How to use this tool: Rate each requirement using R Red (not in place), A Amber (partially in place), or G Green (fully in place). Regime A (incident reporting) applies to almost all regulated firms. Regime B (third party reporting) applies to enhanced/larger firms only — skip if not applicable.
PS26/2 Gap Assessment Report
0Red — Not in place
0Amber — Partially in place
0Green — Fully compliant
Ready to close these gaps?
ERM Plus has pre-built PS26/2 requirements into a fully configured, audit-ready operational resilience framework — covering both incident reporting workflows and material third party registers. Most firms reach compliance-ready in weeks.
A1 — Scope & Firm Classification Regime A
0 / 6 rated
A1.1 Scope determination
Confirm firm holds Part 4A permission or is a PSP, UK RIE, trade repository or CRA — and is therefore in scope
Permissions register / regulatory status confirmation
Determine whether firm is a standard or enhanced reporting firm under SUP 15.18.3R
Classification assessment document
Identify if firm is dual-regulated (FCA + PRA) and understand single portal submission process
Dual-regulation mapping note
A1.2 Reporting infrastructure
Register for and test access to the FCA single reporting portal (FCA Connect)
Portal access confirmation / test submission evidence
Assign named individuals with portal access and authority to submit incident reports
Portal user access records / RACI
Ensure SMF holder is identified as accountable for incident reporting obligations
SMF accountability statement / SoR update
A2 — Incident Definition & Thresholds Regime A
0 / 7 rated
A2.1 Operational incident definition
Adopt the FCA/PRA single definition of an operational incident (single or series of linked events disrupting service to an external end user or impacting data integrity/availability)
Incident policy with adopted definition
Distinguish operational incidents from planned/controlled outages (e.g. routine maintenance)
Policy with exclusion criteria / worked examples
Include data loss incidents as a reportable sub-type within the definition
Policy documentation
A2.2 Reporting thresholds
Implement threshold assessment process for consumer harm (intolerable harm from which consumers cannot easily recover)
Threshold assessment framework / decision tree
Implement threshold assessment process for safety and soundness (risk to the firm and/or other market participants)
Threshold assessment framework
Implement threshold assessment process for market stability (risk to market integrity or confidence in UK financial system)
Threshold assessment framework
Ensure internal severity thresholds do not prevent reporting of FCA-threshold-meeting incidents
Policy with explicit override clause
A3 — Reporting Process & Timelines Regime A
0 / 8 rated
A3.1 Standard reporting firms
Implement process to submit single short-form incident report (10 required questions) as soon as practicable within 24 hours of threshold determination
Incident response procedure / playbook
Establish process to contact supervisor or contact centre to withdraw a report if incident subsequently determined not to meet thresholds
Incident withdrawal procedure
A3.2 Enhanced reporting firms (additional requirements)
Implement three-phase reporting lifecycle: initial report (within 24 hours), intermediate updates, and final report
Enhanced incident reporting procedure
Ensure final report is submitted within 30 working days of incident resolution (unless exceptional circumstances apply)
Incident closure policy / tracking log
Maintain the single form to capture incident lifecycle — updating rather than creating new forms per phase
System / workflow configuration evidence
A3.3 PSP-specific requirements
PSPs: retain existing 4-hour initial reporting timeline (not the standard 24-hour window)
PSP incident procedure with 4-hour SLA
PSPs: migrate from existing PSR 2017 incident reporting regime to new unified PS26/2 regime
Migration plan / updated incident policy
Continue reporting lower-severity incidents via Principle 11 and normal supervisory channels where applicable
Escalation and reporting policy
A4 — Governance & Internal Controls Regime A
0 / 6 rated
A4.1 Policies and procedures
Maintain a firm-wide operational incident reporting policy aligned to PS26/2 and FG26/3
Approved incident reporting policy
Document clear roles and responsibilities for incident identification, escalation, and reporting
RACI / responsibility matrix
Train relevant staff on PS26/2 obligations, thresholds, and reporting timelines
Training completion records
A4.2 Testing and resilience
Test the incident reporting process end-to-end before go-live (March 2027), including portal submissions
Test exercise records
Maintain an internal incident log to capture all incidents assessed against thresholds (including those below the reporting bar)
Internal incident register
Review and align existing operational resilience framework (PS21/3) with PS26/2 reporting obligations
Gap analysis / mapping document
B1 — MTP Scope & Definition Regime B
0 / 6 rated
B1.1 Scope and applicability
Confirm firm is in scope for Regime B (enhanced SMCR, bank, designated investment firm, building society, Solvency II, CASS large, UK RIE, EMI/API, consolidated tape provider)
Scope confirmation document
Adopt the single FCA/PRA/BoE definition of a third-party arrangement
Policy with adopted definition
Define and document materiality criteria for third-party arrangements aligned to FCA statutory objectives
Materiality assessment framework
B1.2 Scoping boundaries
Apply third-country branch exclusion from notification obligations correctly (branches excluded from notifications but not from annual register)
Scoping note
Determine whether intra-group arrangements require reporting (only where there is an external third-party dependency, except UK RIEs)
Intra-group assessment
Identify all existing material third-party arrangements across the firm to establish the initial register population
Third-party inventory / initial register draft
B2 — Material Third Party Register Regime B
0 / 5 rated
B2.1 Register content and maintenance
Establish and maintain a material third-party register using the single FCA/PRA/BoE register template
Completed MTP register
Keep the register accurate and up-to-date, reflecting new, changed, and exited material arrangements
Register version history / update log
Submit the MTP register annually via the single regulatory portal
Annual submission confirmation
B2.2 Register governance
Assign clear ownership for MTP register maintenance and annual submission
RACI / owner assignment
Ensure register data is available to provide to regulators on request
Data governance policy / retrieval process
B3 — MTP Notifications Regime B
0 / 5 rated
B3.1 Notification triggers
Establish a process to identify and notify the regulator when a new material third-party arrangement is entered into
New MTP notification procedure
Establish a process to notify regulators of significant changes to existing material third-party arrangements
Change notification procedure
Establish a process to notify regulators when a material third-party arrangement is exited or terminated
Exit notification procedure
B3.2 Notification process
Use the single FCA/PRA/BoE notification template for all MTP notifications
Template in use / procedure documentation
Submit all MTP notifications via the single regulatory portal (one submission covers all relevant regulators)
Portal access / submission records
B4 — MTP Oversight & Governance Regime B
0 / 5 rated
B4.1 Third-party governance framework
Maintain a firm-wide third-party risk management policy covering materiality assessment, oversight, and PS26/2 obligations
Approved third-party risk policy
Assess concentration risk arising from material third-party dependencies (including critical third parties)
Concentration risk assessment
Ensure Board or senior management oversight of material third-party arrangements and associated risks
Board/ExCo reporting evidence
B4.2 Alignment with wider frameworks
Align MTP regime with existing outsourcing and third-party arrangements under PRA SS2/21 or FCA SYSC outsourcing rules where applicable
Cross-framework mapping document
Consider alignment with DORA obligations where firm is also subject to EU Digital Operational Resilience Act
DORA/PS26/2 alignment note