the victim count could have been between 788,000 and 1.35 million, higher than initial disclosures. This underscores the challenge of accurate and timely impact assessment for reporting.
- Operational Disruption: The attack caused significant service disruption, a key concern for DORA's operational resilience mandate.
- Legal and Regulatory Fallout: Marquis faced over 36 consumer class action lawsuits and sued SonicWall for gross negligence. This shows how cyber incidents quickly escalate into severe legal, financial, and reputational crises.
This case makes it clear: robust vendor risk management and integrated incident response plans are no longer optional.
Step 4: Step-by-Step Implementation Plan
Policies and Governance
- Update the Incident Response Plan (IRP): Integrate the new reporting timelines (aligning with FCA, NIS2, and DORA expectations). Define clear roles for legal, compliance, PR, and IT teams during an incident. Include specific playbooks for third-party-originated incidents.
- Formalize Third-Party Risk Management (TPRM) Policy: Establish a lifecycle approach to vendor risk: classification, due diligence, contract security annexes, continuous monitoring, and termination. Assign clear ownership, often to the CISO's office with oversight from risk and compliance.
- Enhance Board Reporting: Develop regular dashboards for the board and senior management covering cyber risk posture, status of critical third parties, and lessons learned from incidents (internal and industry-wide).
Tools and Technology
Manual processes will not suffice under 24- to 72-hour reporting deadlines. Consider integrating the following:
- Security Information and Event Management (SIEM) / Extended Detection and Response (XDR): For centralized log collection, correlation, and automated alerting to speed up detection.
- Incident Response Platforms: Tools to orchestrate response workflows, manage evidence, and facilitate communication during a crisis.
- Vendor Risk Management Platforms: Solutions to automate vendor questionnaires, monitor for vendor-related security news, and maintain an audit trail of due diligence.
- Compliance Automation Platforms: This is where AIGovHub's platform provides significant value. It can help track regulatory deadlines from multiple jurisdictions (FCA, NIS2, DORA), map your controls to requirements, and send automated alerts for upcoming obligations or when regulatory changes occur.
- SOC 2 Readiness Tools: While SOC 2 is an attestation report (not a certification) based on AICPA's Trust Services Criteria, it is often a baseline requirement from enterprise clients. Platforms like Drata and Vanta can help automate evidence collection for security controls, which also supports compliance with the control requirements under NIS2 and DORA. Contact these vendors for pricing.
Monitoring and Testing
- Conduct Regular Incident Response Tabletop Exercises: Test your updated IRP quarterly, including scenarios involving third-party failures. Involve legal and communications teams to practice reporting workflows.
- Perform Threat-Led Penetration Testing (TLPT): DORA specifically requires financial entities to undergo TLPT (similar to red teaming) at least every three years. Start planning for this now.
- Audit Third-Party Compliance: For your most critical vendors, move beyond questionnaires to request independent audit reports like SOC 2 Type II or ISO/IEC 27001:2022 certificates. ISO 27001 is an international, certifiable standard for Information Security Management Systems.
Common Pitfalls to Avoid
- Treating Regulations in Silos: Avoid creating separate programs for FCA, NIS2, and DORA. Integrate them into a unified cyber resilience and operational resilience framework.
- Underestimating Third-Party Risk: Do not assume large, brand-name vendors are secure. The Marquis-SonicWall chain shows risk exists at all levels. Conduct due diligence proportionate to the vendor's access and criticality.
- Focusing Only on Direct Reporting: Remember that your obligation includes ensuring your critical vendors can and will notify you of incidents affecting your data or services promptly, so you can meet your own reporting deadlines.
- Neglecting Documentation: In the event of an audit or investigation, regulators will expect a clear audit trail of decisions, risk assessments, and actions taken. Automate evidence collection where possible.
Frequently Asked Questions (FAQ)
How do the FCA rules differ from NIS2 and DORA?
The FCA rules are specific to firms it regulates in the UK, focusing on reporting clarity. NIS2 is an EU directive (transposed into national law) with a broad sectoral scope, emphasizing baseline security and incident reporting. DORA is an EU regulation directly applicable to financial entities, providing a comprehensive, sector-specific rulebook for digital operational resilience, including strict third-party and testing rules. A UK firm with EU operations may need to comply with all three.
What is the difference between an incident report under these rules and a personal data breach report under GDPR?
They are related but distinct. A cyber incident report under FCA/NIS2/DORA focuses on the operational impact, disruption, and threat to the integrity of financial services. A GDPR personal data breach notification (required within 72 hours to a supervisory authority under Article 33) is triggered specifically by a breach of personal data confidentiality. The same event may require both reports, but with potentially different content and sent to different authorities.
Are there tools to help manage compliance across these frameworks?
Yes. Governance, Risk, and Compliance (GRC) platforms can be invaluable. For example, AIGovHub's platform is designed to track regulatory intelligence across domains like cybersecurity, providing a centralized view of obligations from FCA, NIS2, DORA, and others. It can help automate control mapping, deadline tracking, and alerting, reducing the manual burden on compliance teams. For more on managing multi-framework compliance, see our guide on governance for emerging technologies.
What are the penalties for non-compliance?
Penalties are severe. NIS2 allows for fines up to EUR 10 million or 2% of global annual turnover for essential entities. DORA grants national authorities powers to impose administrative penalties. The FCA has its own enforcement powers, including unlimited fines. Beyond fines, the reputational damage and loss of customer trust, as seen in the Marquis case, can be devastating.
Next Steps and Conclusion
The convergence of FCA, NIS2, and DORA requirements marks a new, more demanding chapter for cybersecurity and operational resilience in finance. Compliance is not a one-time project but requires an integrated, ongoing program centered on proactive risk management, robust vendor oversight, and tested incident response capabilities.
Start by conducting a gap analysis against the anticipated FCA rules and the hard deadlines of NIS2 (applicable now) and DORA (applicable from 17 January 2025). Prioritize updating your incident response plan and third-party risk management framework. Leverage technology to automate monitoring, evidence collection, and regulatory tracking.
To stay ahead of these evolving requirements and automate your compliance tracking, explore AIGovHub's regulatory intelligence platform. It provides real-time updates on FCA, NIS2, DORA, and other global regulations, helping you ensure continuous compliance and focus on building genuine resilience.
This content is for informational purposes only and does not constitute legal advice.