The Financial Conduct Authority's (FCA) operational resilience framework continues to evolve, and 2025 marks a critical inflection point for UK financial services firms of all sizes. If you're running a professional services firm, legal practice, or financial advisory business in London, the FCA's 2025 operational resilience requirements directly affect how you must operate, from IT infrastructure to incident response protocols. What changed, what's staying, and what your organisation needs to do now forms the core of this guide for SMBs that cannot afford to fall behind on regulatory compliance.
Understanding the FCA's Operational Resilience Regime
Operational resilience is no longer a "nice to have" addition to your compliance checklist. The FCA's framework, which took effect in phases from 2021 onwards, requires authorised firms to demonstrate they can withstand, adapt to, and recover from operational disruptions—without breaching regulatory requirements or causing harm to consumers and markets.
For London-based SMBs, this means three core pillars:
- Impact tolerances: You must define the maximum acceptable level of harm from operational disruptions (measured in time, financial loss, or reputational damage)
- Scenario testing: Regular stress-testing of your ability to survive operational shocks (cyber attacks, data centre failures, key staff absence)
- Recovery capabilities: Documented, tested plans to restore critical operations within your defined impact tolerances
What makes 2025 different is not necessarily new rules, but enforcement intensity. The FCA has shifted from a "learning phase" to active, detailed scrutiny. Firms that have treated operational resilience as a box-ticking exercise rather than a business imperative are now facing heightened supervisory attention.
Key Changes and Clarifications for 2025
Enhanced Expectations on Cyber Resilience
The FCA has made explicit that cyber resilience sits at the heart of operational resilience. This isn't limited to having a cybersecurity policy; it extends to demonstrating that your digital infrastructure—and the third-party providers who support it—can withstand and recover from sophisticated attacks.
Specifically, the FCA expects:
- Documented evidence of vulnerability assessments and penetration testing, conducted at least annually
- Clear incident response playbooks tested against realistic threat scenarios
- Defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems
- Proof that your team (or external partners, such as managed IT providers) can execute recovery within these windows under pressure
For professional services and legal firms, this often means revisiting third-party IT arrangements. If you're relying on shared cloud services, an outsourced helpdesk, or managed IT support, you need contractual certainty about their resilience commitments and regular assurance that they're meeting them.
Third-Party Dependency Mapping
Another area where the FCA has tightened scrutiny is third-party risk. If your firm depends on external providers—whether cloud platforms, payment processors, or managed IT providers—you must have a clear, up-to-date map of these dependencies and be able to articulate the impact if each fails.
Many SMBs have found this harder than expected. Unlike large banks with dedicated third-party risk teams, smaller firms often discover they don't have a single, authoritative view of their critical suppliers. This year, the FCA expects better.
Board and Senior Management Accountability
The FCA has reinforced that operational resilience is not a compliance team responsibility; it sits with the board and senior management. Directors and partners must be able to demonstrate personal understanding of their organisation's impact tolerances and resilience posture. Generic delegation to IT or compliance functions will not satisfy regulatory scrutiny.
Practical Steps for London SMBs in 2025
Step 1: Define Your Impact Tolerances
Before you build anything, define what you are protecting. Work with your leadership team to answer: What operational disruptions would breach our regulatory or client-facing commitments? How long can critical systems be down? What financial loss is unacceptable? What reputational damage would harm our licence?
Document these in writing. They should be specific, measurable, and clearly linked to your business model. A legal firm's tolerance for a document management system outage differs vastly from a financial adviser's tolerance for email disruption.
Step 2: Conduct a Resilience Baseline Assessment
Map your critical processes and the systems, people, and third parties they depend on. Identify gaps between your current capabilities and your impact tolerances. This is often the moment when firms realise their business continuity plans are outdated, untested, or exist only on a hard drive in someone's office.
Many organisations find it helpful to engage external expertise at this stage—not to avoid responsibility, but to bring fresh eyes and benchmarking. Firms like VantagePoint Networks can help map these dependencies and identify resilience risks that internal teams might have normalised over time.
Step 3: Test Under Realistic Conditions
The FCA expects scenario testing, and it must be genuine. This means simulating outages and disruptions that are plausible for your threat landscape. A professional services firm in London should test scenarios like:
- Loss of access to your primary office building (flooding, fire, security lockdown)
- Failure of your email or document management platform for 24–48 hours
- Key staff member(s) suddenly unavailable
- Ransomware affecting your critical data or systems
Desktop exercises are a starting point; full simulations—where teams actually try to recover systems—are more credible and more useful. Test results should be documented and findings should drive tangible improvements to your resilience posture.
Step 4: Strengthen Your Third-Party Assurance
Review your contracts with critical IT, cloud, and professional service providers. Ensure they include:
- Explicit recovery time objectives aligned to your impact tolerances
- Notification and escalation procedures for incidents
- Rights to audit and assurance (such as SOC 2 or ISO 27001 certificates)
- Defined handover procedures if the relationship ends
Don't simply collect certificates; verify they're current and actually relevant to the services you use. A managed IT provider's ISO 27001 certification is only valuable if it covers the specific infrastructure and services supporting your critical systems.
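Steps 1, 2 and 4 together amount to a simple check: record each critical process's impact tolerance, map the systems and suppliers it depends on (including their own upstream suppliers), and compare what that chain can actually deliver against the tolerance. The following is an added example, not code from the original article or from VantagePoint Networks, that performs that comparison over a constructed dependency map. All firm, service and supplier names and every RTO/RPO figure in it are made up for illustration; it assumes the conservative case that recovery is serial, meaning a supplier must be restored before the service that depends on it can be.

```python
"""Impact-tolerance gap check over a dependency map (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Service:
    """A system or supplier the firm depends on: its committed recovery time
    objective and recovery point objective (hours) and its upstream dependencies."""
    name: str
    rto_hours: float
    rpo_hours: float
    depends_on: List[str] = field(default_factory=list)


@dataclass
class CriticalProcess:
    """A critical business process and the firm's impact tolerance for it:
    the longest outage and the most data loss it can absorb (hours)."""
    name: str
    tolerance_hours: float
    max_data_loss_hours: float
    depends_on: List[str] = field(default_factory=list)


def effective_rto(name: str, services: Dict[str, Service],
                  seen: Optional[Set[str]] = None) -> float:
    """Worst-case restore time for a service: its own RTO plus the slowest
    chain of upstream services (assumes serial recovery, the conservative case).
    Raises ValueError on a circular dependency and KeyError on an unmapped one."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"circular dependency via '{name}'")
    if name not in services:
        raise KeyError(name)
    svc = services[name]
    upstream = [effective_rto(d, services, seen | {name}) for d in svc.depends_on]
    return svc.rto_hours + (max(upstream) if upstream else 0.0)


def assess(process: CriticalProcess, services: Dict[str, Service]) -> List[str]:
    """One finding per gap between the process's impact tolerance and what
    its dependency chain can deliver, including dependencies nobody has mapped."""
    findings: List[str] = []
    for dep in process.depends_on:
        if dep not in services:
            findings.append(f"{process.name}: dependency '{dep}' is not in the dependency map")
            continue
        try:
            rto = effective_rto(dep, services)
        except ValueError as exc:
            findings.append(f"{process.name}: {exc}")
            continue
        except KeyError as exc:
            findings.append(f"{process.name}: upstream dependency {exc} of '{dep}' "
                            "is not in the dependency map")
            continue
        if rto > process.tolerance_hours:
            findings.append(f"{process.name}: '{dep}' worst-case restore {rto:g}h "
                            f"exceeds impact tolerance {process.tolerance_hours:g}h")
        if services[dep].rpo_hours > process.max_data_loss_hours:
            findings.append(f"{process.name}: '{dep}' RPO {services[dep].rpo_hours:g}h "
                            f"exceeds maximum data loss {process.max_data_loss_hours:g}h")
    return findings


# Constructed sample data: a hypothetical London legal practice, not a real firm.
SERVICES: Dict[str, Service] = {
    "document_management": Service("document_management", 8, 1, ["cloud_hosting"]),
    "cloud_hosting": Service("cloud_hosting", 24, 4),          # supplier's contractual RTO
    "email": Service("email", 4, 0.5, ["identity_provider"]),
    "identity_provider": Service("identity_provider", 2, 0.25),
}

PROCESSES = [
    CriticalProcess("Client matter work", 24, 2, ["document_management", "email"]),
    CriticalProcess("Client payments", 4, 0.5, ["payment_processor"]),  # never mapped
]


def run_assessment() -> Dict[str, List[str]]:
    """Assess every critical process against the dependency map."""
    return {p.name: assess(p, SERVICES) for p in PROCESSES}


if __name__ == "__main__":
    for process_name, gaps in run_assessment().items():
        print(process_name, "->", gaps or ["within tolerance"])
```

Two things fall out of running it that the prose only describes. The document management platform's own 8-hour RTO looks comfortably inside a 24-hour tolerance until the hosting supplier's 24-hour commitment beneath it is added, which is exactly the second-layer supplier question the FCA is now asking. And the payments process fails the check not because a supplier is slow but because nobody recorded the dependency at all, which is the "no single authoritative view of critical suppliers" problem most SMBs discover during the baseline assessment.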
Step 5: Embed Resilience into Your Governance
Operational resilience should be a standing agenda item at board or partnership meetings. Report on testing results, remediation actions, and any changes to your resilience posture. This demonstrates to the FCA (and to yourselves) that resilience is a genuine business priority, not compliance theatre.
Looking Ahead: What Comes Next
The FCA's operational resilience regime is maturing. In 2025 and beyond, expect:
- More detailed supervisory conversations: The FCA will move beyond tick-box reviews and engage in deeper discussions about your actual resilience practices
- Tighter third-party scrutiny: Expect the FCA to ask about your suppliers' suppliers—second-layer third-party risk is increasingly on the radar
- Scenario-based enforcement: Firms that fail to recover from disruptions within their stated impact tolerances may face enforcement action, even if no regulatory rule was technically breached
- ESG integration: Climate resilience (disruptions from extreme weather, physical location risk) is becoming part of operational resilience conversations
The window for treating operational resilience as a compliance afterthought has definitively closed. Firms that take it seriously now—that invest in mapping, testing, and governance—will navigate 2025 with confidence. Those that don't will face increasingly uncomfortable questions from regulators, and worse, will be caught unprepared when disruption inevitably strikes.
VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.