On 15 May 2026, the Bank of England, the Financial Conduct Authority and HM Treasury issued a joint statement on frontier AI models and cyber resilience. The text is published supervisory expectation. It is not new rule text and not a consultation. It directs regulated firms to apply existing operational resilience and cyber-risk rules to risks arising from frontier AI capabilities.
The statement sits within the regulators' existing operational resilience perimeter. For PRA-authorised firms the relevant sources are the PRA Rulebook on Operational Resilience and supervisory statement SS1/21. For FCA solo-regulated firms the operative chapter is SYSC 15A. The PRA's model risk expectations in SS1/23 are also engaged. HM Treasury contributes policy direction through the Cross Market Operational Resilience Group. The joint text records that frontier model capability already exceeds a skilled human attacker in speed, scale and cost.
The direct addressees are UK-perimeter banks, insurers, asset managers, payments firms, e-money issuers and crypto-asset firms. The authorities expect board and executive understanding of frontier AI risk. They expect mapped vulnerability identification and supplier oversight that covers AI model providers and cloud hosts. They expect protective controls, including segmentation and authentication, and tested response and recovery plans. Firms should feed lessons learned into the Cross Market Operational Resilience Group.
The statement does not impose a new threshold for reporting AI-driven incidents. It does not change DORA-equivalent intra-group rules. It does not displace the FCA AI Update of April 2024 or the PRA's model risk principles. Firms should expect supervisory dialogue and possible thematic review activity. Rule-making could follow if controls remain immature.
We may advise on the application of frontier AI obligations to UK-regulated firms. We can call on a partner network of UK counsel where additional specialist input is required. Contact us to scope a piece of work. Work we undertake includes operational resilience gap assessment, AI vendor due diligence, board reporting templates, model risk policy review and incident playbooks.
Source: Bank of England, Financial Conduct Authority and HM Treasury, Joint Statement on Frontier AI Models and Cyber Resilience, 15 May 2026, https://www.bankofengland.co.uk/news/2026/may/boe-fca-and-hm-treasury-joint-statement-on-frontier-ai-models-and-cyber-resilience
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.