What the Ongoing Phase Means for Your Firm


Date: 13 July 2026

Featured Image

The deadline has been and gone. On 31 March 2025, the transitional period under the FCA’s operational resilience rules (PS21/3) and the PRA’s Supervisory Statement SS1/21 came to an end. By that date, in-scope firms were expected to have identified their important business services, set impact tolerances, completed mapping and scenario testing, and be able to remain within those tolerances through severe but plausible disruption.

So the work is done, right?

Not quite. The end of the transition period was not the finish line. It was the starting gun for what the regulators call the ongoing operational phase. And a year and more into that phase, the FCA has made two things very clear: It is actively reading firms’ self-assessments, and it is not always liking what it finds. In this article, we look at what the ongoing phase actually requires, what the FCA’s 2026 findings tell us, and what’s coming next.

A Quick Recap: What PS21/3 and SS1/21 Require

The UK operational resilience regime, established by FCA Policy Statement PS21/3 (“Building operational resilience”) and PRA Supervisory Statement SS1/21, is built on a handful of deceptively simple requirements. In-scope firms must:

  • Identify important business services (IBS): The services whose disruption could cause intolerable harm to clients or threaten market integrity, viewed from the consumer’s perspective, not the firm’s.
  • Set impact tolerances: The maximum tolerable level of disruption for each important business service.
  • Map dependencies: The people, processes, technology, facilities, information and third parties each service relies on.
  • Test against severe but plausible scenarios: Proving the firm can remain within its impact tolerances when things go badly wrong.
  • Maintain a self-assessment: A living document, reviewed at least annually and after material change, that the board owns and the regulator expects to be able to read.

The rules came into force on 31 March 2022. The three-year transition ended on 31 March 2025. From that point, firms moved from building their resilience programme to running it.

The Ongoing Phase: From Plan to Proof

The single biggest shift in the ongoing phase is this: the regulator no longer wants to see a plan — it wants to see a functioning programme with evidence behind it.

In practice, the ongoing phase means:

  • Mapping, testing and self-assessment must be kept current. A self-assessment last touched in March 2025 is already a red flag. Material changes — a new platform, a migration, an acquisition, a significant new third party — should trigger an update.
  • Scenario testing must keep maturing. The FCA has repeatedly signalled that testing should evolve from judgement-based discussion towards more empirical, evidenced testing, and should extend to the third parties that underpin important business services.
  • Vulnerabilities must be remediated, not just recorded. Remediation plans are expected to be approved, funded and governed — and closure evidenced through re-testing, not assertion.
  • The board must own it. Boards are expected to review and approve the self-assessment, and to be able to demonstrate that they have genuinely engaged with it.

Resilience, in other words, is no longer a project. It’s a discipline — and one the regulator is now inspecting.

What the FCA Found One Year On (March 2026)

In March 2026, roughly a year after the transition period closed, the FCA published its observations from reviewing firms’ annual operational resilience self-assessments — a mix of good practice and pointed criticism.

Where firms are doing well:

  • Strong engagement with the regime overall, with clear methodologies and rationale for defining important business services and setting impact tolerances at the better-prepared firms.
  • Genuine investment in resilience capability, with many firms treating the rules as a prompt to rethink risk rather than a box-ticking exercise.

Where firms are falling short:

  • Incomplete third-party and dependency mapping: Firms that understand their direct suppliers but not their suppliers’ suppliers, leaving concentration risk invisible.
  • Scenario testing that isn’t severe enough: Comfortable scenarios that firms know they can pass, rather than the severe-but-plausible disruptions the rules demand.
  • Stale self-assessments: Documents that contain all the required sections but lack substantive content, or that haven’t been meaningfully updated since the deadline.
  • Impact tolerances stated without justification: Numbers on a page with no evidenced rationale behind them.

The FCA has also pointed to recent real-world events as exactly the kind of scenarios firms should be testing against: major cloud-provider outages affecting the sector, and high-profile cyber attacks on household-name organisations in other industries. These aren’t theoretical tail risks any more. They’re last year’s news — and next year’s test.

The uncomfortable question for every board: If the FCA read your self-assessment tomorrow, would it read as evidence of a living programme — or as a compliance artefact frozen in March 2025?

What’s Coming Next: Incident and Third-Party Reporting from March 2027

The regime is not standing still. In March 2026, the FCA, PRA and Bank of England published final rules creating a single, unified framework for operational incident reporting and material third-party reporting (FCA PS26/2 with guidance FG26/3 and FG26/4; PRA PS7/26 and SS1/26). The new rules apply from 18 March 2027 — and the regulators have been explicit that the twelve-month runway is for preparing, not waiting.

In summary, the new regime will:

  • Define an “operational incident” with common FCA/PRA thresholds, and require an initial report as soon as practicable — generally within 24 hours of determining a threshold is met. Notably, an incident doesn’t need to affect an important business service to be reportable.
  • Introduce standard and enhanced reporting tiers, with larger and more complex firms providing intermediate updates and a comprehensive final report after resolution.
  • Require firms to notify the regulator of new or significantly changed material third-party arrangements — a definition that goes wider than traditional outsourcing.
  • Require an annual register of material third-party arrangements, submitted to the FCA.

This lands on top of the critical third parties regime (PS16/24), which addresses concentration risk at sector level, and — for firms with EU operations, group entities or ICT services to EU financial entities — the EU’s Digital Operational Resilience Act (DORA), which has applied since January 2025.

The direction of travel is unmistakable: regulators want continuous, evidenced visibility of how resilient firms actually are, with third-party dependency and concentration risk squarely in the spotlight.

What Firms Should Do Now

If the ongoing phase has a to-do list, it looks like this:

  1. Refresh the self-assessment — properly. Not a date change on the cover. Re-examine important business services, impact tolerances and their justification in light of the past year.
  2. Pressure-test your scenario testing. Would your scenarios survive the FCA’s “severe but plausible” test? Have you tested against a major cloud outage or a third-party ransomware event — the scenarios the regulator is now explicitly pointing at?
  3. Map the dependencies you’d rather not look at. Concentration on single platforms, single suppliers and shared services is now a supervisory priority across PS21/3, PS16/24 and the incoming third-party reporting regime. Find these dependencies before the regulator asks about them — or before they fail.
  4. Get ahead of March 2027. Audit which third-party arrangements would count as “material” under the new rules, and test whether your incident processes could determine reportability and produce a defensible report within 24 hours, under pressure.
  5. Measure your resilience — don’t assume it. Documentation proves you have a programme on paper. Only assessment proves the capability behind it.

From Compliance Evidence to Genuine Resilience

Here’s the trap in the ongoing phase: it’s entirely possible to maintain a compliant-looking self-assessment while your actual resilience quietly degrades — platforms age, dependencies accumulate, key people leave, and testing drifts towards the comfortable.

That’s why the most resilient firms treat measurement, not documentation, as the heartbeat of the ongoing phase.

If you’ve run cyber tabletop exercises, you’ve tested how your people respond on the day. The next step is measuring the underlying resilience beneath that response — and translating it into terms your board can act on. 

That’s precisely what our Operational Resilience Assessment is built for: a single facilitated session with your operational and board-level owners that produces a board-ready view of how resilient your critical services really are. They are scored on a five-level maturity model, mapped to your growth objectives, signposted against FCA/PRA expectations (and EU DORA where relevant), and delivered with a prioritised 12-month roadmap that drops straight into your risk register and your next self-assessment.

For the detailed technical picture behind the same findings, the evidence your IT teams need to remediate, its companion, the Technical Resilience Assessment, engages the people who build, run and recover your critical systems.

In the ongoing phase, the firms that thrive won’t be the ones with the thickest self-assessment. They’ll be the ones who can show, with evidence, that they measured their resilience, invested where it mattered, and matured — year after year.

Book a Scoping Call with us today to help us understand your exact needs. One short conversation, one measured baseline, one defensible story for your board and your regulator.

FCA Operational Resilience: Frequently Asked Questions 

1. Did the FCA operational resilience deadline pass in March 2025?

Yes. The three-year transitional period under FCA PS21/3 and PRA SS1/21 ended on 31 March 2025. By that date, in-scope firms had to have identified their important business services, set impact tolerances, completed mapping and scenario testing, and be able to remain within tolerances through severe but plausible disruption. The end of transition was not the finish line — it marked the start of the ongoing operational phase, in which the regulator expects a functioning, evidenced programme rather than a plan.

2. What is the “ongoing phase” of operational resilience?

The ongoing phase is the period after 31 March 2025 in which firms must run their resilience programme, not just build it. Mapping, testing and the self-assessment must be kept current; scenario testing must keep maturing towards more empirical, evidenced approaches; vulnerabilities must be remediated and closure evidenced through re-testing; and the board must own and genuinely engage with the self-assessment. In short, the regulator now wants proof of resilience, not documentation of intent.

3. What did the FCA find when it reviewed firms’ self-assessments in 2026?

In March 2026 — about a year after transition closed — the FCA published observations from reviewing firms’ annual self-assessments. On the positive side, it saw strong engagement, clear methodologies for defining important business services, and genuine investment in resilience. Its main criticisms were incomplete third-party and dependency mapping, scenario testing that wasn’t severe enough, stale self-assessments with sections but little substance, and impact tolerances stated without evidenced justification. The FCA pointed to recent cloud-provider outages and high-profile cyber attacks as exactly the kind of scenarios firms should be testing against.

4. What is changing with incident and third-party reporting from March 2027?

In March 2026 the FCA, PRA and Bank of England published final rules for a unified operational incident and material third-party reporting framework (FCA PS26/2 with FG26/3 and FG26/4; PRA PS7/26 and SS1/26), applying from 18 March 2027. The rules define an “operational incident” with common thresholds and require an initial report as soon as practicable — generally within 24 hours of determining a threshold is met, even where no important business service is affected. There are standard and enhanced reporting tiers, a requirement to notify new or significantly changed material third-party arrangements, and an annual register of material third-party arrangements submitted to the FCA.

5. Does an incident have to affect an important business service to be reportable?

No. Under the incoming PS26/2 framework, an operational incident can be reportable even if it does not affect an important business service, provided it meets the common FCA/PRA thresholds. This is a notable widening of scope, and firms should test whether their incident processes can determine reportability and produce a defensible report within 24 hours under pressure.

6. How does DORA relate to the UK operational resilience regime?

The EU’s Digital Operational Resilience Act (DORA) has applied since January 2025 and is relevant to firms with EU operations, group entities, or those providing ICT services to EU financial entities. It sits alongside the UK regime (PS21/3, the critical third parties regime PS16/24, and the incoming PS26/2 reporting rules). Dual-exposed firms need to reconcile both frameworks rather than treat them in isolation.

7. What should firms do now in the ongoing phase?

Refresh the self-assessment substantively rather than changing the cover date; pressure-test scenarios against severe-but-plausible events like a major cloud outage or third-party ransomware; map concentration and dependency risk before the regulator asks; audit which third-party arrangements would count as “material” under the March 2027 rules; and measure resilience rather than assume it. Documentation proves you have a programme on paper, only assessment proves the capability behind it.





Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


As summer starts approaching fast, you have probably gotten your backyard all ready for people to come and hang out, or just for yourself to spend some time in the sun. However, even when everything is set up, you may realize your Wi-Fi signal strength isn’t the best out there.

In today’s digital era, this can be a major headache, especially if your home does not have a strong cellular signal either. Luckily, there is a way to extend your Wi-Fi to your backyard without buying an expensive mesh system.

The backyard is a Wi-Fi dead zone

My backyard was a graveyard for any Wi-Fi signal

If you’re like me, you have really great Wi-Fi inside your house that is fast and reliable. No matter where you are, you seem to have a strong connection that lets you browse the web and watch content.

Phone with poor cellular service on the desk while listening to music by Avril Lavigne. Credit: Nathaniel Pangaro / How-To Geek

However, when you step outside and walk a few feet into your backyard, that Wi-Fi signal disappears. Even worse, you may also be in an area with poor cellular service.

When looking for ways to fix this, many suggestions point to a mesh router setup. However, these can be expensive and often come with only a limited number of units per box. Furthermore, adding more would incur additional costs.

Additionally, when considering mesh routers, I thought about how I would incorporate them into my backyard. While I could plug one into an outlet outside, I was concerned that exposure to severe weather could damage it, even if it were under an overhang or in a gazebo.

This led me to find another workaround: repurposing my old router as an access point to extend my Wi-Fi to the backyard. This allowed me to use something I already had collecting dust and give it a new purpose.

Quiz
8 Questions · Test Your Knowledge

Mesh WiFi networks: history, tech, future
Trivia challenge

From military roots to whole-home coverage — how well do you really know mesh WiFi?

HistoryTechnologyBrandsFuture TechFun Facts

The concept of mesh networking was originally developed for use in which field before it reached consumer homes?

Correct! Mesh networking grew out of military research, particularly DARPA-funded projects aimed at creating self-healing, decentralized communications that could survive partial network destruction. The idea was that if one node went down, traffic would reroute automatically — a very useful feature on a battlefield.

Not quite. Mesh networking has its roots in military and DARPA-funded research, designed to create resilient, self-healing communications networks for battlefield use. The decentralized nature meant no single point of failure — a concept that later translated beautifully to home WiFi coverage.

What is the primary technical difference between a traditional WiFi extender and a true mesh WiFi system?

Spot on! True mesh systems use a dedicated backhaul — often a separate radio band — exclusively for node-to-node communication. This keeps the bandwidth used by your devices separate from the bandwidth used to pass data between nodes, resulting in far less congestion and much better performance than a traditional extender.

Not quite. The key differentiator is that true mesh systems use a dedicated backhaul channel between nodes, keeping device traffic and inter-node traffic separate. Traditional extenders reuse the same band for both, effectively halving available bandwidth — which is why they often disappoint in practice.

Which company is widely credited with popularizing consumer mesh WiFi when it launched its first product in 2015?

Correct! Eero launched in 2015 as one of the first consumer-focused mesh WiFi systems and essentially kicked off the home mesh revolution. Its simple app-based setup and attractive hardware stood out in a market dominated by ugly router boxes covered in antennas. Amazon later acquired Eero in 2019.

Not quite — Eero gets the credit here. Founded in 2014 and launched to consumers in 2015, Eero was a pioneer in making mesh WiFi accessible and appealing to everyday users. Its clean design and smartphone-based setup felt revolutionary compared to traditional router management interfaces.

A mesh WiFi network behaves similarly to which surprisingly ancient human communication system?

Great analogy — and you got it! Mesh networking mimics the way gossip spreads: each node receives information and passes it along to the nearest neighbor, with multiple paths available if one route is blocked. Computer scientists actually call one mesh routing method ‘gossip protocol’ for exactly this reason.

Fun guess, but the best analogy is gossip spreading through a village. In mesh networking, data hops from node to node along the best available path — just like a rumor finding its way through a crowd. Computer scientists even formally named one routing approach ‘gossip protocol’ in honor of this similarity.

WiFi 6E and WiFi 7 mesh systems introduced support for which frequency band that older mesh hardware cannot use?

Correct! WiFi 6E opened up the 6 GHz band for consumer use, giving mesh systems a much less congested slice of spectrum to use — especially valuable as a clean, fast backhaul channel. WiFi 7 expands on this further with multi-link operation, letting devices use multiple bands simultaneously.

The answer is 6 GHz. WiFi 6E was a significant leap because it unlocked the 6 GHz band — a largely empty, high-capacity range of spectrum that dramatically reduces interference, especially in apartment buildings packed with competing networks. Mesh systems use it as a super-clean backhaul highway.

Before dedicated mesh systems existed, some creative users built their own mesh-like home networks using open-source firmware called what?

Well done! DD-WRT was the go-to open-source router firmware for enthusiasts who wanted to squeeze extra performance and features out of consumer routers — including running multiple routers in coordinated configurations that resembled mesh behavior. It’s still actively developed today and has a devoted following.

Not quite — the answer is DD-WRT. This legendary open-source firmware let tech-savvy users replace the factory software on routers from brands like Linksys and Netgear, unlocking advanced features including multi-router setups that approximated mesh networking years before polished consumer mesh products existed.

Which emerging concept would take mesh networking beyond the home and create a massive, self-organizing internet built from billions of everyday devices?

Exactly right! The Internet of Things vision includes smart devices — thermostats, lights, sensors, appliances — forming spontaneous mesh networks with each other, passing data along without relying on a central router or ISP infrastructure. Standards like Thread and Matter are already pushing this concept into real homes today.

The answer is the IoT mesh. The Internet of Things roadmap envisions billions of smart devices forming organic, self-organizing mesh networks — communicating peer-to-peer without needing a traditional router as a middleman. Protocols like Thread (used in Matter-compatible smart home devices) are making this a reality right now.

What quirky real-world project demonstrated mesh networking by connecting an entire island community with a DIY WiFi mesh built mostly from recycled hardware?

Correct! Guifi.net, launched in rural Catalonia in the early 2000s, grew into one of the world’s largest community-owned mesh networks with tens of thousands of nodes. It was built by volunteers using cheap or recycled hardware to bring internet access to areas ignored by commercial ISPs — a remarkable grassroots achievement still operating today.

The answer is Guifi.net. This incredible volunteer-built mesh network in Catalonia, Spain, started in the early 2000s and eventually grew to over 35,000 active nodes, making it one of the largest community mesh networks on the planet. It proved that determined communities could build their own internet infrastructure without relying on big telecoms.

Challenge Complete

Your Score

/ 8

Thanks for playing!

Setting up your old router as an access point

Making a world difference in your Wi-Fi range

While it may seem intimidating to deal with your Wi-Fi settings since you do not want to press the wrong button and take your entire network offline, this process was surprisingly simple. All it took was finding a suitable place for the old router and connecting it to my existing network.

How to Share a Wired Ethernet Internet Connection With All Your Devices

The first thing I had to do was find a location for my old router that would provide good coverage to the backyard. Luckily, our living room is right next to the backyard, and it used to house the family computer.

As a result of that setup, an Ethernet port was already installed in the room for the computer. This gave me an easy way to connect the old router to the main router, which was located on the other side of the house.

Powerline networking adapter plugged into a wall outlet with an Ethernet cable connected. Credit: Olivier Le Moal/Shutterstock.com

If you do not have a pre-installed Ethernet port in your house, there are other ways to get a wired connection, including through your home’s electrical outlets. There are various adapters that can help with this, such as the TP-Link AV1000 Powerline Ethernet Adapter Kit.

Once you have one set up—if needed—you can connect your old router to the adapter, and it will then benefit from a wired connection.

TP-Link AV1000 Powerline Ethernet Adapter

Brand

TP-Link

Ports

1x Ethernet


For my setup, I had an old TP-Link router from before I upgraded to my current model, and getting it configured as an access point was not that difficult. All I had to do was connect it to my main router with an Ethernet cable, add it as a new device in the TP-Link Deco app, and switch its operating mode from router to access point.

The difference between router mode and access point mode is how the device handles your network. In router mode, the router connects directly to your internet line and distributes internet access to your devices. On the other hand, in access point mode, the additional router acts as a bridge between your primary router and your devices, extending your home’s wireless coverage.

Two different modes in the Deco app on an iPhone in front of a colorful background. Credit: Nathaniel Pangaro / How-To Geek

However, there is one caveat to doing this: the handoff between your main router and your access point won’t be quite as seamless as a dedicated mesh system. While you can use the exact same network name and password to let your devices automatically switch to the stronger signal, I chose a different route

With a mesh router setup, your devices can automatically switch between different nodes while remaining connected to the same Wi-Fi network. This handoff happens seamlessly in the background, so you do not have to do anything.

With an access point, you have the option to create a completely separate network name. I decided to do this, meaning I have to manually join it whenever I want to use the signal from my old router.

Connecting to an access point network on an iPhone in front of a colorful background. Credit: 

Nathaniel Pangaro / How-To Geek

At first, I was not the biggest fan of having multiple networks listed in my Wi-Fi settings and needing to manually switch between them. However, after thinking about it more, I warmed up to the idea.

Considering how infrequently I am outside compared with how often I am indoors, I realized I would spend most of my time connected to my primary network anyway.

Wi-Fi Bands

Wi-Fi 6

Ethernet Ports

6 (2 each)


Additionally, to make things easier, I gave the access point network a distinct name. This allows both me and any guests who visit to quickly identify which network provides coverage for the backyard.


Using my old router as an access point has made spending time in the backyard much more enjoyable. Before, I would sit outside with a weak signal from the house and wait for content to load at a snail’s pace.

Yet, after setting up the access point, it made a world of difference. I now have a stronger signal, faster loading times, and more reliable ways to stay connected no matter where I am on my property.

So if you’re like me and struggle with poor Wi-Fi coverage in your backyard, consider pulling your old router out of the closet and putting it to good use. It’s never too late to turn something you thought was junk into a practical solution that can save you a significant amount of money.



Source link