As crypto moves from the margins to the mainstream of the UK financial system, regulatory uncertainty is giving way to structured supervision, authorisation and enforcement. BCLP’s Emerging Themes 2026 crypto series tracks this transition in real time — from the expansion of the regulatory perimeter, through new conduct and market integrity regimes, to the operational and governance expectations that will define participation in regulated crypto markets. This article focuses on the latest step in that progression: the FCA’s publication of its perimeter guidance in Consultation Paper CP26/13, a critical development in translating legislative intent into practical compliance obligations as the UK’s new crypto regime takes shape.

UK regulators have not yet fully exercised the breadth of their powers to address shortcomings in organisational cyber‑security measures—but that restraint is unlikely to continue. The policy statements published on 18 March 2026 by the FCA, PRA and Bank of England, introducing a new single regime for operational incident and third‑party reporting, signal the direction of travel. The framework—under which firms must report serious cyber and operational incidents through a unified portal and provide structured information on their critical third party (CTP) dependencies—reflects the UK regulators’ sharpened focus on digital risk, system resilience, and their recognition of the vulnerabilities inherent in  complex technological supply chains. This shift sits alongside the UK government’s broader agenda. As the Cyber Security and Resilience (Network and Information Systems) Bill (NIS Bill) progresses and HM Treasury (HMT) prepares to designate major technology providers as CTPs using its FSMA powers, firms can expect a step‑change in supervisory expectations. Cyber‑security, data protection and operational resilience disciplines must now operate as a single, evidence‑based ecosystem capable of withstanding assertive regulatory challenge. The coming year will require firms not only to demonstrate alignment on paper, but to evidence—consistently and credibly—that controls work in practice. This article is the first in our three part Emerging Themes in Financial Regulation & Disputes 2026 series. We examine the evolving regulatory and risk landscape shaping cyber and operational resilience expectations for the year ahead—and set out practical priorities for financial services firms seeking to respond proactively. Our accompanying articles will examine (i) the evolving cyber litigation risks facing financial services firms and (ii) operational resilience and the growing influence of CTP designations.

Consistent with patterns from past administrations, we expect U.S. securities enforcement to accelerate modestly in 2026. The SEC and FINRA will likely focus increasingly on cases about foreign actors, artificial intelligence (AI), and other emerging technologies, alongside traditional areas of enforcement with an emphasis on addressing investor harm.