14/01/2026

On 12 January 2026 the Central Bank of Ireland (the CBI) published the outcome of its Thematic Assessment of Operational Resilience in the MiFID Investment Firm Sector. The thematic assessment focused on how MiFID firms have implemented the CBI’s cross industry guidance on operational resilience for regulated financial service providers (the Guidance) and was carried out as part of the CBI’s supervisory work and in line with the CBI’s priorities as set out in its Regulatory and Supervisory Outlook 2025 (as to which see our separate briefing here).

The Central Bank considers operational resilience to be “the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption that affects the delivery of critical or important business services”. The Guidance aims to enhance the operational resilience of firms and of the financial services sector as a whole. It was originally published in December 2021, came into effect on 1 January 2024 and was recently updated in July 2025 to ensure alignment with the Digital Operational Resilience Act (DORA) (see our separate briefing here). The key objectives of the CBI’s thematic assessment were to ascertain whether: (i) operational resilience frameworks are in place which meet the CBI’s expectations as set out in the Guidance; and (ii) firms’ boards and senior management are accountable for the design and operating effectiveness of operational resilience frameworks and strategy.

CBI Findings

In terms of positives, the CBI found that many of the MiFID firms that were included in the assessment had operational resilience frameworks that were aligned with the Guidance and with the CBI’s supervisory expectations. In most instances, the boards of the firms had ultimate responsibility for operational resilience, with delegation to appropriate committees and functional responsibility at senior management level. The CBI also noted good practices in terms of regular management information reporting and challenge at board and senior management level. However, the CBI also found some deficiencies, and recommended enhancements in the following areas:

  • the identification of critical or important business services;
  • mapping of how critical or important business services are delivered;
  • scenario testing (level of detail and range of scenarios considered); and
  • alignment with existing risk management frameworks.

In terms of mapping, the CBI noted that certain mapping exercises that it reviewed lacked the necessary level of granularity, which impeded the ability of firms to identify vulnerabilities in the chain of delivery of a business service and to prepare appropriate remediation plans. On risk management, the CBI highlighted that “operational resilience is an evolution of operational risk and business continuity management and, as such, should be aligned with existing or developing frameworks in these areas.”

Next Steps / CBI Expectations

In terms of next steps, the CBI expects all MiFID firms and their boards and senior management to revisit and consider their compliance with the Guidance, including the DORA related updates made in July 2025. In particular, the CBI has highlighted that attention should be given to the below Guidelines following the outcome of the thematic assessment:

  • Guideline 4 – A firm should identify its critical or important business services.
  • Guideline 7 – A firm should understand and map out how its critical or important business services are delivered.
  • Guideline 8 – A firm should capture third party dependencies in the mapping of critical or important business services.

While the thematic assessment did not specifically focus on DORA, or on firms’ cyber resilience or digital operational resilience, the CBI has also highlighted that cyber and digital operational resilience remain key areas of focus for the CBI, and it intends to conduct further supervisory work in this area in 2026 – 2027. The CBI is conscious that firms are operating in an increasingly complex and dynamic environment. Technology is evolving rapidly, threats are becoming increasingly sophisticated, and there is concentration risk with ICT services being centralised in a relatively small number of third-party providers. In light of this, the CBI expects that firms will continue to strengthen their operational resilience frameworks, in particular in the areas of cyber and digital operational resilience, to ensure that they have the necessary tools to enable them to recover their critical or important business services from operational disruptions, while minimising negative impacts and protecting customers. Firms should take note of the above and review their operational resilience frameworks now, in preparation for further supervisory engagement in the coming year.

Our team at Arthur Cox has extensive experience and expertise in advising regulated firms on operational resilience, cyber security and associated regulatory requirements. For firms that are re-assessing and updating their operational resilience frameworks in light of the CBI’s expectations, please feel free to get in touch as we would be delighted to help.