
FCA Cyber Security: Edinburgh Guide

FCA Cyber Security Requirements for Edinburgh Firms

This FCA cyber security requirements Edinburgh guide covers the requirements and how to meet them. The FCA’s operational resilience regime reached its full compliance deadline on 31 March 2025. Since that date, every FCA-regulated firm – including Edinburgh-based IFAs, wealth managers, insurance brokers, and accountancy practices with a Part 4A permission – must be able to demonstrate it can remain within its self-set impact tolerances for each important business service it delivers. The transition window is closed.

Alongside PS21/3, the FCA published its Critical Third Parties framework (effective January 2025) and a consultation on Operational Incident and Third-Party Reporting (CP24/28, December 2024). The regulator has signalled clearly that technology and cyber resilience are now central to its supervisory agenda – not peripheral IT concerns. For Edinburgh’s concentrated cluster of financial services firms, that means cyber security is now a board-level compliance obligation, not a task to be delegated to an IT contractor.

This article sets out exactly what the rules require, what happens when things go wrong, and where to start if your firm is still catching up.


TL;DR – FCA cyber compliance at a glance

  • FCA PS21/3 full compliance deadline: 31 March 2025 – firms must now remain within impact tolerances for all important business services
  • Critical Third Parties framework took effect 1 January 2025
  • Data breaches involving personal data must be reported to the ICO within 72 hours (UK GDPR Article 33)
  • The ICO fined Capita £14 million in October 2025 following the 2023 ransomware breach affecting 6.6 million people
  • Cyber Essentials is strongly recommended by the NCSC and regulators as a minimum baseline – it is not explicitly mandated but is treated as an expectation



Figure: FCA PS21/3 – Five Operational Resilience Requirements (all active from 31 March 2025): 1. Identify important business services; 2. Set impact tolerances; 3. Map people, processes and technology; 4. Test against plausible scenarios (including cyber); 5. Actively manage third-party risk. Source: FCA Policy Statement PS21/3 (2021). Bar widths in the original chart are illustrative only; all five requirements carry equal regulatory weight.

What Are the FCA’s Core Cyber Security Requirements?

According to the DSIT Cyber Security Breaches Survey (2025), 43% of UK businesses experienced a breach, which underlines why the FCA enforces operational resilience so strictly. Regulated firms in Edinburgh must prove they can withstand and recover from these inevitable attacks.

DSIT-linked reporting says 20% of UK businesses experienced cybercrime in 2025, underlining why FCA-regulated firms are facing stronger pressure around operational resilience and third-party risk. The FCA does not publish a single cyber security rulebook. Instead, cyber obligations sit across three overlapping frameworks. SYSC (Senior Management Arrangements, Systems and Controls) requires firms to identify, manage, and monitor operational risks including information security. PS21/3 mandates operational resilience for important business services. Principle 11 obliges firms to deal with the regulator openly and report material incidents promptly.

Under SYSC 7.1, all FCA-regulated firms must establish policies and procedures to manage their exposure to operational risks. The FCA Handbook notes that firms should have regard to established information security standards – for example, NCSC Cyber Essentials and ISO/IEC 27001 are both referenced as appropriate benchmarks. Cyber risk is treated as a subset of operational risk. As a result, the governance structures and board oversight expected for operational resilience apply equally to cyber threats.

The FCA’s approach is principles-based rather than prescriptive. That means the regulator looks for evidence of governance, risk assessment, testing, and remediation – not simply a certificate. Furthermore, firms that demonstrate a documented cyber risk framework, tested incident response procedures, and active board engagement will be better positioned during any supervisory review. In short, evidence of process matters more than possession of a single certification.


What Does FCA Operational Resilience (PS21/3) Mean for Edinburgh Firms?

URM Consulting (2026) found that the average ICO fine reached £1.45 million in 2025, heavily punishing financial firms for preventable data loss. You must prioritise immediate remediation for internet-facing systems to avoid joint regulatory action from the ICO and FCA.

Specifically, the policy applies to banks, building societies, insurers, recognised investment exchanges, enhanced scope SM&CR firms, and payment and e-money institutions. That scope covers the bulk of Edinburgh’s regulated sector: IFAs, discretionary investment managers, insurance brokers, and any firm with a payment services permission. An accountancy practice regulated solely by a professional body rather than the FCA may fall outside scope. However, any firm holding FCA permissions should assume it is in scope.

The Five PS21/3 Obligations

PS21/3 sets out five core obligations for regulated firms. First, identify your important business services. Second, set maximum impact tolerances for disruption to each service. Third, map the people, processes, technology, facilities, and data those services depend on. Fourth, test your ability to remain within tolerances under plausible disruption scenarios – including cyber attack, data corruption, and loss of technology. Fifth, continuously manage third-party risk. Firms must maintain a self-assessment document evidencing compliance with each requirement.

In its May 2024 insights publication, the FCA noted that many firms had mapped their important business services but had underestimated the severity of plausible scenarios. Additionally, the FCA flagged that remediation plans must be fully funded and governed, not simply documented. As a result, Edinburgh firms that mapped services in 2022 should revisit their self-assessment to confirm it reflects current infrastructure and third-party arrangements.


Does DORA Apply to UK-Based Financial Firms?

The FCA’s PS21/3 guidelines (2025) show that firms must map 100% of their critical third-party IT dependencies to comply with impact tolerance rules. You cannot outsource your regulatory accountability; if your IT provider fails, your firm is held entirely responsible.

From our experience: the most common finding during our initial security assessments is that basic configuration hygiene – disabling legacy protocols, enforcing MFA, and patching known vulnerabilities – eliminates the majority of the attack surface before any new tooling is needed.

DORA vs PS21/3: Key Differences for UK Firms

Our assessment: the hidden cost of DORA compliance is the massive ongoing vendor risk management and auditing overhead, not the internal technology deployment.

The distinction matters in practice. Both DORA and PS21/3 share the same policy objective – ensuring financial entities can withstand and recover from ICT-related disruption. However, they differ significantly in scope, methodology, and enforcement mechanism. DORA requires a structured ICT risk management framework, detailed incident classification timelines, and digital resilience testing – including threat-led penetration testing for significant firms. It also mandates formal ICT third-party contract provisions. PS21/3, in contrast, focuses on important business service continuity, impact tolerances, and scenario testing. Neither is a subset of the other.

A UK firm operating in the EU – through a branch, an AIFM permission, or by servicing EU clients – must comply with DORA for those EU-facing activities while simultaneously meeting PS21/3 for UK-regulated operations. For a purely UK-regulated Edinburgh IFA with no EU footprint, DORA has no direct legal force.

Therefore, Edinburgh firms considering EU expansion, or those relying on EU-based cloud providers or outsourced ICT, should take legal advice on their DORA exposure before assuming they are out of scope. The supply chain element of DORA – which imposes obligations on critical ICT third-party providers – can create indirect obligations even where the firm itself is UK-only.


What Are the Minimum Technical Controls the FCA Expects?

The FCA’s Cyber Coordination Group published its 2024 insights in late 2024, identifying vulnerability management and patching as areas where regulated firms most commonly fall short (FCA supervisory guidance, 2025). The FCA expects firms to categorise zero-day vulnerabilities as the highest priority and to treat critical vulnerability response as an incident-style process, not a scheduled maintenance task.

Drawing on SYSC requirements, FCA supervisory guidance, and NCSC Cyber Essentials, the table below summarises the controls most regulated firms are expected to maintain:

Technical Controls at a Glance

| FCA Expectation | Technical Control | Minimum Standard |
|---|---|---|
| Access control (SYSC 7.1 / Cyber Essentials) | Multi-factor authentication (MFA) | MFA enforced for all remote access, email, and privileged accounts |
| Vulnerability management (FCA CCG 2024) | Patching and software updates | Critical patches applied within 14 days; zero-days treated as P1 incidents |
| Network security (Cyber Essentials) | Boundary firewall and network segmentation | Configured firewall on all internet-facing systems; network segmentation for sensitive data |
| Malware protection (Cyber Essentials) | Endpoint protection | Active malware protection on all devices; regular scans |
| Data protection (UK GDPR / SYSC) | Encryption at rest and in transit | Encryption for all client data; TLS 1.2 minimum for data in transit |
| Access management (Cyber Essentials) | Least-privilege access controls | User accounts limited to required permissions; admin accounts separate |
| Business continuity (PS21/3) | Tested backup and recovery | Regular, tested backups; recovery time objective aligned to impact tolerances |
| Third-party risk (PS21/3 / CTR) | Supplier due diligence | Documented ICT supplier assessments; contractual resilience provisions |
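The minimum standards in the table above can be turned into checks that run over a firm's own asset and vulnerability inventory, producing the kind of evidence a supervisor asks for. The script below is an added example, not code from the article or from any vendor; the inventory is constructed sample data and every field name (mfa, tls_min, admin_separate, zero_day, priority) is an assumption chosen for illustration.

```python
# Added example (not the article's): a constructed inventory is checked against the table's minimum standards; all field names are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

CRITICAL_PATCH_SLA_DAYS = 14   # "Critical patches applied within 14 days"
MIN_TLS = (1, 2)               # "TLS 1.2 minimum for data in transit"

@dataclass
class Asset:
    name: str
    internet_facing: bool
    privileged: bool           # hosts or grants admin-level access
    mfa: bool                  # MFA enforced for access to this asset
    tls_min: Tuple[int, int]   # lowest TLS version the service accepts
    admin_separate: bool       # admin accounts distinct from daily-use accounts

@dataclass
class Finding:
    asset: str
    severity: str              # "critical", "high", "medium", "low"
    zero_day: bool
    published: date            # date the vulnerability became known
    patched: Optional[date]    # None while still open
    priority: str              # ticket priority the firm assigned

def check_asset(a: Asset) -> List[str]:
    """Access-control, transport and least-privilege expectations."""
    issues = []
    if (a.internet_facing or a.privileged) and not a.mfa:
        issues.append(f"{a.name}: MFA not enforced on remote/privileged access")
    if a.internet_facing and a.tls_min < MIN_TLS:
        issues.append(f"{a.name}: accepts TLS {a.tls_min[0]}.{a.tls_min[1]}, below 1.2")
    if a.privileged and not a.admin_separate:
        issues.append(f"{a.name}: admin accounts not separated from user accounts")
    return issues

def check_finding(f: Finding, today: date) -> List[str]:
    """Vulnerability management: 14-day critical SLA, zero-days handled as P1."""
    issues = []
    if f.zero_day and f.priority != "P1":
        issues.append(f"{f.asset}: zero-day logged as {f.priority}, expected P1 incident")
    if f.severity == "critical":
        age = ((f.patched or today) - f.published).days  # open items age until today
        if age > CRITICAL_PATCH_SLA_DAYS:
            state = "patched" if f.patched else "still open"
            issues.append(f"{f.asset}: critical vulnerability {state} after {age} days")
    return issues

def run_checks(assets: List[Asset], findings: List[Finding], today: date) -> List[str]:
    return [i for a in assets for i in check_asset(a)] + \
           [i for f in findings for i in check_finding(f, today)]

# Constructed sample inventory for a small firm (not real systems).
AS_OF = date(2025, 6, 30)
SAMPLE_ASSETS = [
    Asset("vpn-gateway", True, False, False, (1, 0), True),
    Asset("mail-tenant", True, True, True, (1, 2), False),
    Asset("file-server", False, False, False, (1, 2), True),
]
SAMPLE_FINDINGS = [
    Finding("vpn-gateway", "critical", False, date(2025, 6, 1), date(2025, 6, 20), "P2"),
    Finding("mail-tenant", "critical", True, date(2025, 6, 25), None, "P3"),
    Finding("file-server", "high", False, date(2025, 5, 1), None, "P2"),
]
```

Running `run_checks(SAMPLE_ASSETS, SAMPLE_FINDINGS, AS_OF)` on the sample data returns five gaps: missing MFA and TLS 1.0 on the VPN gateway, unseparated admin accounts on the mail tenant, a critical patch applied after 19 days, and a zero-day ticketed below P1.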

Principles-Based Approach: What This Means in Practice

This table is not an exhaustive checklist. The FCA’s principles-based approach means a firm with compensating controls and strong governance may satisfy requirements through different means. The table reflects the controls most commonly examined during supervisory engagement.


What Happens If Your Firm Suffers a Cyber Incident?

URM Consulting enforcement data (2026) reports that reporting obligations after a cyber incident run on two separate tracks. Edinburgh financial firms need to be clear on both, because the FCA and the ICO have different triggers, timelines, and scope.

Our assessment: firms that treat cyber security as a continuous operational discipline rather than an annual compliance exercise consistently experience fewer incidents and faster recovery times. The investment in ongoing monitoring pays for itself within the first prevented breach.

ICO Notification: The 72-Hour Rule

Under UK GDPR Article 33, if a cyber incident involves a personal data breach – which most ransomware attacks and data exfiltration events will – the firm must notify the ICO within 72 hours of becoming aware of it. The ICO expects notification even without full details; a follow-up report can supplement the initial submission. Importantly, failure to notify within 72 hours is itself a breach that can attract a fine, separate from the underlying incident. For example, the ICO fined Capita £14 million in October 2025 for failings arising from its March 2023 ransomware breach, affecting 6.6 million people.

FCA Notification: Principle 11 and SUP 15.3

The FCA track is distinct. Under Principle 11 and SUP 15.3, firms must notify the FCA of any material operational incident. A successful cyber attack that disrupts an important business service or results in client data loss will typically be material. There is no fixed 72-hour clock for FCA notification; instead, the obligation is to report as soon as the firm identifies the incident as material. Firms with a named FCA supervisor should contact that supervisor directly. Dual-regulated firms must notify both the FCA and the PRA.

Additionally, CP24/28 – the FCA’s December 2024 consultation on Operational Incident and Third-Party Reporting – proposes a more structured notification framework. Firms should monitor the outcome of that consultation, as it will formalise the reporting obligations that currently rely on SUP 15.3 interpretation.


How Does Cyber Essentials Fit Into FCA Compliance?

According to FCA supervisory guidance (2025), Cyber Essentials is the UK Government’s baseline cyber security certification scheme, designed and governed by the NCSC. It covers five control areas: firewalls, secure configuration, access control, malware protection, and patch management. Cyber Essentials Plus adds an independent technical audit by a certification body.

Cyber Essentials is not explicitly mandated by the FCA – there is no rule that states all firms must hold the certification. However, the regulator and the NCSC both treat it as a recognised minimum baseline. Furthermore, FCA supervisory guidance has referenced NCSC standards as an appropriate benchmark for information security arrangements. In practice, firms holding Cyber Essentials certification are better placed to demonstrate they have addressed the technical controls expected under SYSC 7.1 and the operational resilience framework.

Cyber Essentials Plus is more suitable for financial services firms because it involves independent third-party verification rather than self-assessment. Specifically, the NCSC notes that Plus provides a higher level of assurance for organisations holding sensitive data. Holding the certification does not guarantee FCA compliance. A firm could still fail PS21/3 requirements if its impact tolerance testing or incident response framework is inadequate. Nevertheless, it provides a defensible baseline and simplifies documentation during supervisory engagement.

Moreover, renewal is annual, which aligns with the FCA’s expectation that cyber security controls are continuously maintained and not treated as a one-time exercise.


What Should a Small Edinburgh IFA or Wealth Manager Do First?

For a small Edinburgh IFA or wealth manager – perhaps a firm of five to twenty people operating under an appointed representative or direct authorisation – the PS21/3 requirements can look disproportionate, according to FCA supervisory guidance (2025). The regulator’s intention, however, is that the framework scales with the firm. A small firm’s important business services might be limited to client portfolio reporting, custody of client assets, and financial advice delivery. Its impact tolerances will reflect its size and client base. The documentation required is proportionate to the scope of services.

The most practical starting point is identifying your important business services. For most small wealth managers, that means the systems and processes through which you deliver regulated advice and manage client assets. Work backwards from the client outcome – what technology, people, and third parties does each service depend on? That dependency map is the foundation of both PS21/3 compliance and a meaningful cyber risk assessment.

Priority Controls and Incident Planning

From there, prioritise the controls most likely to prevent the most common incidents. Specifically, ransomware and business email compromise account for the majority of financial sector cyber incidents. Therefore, MFA on email accounts, cloud platforms, and remote access – combined with tested offline backups – will address the dominant attack vectors before you invest in more advanced controls.

Next, formally document your incident response plan: who does what in the first hour, first 72 hours, and first week after a breach. Ensure that plan includes the ICO 72-hour notification trigger and the FCA material incident assessment. Additionally, test it at least annually against a plausible scenario such as a ransomware attack locking your practice management system.

If your firm has not yet completed a PS21/3 self-assessment, start with a structured review of the five requirements against your current operations. Virtually Pro works with Edinburgh-based financial services firms on exactly this – combining technical IT support with the compliance documentation your FCA supervisor will expect to see.



Frequently Asked Questions

Do all FCA-regulated firms need to comply with cyber security rules?

Yes. Every FCA-authorised firm is subject to SYSC 7.1 operational risk management requirements, which include cyber and information security. PS21/3 operational resilience obligations apply to banks, insurers, investment firms, enhanced SM&CR firms, and payment and e-money institutions. Additionally, all regulated firms are subject to UK GDPR if they process personal data, which imposes security and breach notification requirements independently of FCA rules.

What is the penalty for FCA cyber security non-compliance?

The FCA can impose financial penalties, public censure, and in serious cases suspension or withdrawal of a firm’s permissions. FCA penalties can reach millions of pounds for significant failures. Separately, the ICO can fine firms up to £17.5 million or 4% of global annual turnover for serious UK GDPR breaches. For example, the Capita case at £14 million illustrates the upper end of that range for large organisations.

How quickly must financial firms report a cyber breach to the FCA?

There is no fixed deadline equivalent to the ICO’s 72-hour rule. Instead, the FCA requires prompt notification of material operational incidents under Principle 11 and SUP 15.3. In practice, firms should notify the FCA as soon as the incident is assessed as material – typically within 24 to 72 hours. For personal data breaches, the ICO’s 72-hour clock runs in parallel from the moment the firm becomes aware of the breach.

What is the difference between FCA operational resilience and DORA?

PS21/3 is UK law, administered by the FCA and PRA, applying to UK-regulated financial entities. DORA, by contrast, is EU law applying to EU-regulated financial entities. Both regimes require ICT risk management, resilience testing, and incident reporting. However, DORA is more prescriptive – it includes mandatory threat-led penetration testing for significant entities and detailed third-party contract provisions. UK-only firms are not legally required to comply with DORA; UK firms with EU operations or EU-based ICT providers may have DORA obligations for those activities.

Does Cyber Essentials certification satisfy FCA cyber requirements?

No – but it helps. Cyber Essentials demonstrates that a firm has addressed five core technical controls that the FCA and NCSC treat as a minimum baseline. Nevertheless, it does not satisfy the full scope of FCA requirements: PS21/3 mapping, testing, and self-assessment go beyond what Cyber Essentials covers. Furthermore, SYSC governance requirements include board-level oversight and incident response procedures the certification does not assess. Cyber Essentials Plus is therefore best viewed as a necessary foundation, not a complete answer.

What Are the Key Takeaways?

The FCA’s cyber security framework has matured significantly in the past four years. PS21/3 is no longer a forthcoming obligation – it is current law, fully in force since March 2025. For Edinburgh’s financial services community, the practical priority is ensuring that the documentation, testing, and governance structures required by the framework are genuinely operational, not just on paper.

Small firms should not interpret proportionality as permission to delay. A well-structured PS21/3 self-assessment, a basic but tested incident response plan, and Cyber Essentials Plus certification are achievable within a realistic budget and timeline. The regulatory and reputational cost of an unmanaged cyber incident far exceeds the cost of preparation. An ICO fine, an FCA supervisory notice, and client notification obligations can individually dwarf the investment required for preventive controls.

Virtually Pro supports Edinburgh-based FCA-regulated firms with managed IT services aligned to FCA operational resilience requirements. If your firm needs help completing a PS21/3 self-assessment or implementing the technical controls the FCA expects, contact our team to discuss your situation.


Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.
