Regulation

Operational resilience under the new PRA framework: what changed in 2026.

Mar 2026 · 12 min read · By the Regulatory Practice

The Prudential Regulation Authority's March 2026 update to SS1/21 closes the implementation window opened five years ago and replaces aspirational language around "important business services" with measurable, evidenced obligations. The headline change is not new — firms must remain within impact tolerances for severe but plausible scenarios — but the supporting machinery has been substantially rebuilt.

1. Impact tolerances are now quantitative by default

Where the 2021 framework permitted qualitative tolerances for hard-to-measure services, the 2026 update requires a numeric ceiling for every important business service. Boards must approve the methodology, and the methodology must be re-tested annually against live incident data.

2. Third-party concentration is treated as a first-order risk

The revised Chapter 4 aligns the PRA's expectations with the EU's DORA and requires firms to map fourth-party dependencies for any service classified as critical. In practice, this means cloud, payment-rail and identity providers must be evidenced down to the underlying sub-processor.

3. Self-assessments are now supervisor-led

The annual self-assessment, previously an internal document, is now submitted as a structured return. Supervisors will challenge the underlying scenarios, and firms should expect targeted s.166 reviews where impact tolerances appear undertested.

What boards should do now

We recommend three actions before the next reporting cycle: rebase the impact tolerance methodology against the new quantitative guidance, refresh the third-party map to fourth-party depth for every critical service, and rehearse a severe-but-plausible scenario end-to-end with both technology and operations in the room.