FCA Operational Resilience: IT That Meets the Regulatory Standard

Full compliance has been required since March 2025. Your important business services must operate within impact tolerances, and your IT infrastructure is the foundation that makes that possible.

Key Requirements

Identify Important Business Services

You must identify and document the services your firm provides that, if disrupted, could cause harm to consumers, market integrity, or the firm's safety and soundness. IT systems underpinning these services become critical dependencies.

Set Impact Tolerances

For each important business service, you must define the maximum tolerable level of disruption. This is expressed as a time limit — for example, a trading platform must be restored within two hours. Your IT infrastructure must be designed to meet these tolerances.

Scenario Testing

Firms must conduct regular scenario testing to verify they can remain within impact tolerances during severe but plausible disruptions. Tests must cover technology failures, cyber attacks, third-party provider outages, and data integrity events.

Mapping Dependencies

Every resource that supports an important business service must be mapped, including IT systems, data assets, third-party providers, facilities, and key personnel. The mapping must be detailed enough to identify single points of failure.

Continuous Self-Assessment

Operational resilience is not a one-off project. The FCA expects firms to continuously review and improve their resilience capabilities, updating impact tolerances, dependency maps, and testing programmes as the business and threat landscape evolve.

Board and Senior Management Accountability

The board must own the firm's operational resilience strategy. Senior managers under the SM&CR regime are individually accountable for ensuring important business services remain within impact tolerances.

The Compliance Deadline Has Passed

The FCA’s operational resilience framework is no longer a future obligation. Since 31 March 2025, every FCA-regulated firm must be able to demonstrate that its important business services can remain within defined impact tolerances during severe but plausible disruptions.

The three-year transition period that began in March 2022 is over. Firms that treated this as a documentation exercise, identifying services and setting tolerances on paper without investing in the underlying technology resilience, are now exposed. The FCA has been clear: it expects operational resilience to be demonstrated, not just described.

For most financial services firms, the technology infrastructure managed by their IT provider is the single largest determinant of whether important business services remain within tolerance during a disruption. If your IT goes down, your business services go down with it.

What the FCA Actually Expects

The framework is built on a straightforward logic chain.

First, identify the services your firm provides that matter most. These are services whose disruption would cause harm to consumers, threaten market integrity, or compromise the firm’s safety and soundness. For a wealth manager, this might be client portfolio access and trade execution. For a payment firm, it is transaction processing. For an advisory firm, it could be regulatory reporting and client communication.

Second, set impact tolerances for each service. An impact tolerance is the maximum period of disruption the firm can absorb before harm becomes intolerable. This is not a recovery time objective buried in an IT disaster recovery plan. It is a board-level commitment that defines how quickly a service must be restored.

Third, map every dependency that supports each important business service. IT systems, data stores, cloud platforms, network connectivity, third-party providers, physical facilities, and key personnel must all be documented. The mapping must be granular enough to identify single points of failure and concentration risks.

Fourth, test whether you can actually stay within tolerance. Scenario testing must cover technology failures, cyber attacks, third-party outages, and data integrity events. Tests must be realistic, documented, and repeated regularly. Results must drive improvement.

Fifth, keep improving. The FCA does not expect perfection. It expects a credible, ongoing programme of resilience improvement informed by testing, incidents, and changes to the business.
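As an added illustration, not part of the original page or of Nerdster's tooling, the constructed Python model below walks the five-step chain above: it maps each important business service to its transitive IT dependencies, flags single points of failure and concentration risks, and checks the worst-case tested restore time against the board-set impact tolerance. All component names, tolerances and timings are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    restore_minutes: int            # tested time to restore (or fail over) after failure
    redundant: bool = False         # True when a failover instance exists
    depends_on: list[str] = field(default_factory=list)

@dataclass
class Service:
    name: str
    tolerance_minutes: int          # impact tolerance agreed at board level
    depends_on: list[str] = field(default_factory=list)

def transitive_dependencies(roots, components):
    """Every component reachable from roots via depends_on edges (cycle-safe)."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(components[name].depends_on)
    return seen

def assess(service, components):
    """Worst single-component failure vs tolerance, plus SPOFs and breaching deps."""
    deps = transitive_dependencies(service.depends_on, components)
    worst = max(components[d].restore_minutes for d in deps)
    return {
        "within_tolerance": worst <= service.tolerance_minutes,
        "worst_case_minutes": worst,
        "single_points_of_failure": sorted(d for d in deps if not components[d].redundant),
        "breaching_dependencies": sorted(
            d for d in deps if components[d].restore_minutes > service.tolerance_minutes),
    }

def concentration_risks(services, components):
    """Components shared by more than one important business service."""
    counts = {}
    for s in services:
        for d in transitive_dependencies(s.depends_on, components):
            counts[d] = counts.get(d, 0) + 1
    return sorted(d for d, n in counts.items() if n > 1)

# Constructed sample map (hypothetical firm); restore times come from tested recovery, not guesses.
COMPONENTS = {c.name: c for c in [
    Component("trading-app", 30, redundant=True, depends_on=["orders-db", "market-data-feed"]),
    Component("orders-db", 45, depends_on=["san-storage"]),
    Component("market-data-feed", 240),          # single third-party provider, no alternative
    Component("san-storage", 90),
    Component("reporting-app", 60, depends_on=["orders-db"]),
]}
SERVICES = [Service("trade-execution", 120, ["trading-app"]),
            Service("regulatory-reporting", 480, ["reporting-app"])]
```

Running `assess(SERVICES[0], COMPONENTS)` shows trade execution breaching its two-hour tolerance because the sole market-data provider takes four hours to restore, which is exactly the kind of third-party single point of failure the mapping step is meant to surface.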

Where IT Infrastructure Meets Regulatory Expectation

Most important business services depend on a chain of technology components: servers, networks, cloud platforms, applications, data backups, and the security controls protecting all of them. When the FCA asks whether you can restore a service within your impact tolerance, it is really asking whether your IT infrastructure can recover that quickly.

This means your managed IT provider is not just a vendor. It is a critical dependency in your regulatory compliance programme.

The monitoring that detects a failure in minutes rather than hours directly reduces your time to recovery. The backup and disaster recovery capability that restores data to a known good state determines whether you can recover at all. The incident management process that classifies, escalates, and resolves issues in a structured way produces the evidence your compliance team needs when the FCA asks questions.

Ad-hoc IT support arrangements, where problems are fixed reactively and documentation is an afterthought, are fundamentally incompatible with the FCA’s operational resilience expectations.

How Nerdster Supports Your Resilience Programme

We work with FCA-regulated firms across London to ensure the technology layer of their operational resilience programme is robust, tested, and documented.

Our approach begins with dependency mapping. We document every IT system, application, and third-party service that supports your important business services. We identify single points of failure and concentration risks, then design remediation plans to address them.

We implement monitoring and alerting aligned to your impact tolerances. If your tolerance for a client-facing platform is four hours, our alerting is configured to escalate within minutes of an issue, not hours. Our incident management process is designed to classify disruptions against your defined tolerances and trigger the appropriate response.

We design and maintain disaster recovery capabilities that are tested against your specific scenario requirements. Tabletop exercises, technical failover tests, and full recovery simulations are scheduled and documented. When your compliance team needs evidence that recovery capabilities work, the test results are current and accessible.

We also provide the documentation and reporting that boards and senior managers need to discharge their SM&CR responsibilities. Quarterly resilience reports cover incident trends, testing outcomes, dependency changes, and improvement actions.

The FCA’s operational resilience framework and DORA share common ground. Firms that build a robust IT resilience capability once, designed to meet both frameworks, avoid duplicating effort and cost. We help you build that unified foundation.

Frequently asked questions

When did FCA operational resilience rules become fully enforceable?

The FCA's operational resilience framework became fully enforceable on 31 March 2025. Firms were given a three-year transition period from March 2022 to identify important business services, set impact tolerances, and build the capability to remain within them. There is no further transition period — firms must now demonstrate compliance on an ongoing basis.

How does FCA operational resilience relate to DORA?

The FCA's framework and DORA share the same underlying principle: financial firms must be able to withstand, respond to, and recover from operational disruptions. DORA is more prescriptive about ICT-specific requirements including incident reporting timeframes, third-party contract clauses, and resilience testing methodologies. Firms subject to both must align their programmes, and the UK-EU MoU signed in January 2026 supports regulatory cooperation between the regimes.

What counts as an important business service?

An important business service is one whose disruption could cause intolerable harm to consumers, market integrity, or firm safety and soundness. Examples include client order execution, payment processing, client reporting, custody and safeguarding of assets, and regulatory reporting. The firm determines which services qualify, but the FCA expects rigorous justification.

What scenario tests does the FCA expect?

Scenario tests must cover severe but plausible disruptions including major IT system failures, successful cyber attacks, critical third-party provider outages, loss of key facilities, and data corruption events. Tests should be conducted regularly, with results documented and used to drive improvement.

How does managed IT support our operational resilience programme?

Your managed IT provider controls the technology layer that underpins most important business services. Proactive monitoring, documented recovery procedures, tested backup and disaster recovery capabilities, and structured incident management directly support your ability to remain within impact tolerances.

What happens if we cannot stay within our impact tolerances?

If a disruption exceeds your stated impact tolerances, the FCA will examine whether the firm had taken reasonable steps to build resilience. Failures to identify important business services, inadequate testing, or insufficient investment in technology resilience can result in supervisory action, including enforcement proceedings under the SM&CR.

Need compliance guidance?

Book a free compliance review and we'll assess your readiness against the latest requirements.