PRA SS2/21

Secure PRA SS2/21 compliance with software resilience

Satisfy PRA expectations for outsourcing risk management with Codekeeper's comprehensive software escrow solutions designed for UK financial services.

When your critical software vendors fail under SS2/21, you face immediate operational shutdown and potential PRA enforcement actions that can restrict your business activities until you prove viable continuity capabilities.

PRA SS2/21: What you need to know

What is PRA SS2/21?

Prudential Regulation Authority (PRA) Supervisory Statement 2/21 (SS2/21) is the regulatory framework that sets out expectations for how UK financial firms should manage outsourcing and third-party arrangements.

Who needs to comply with PRA SS2/21?

SS2/21 affects all PRA-regulated entities across the UK financial services sector, including:
Banks and building societies
Investment firms designated by the PRA
Insurance and reinsurance firms
Groups in scope of Solvency II
UK branches of foreign financial institutions
Credit unions and non-directive firms

Key PRA SS2/21 requirements

SS2/21 requires financial firms to implement comprehensive third-party risk management across four critical areas:
1. Governance and oversight — Establish board-approved policies with clear senior management accountability for all outsourcing decisions.
2. Risk assessment and due diligence — Identify which relationships are critical to operations and research potential providers thoroughly before signing contracts.
3. Contractual protection — Create detailed written agreements covering data security, performance standards, and audit rights.
4. Business continuity planning — Build and test practical backup plans for maintaining services when critical providers fail.

The software escrow — SS2/21 connection

Software escrow directly addresses SS2/21's core requirement by ensuring firms can sustain essential services when third-party software providers become unavailable or fail to deliver contractual obligations.

SS2/21 risk

Vendors become insolvent without transition support
Firms cannot access source code for system rebuilds
Exit strategies remain theoretical until tested
PRA finds inadequate evidence of self-sufficiency

Software escrow solution

Secure repository stores source code and documentation
Legal framework guarantees access when providers fail
Verification testing proves materials restore functionality
Regular updates ensure current system alignment

Compliance outcome

Demonstrable capability to continue without providers
Documented exit strategies satisfy PRA expectations
Evidence of due diligence in risk management
Reduced dependency on provider cooperation
Software escrow provides the technical foundation that makes SS2/21's stressed exit requirements achievable when traditional planning reaches its limits.

Let us help you with SS2/21 compliance

Understanding SS2/21 requirements is one thing — implementing the actual technical capabilities to satisfy them is another challenge entirely.
We see what you're up against:
Extending risk management to SaaS and software purchases
Proving you can restore systems independently
Maintaining oversight across sub-outsourcing supply chains
Satisfying PRA expectations for genuine exit capabilities
We've secured critical software assets for thousands of financial institutions globally. We can protect your operational resilience, too.

Codekeeper's complete solutions for SS2/21 requirements

Our software escrow services help you meet SS2/21's requirements by ensuring you can recover critical systems when third-party vendors fail.
Software Escrow
Protection scope: On-premises software
Stores your software source code and technical documentation safely so you can rebuild systems independently when vendors can't help.
Enables stressed exit strategies that work without vendor cooperation
Shows PRA you have genuine alternatives to vendor dependency
Creates documented evidence of operational self-sufficiency for regulatory review
SaaS Escrow
Protection scope: Cloud-based applications
Captures everything needed to migrate cloud services, including configurations and deployment guides, when SaaS providers fail.
Covers cloud arrangements that SS2/21 now includes in scope
Provides working exit strategies for material SaaS dependencies
Shows due diligence in managing third-party risks for PRA oversight
Continuity Escrow
Protection scope: Supporting services and infrastructure
Takes over payments for critical supporting services to maintain operations when main vendor relationships are disrupted.
Prevents sub-outsourcing failures that could disrupt your operations
Gives you time to execute exit plans without immediate service loss
Supports board governance and accountability for third-party arrangements
Verification
Protection scope: All escrowed materials
Tests all stored materials to prove they actually work for recovering systems, providing the evidence SS2/21 compliance requires.
Confirms your exit strategies function in practice, not just theory
Establishes realistic timelines for system reconstruction during emergencies
Provides Software Resilience Certificates for PRA audit evidence

Prepare for SS2/21 compliance in 4 simple steps

SS2/21 requires you to prove you can restore critical systems when vendors fail. Here’s how we help you establish that capability:
1. Book your SS2/21 assessment call
We assess your current third-party dependencies and identify which arrangements need documented exit strategies under the regulation.
2. Pick your software protection level
Choose Software Escrow for on-premises systems, SaaS Escrow for cloud applications, or Continuity Escrow for supporting services.
3. We'll handle everything else — from setup to implementation
Our experts manage vendor negotiations, legal agreements, and technical deposits without disrupting your operations.
4. Get your Software Resilience Certificate
Receive formal evidence of your operational resilience capabilities, ready for PRA review and ongoing supervision.
One call. One solution. Complete software continuity for SS2/21.

Codekeeper takes the complexity out of compliance

Over the years, we've helped thousands of financial institutions protect their critical software while keeping the process simple. Our solutions make regulatory requirements straightforward and manageable.
Airbus
Bayer
European Parliament
General Motors
Intuit
Nestle
Pepsico
Pfizer

SS2/21 compliance timeline

March 31, 2022

SS2/21 became effective for all PRA-regulated entities
Legacy agreements should be updated at next renewal or revision

Ongoing from 2022

Continuous compliance with third-party risk management expectations
Regular assessment of materiality and exit strategy effectiveness

When SS2/21 expectations aren't met

Poor preparation for SS2/21 creates a domino effect where regulatory problems compound operational vulnerabilities.
Formal PRA intervention
The PRA may issue directions, add new requirements, or restrict business activity if firms lack workable exit strategies.
Operational dependency
Without viable exit plans, vendor failures can stop critical services and leave firms unable to meet regulatory obligations.
Authorization concerns
Failure to prove self-sufficiency can jeopardize regulatory permissions and raise doubts about your firm’s ability to operate.
Enhanced regulatory scrutiny
Weak third-party risk management invites closer PRA supervision, extra monitoring, and more reporting.
Senior management accountability
Under SM&CR, senior managers remain personally responsible for ensuring outsourcing governance and vendor risk controls.
Software vendor dependency is now a regulatory risk. Fortify your recovery capabilities before they become your crisis.

How you benefit from SS2/21 readiness

Avoid regulatory enforcement

Meet PRA expectations for third-party risk management to prevent formal directions, additional requirements, or business restrictions that could limit your operations and growth.

Protect operational continuity

Ensure important business services continue during vendor disruptions through proven exit strategies that work when traditional contingency plans fail.

Reinforce stakeholder confidence

Demonstrate to customers, partners, and shareholders that your institution can maintain services independently of third-party providers during market stress.

Strengthen board governance

Provide your board and senior management with documented evidence of adequate third-party oversight that satisfies SM&CR accountability requirements.

Build genuine exit capabilities before you need them

Our advisors will show you exactly how our software resilience solutions meet SS2/21's third-party risk management expectations.
Analysis of your current third-party dependencies
Demo of how software escrow satisfies stressed exit requirements
Practical implementation guidance without technical complexity
Actionable steps you can take today

Frequently asked questions

What is the PRA SS2/21 regulation?
SS2/21 is the Prudential Regulation Authority's framework requiring PRA-regulated firms to manage outsourcing and third-party arrangements. It mandates that firms demonstrate they can maintain operations when material service providers fail.
What are the PRA fundamental rules?
The PRA Fundamental Rules are 10 principles for regulated firms covering integrity, skill and diligence, prudent conduct, adequate financial resources, effective risk management, responsible organization, regulatory cooperation, resolution preparedness, operational resilience, and financial system risk management.
When did SS2/21 come into effect?
SS2/21 became effective March 31, 2022. New arrangements from March 31, 2021, onward must comply, while legacy agreements should be updated at the next contract renewal.
What is a stressed exit plan?
A stressed exit plan covers emergency scenarios where firms must exit outsourcing agreements due to vendor failure or insolvency. It ensures continued operations when vendors cannot cooperate, unlike planned commercial exits.
Why is software escrow important for SS2/21 compliance?
Software escrow enables firms to rebuild systems when vendors fail by securing source code and documentation. It transforms theoretical exit strategies into practical capabilities that satisfy SS2/21's operational resilience requirements.
Can Codekeeper help with SS2/21 readiness?
Yes. Codekeeper provides software resilience solutions that secure critical software assets, enable stressed exit strategies, and create documentation demonstrating operational self-sufficiency for PRA compliance.

Let's build bulletproof software resilience together.