16/07/2025

As laid out in their Regulatory & Supervisory Outlook (February 2025), ensuring that ‘Firms are resilient to the challenging macro environment’ remains high on the agenda for the Central Bank of Ireland (“Central Bank”) and is recognised as a key supervisory priority area for 2025/26. Of particular focus to the Central Bank is a review of how regulated firms have uplifted and enhanced their Operational Resilience Frameworks through the effective implementation of the Digital Operational Resilience Act (“DORA”), which took effect in January of this year.

While a revision of the Cross Industry Guidance on Operational Resilience (December 2012) was not expected so soon, the Central Bank have this month published an updated version of their guidance (the “Revised Guidance”) to incorporate changes which have “been informed by recent developments and valuable ongoing industry engagement”, including DORA.

For the avoidance of doubt, the Revised Guidance applies to all firms regulated by the Central Bank (herein referred to as “Firms”) in a manner which is proportionate to the nature, scale and complexity of their business.

Key Changes Introduced

For those Firms who have already established a robust Operational Resilience Framework in line with both the prior Central Bank guidance and DORA, the Revised Guidelines should not require a material uplift of existing processes and documents. However, for those Firms who are not currently subject to DORA, such as fund administrators, certain payment and e-money institutions, and sub-threshold AIFMs, the Revised Guidance may be more impactful.

Some of the most significant changes and amendments introduced under the Revised Guidance are as follows:

Guideline 2: The Operational Resilience Framework should be embedded within a firm’s overall Governance and Risk Management Frameworks.

Under the revised text of Guideline 2, the Central Bank appears to suggest that Firms who currently document their approach to i) operational resilience and ii) operational risk and business continuity ‘in one holistic framework’ may now need to separate these into two ‘distinct yet aligned frameworks.’

While further clarity may become available in due course on whether the Central Bank expects firms to maintain two separate frameworks, we would encourage Firms to start reflecting on how they currently document their i) operational resilience and ii) operational risk and business continuity frameworks. That is, whether the Firm has established a standalone framework document covering both areas or, instead, has explicitly recognised that their frameworks are made up of a collection of policy and procedure documents which collectively form each respective framework.

In either case, we would expect that a concise overarching document which highlights the specific policy and procedure documents which underpin the Firm’s approach to i) operational resilience and ii) operational risk and business continuity, as well as the roles and responsibilities of the internal and external stakeholders involved in the governance and implementation of the relevant framework, should generally align with the revised text of Guideline 2.

Guideline 4: A firm should identify its critical or important business services.

While not a change per se, the Central Bank has re-emphasised the lens to be applied by Firms when identifying critical or important business services under Guideline 4 of the Revised Guidance, noting that:

“Critical or important business services are external facing and should have an identifiable external end user. Whereas, processes, functions and business lines are internal facing and may form part of the chain of activities that support the delivery of a service.”

This lens differs significantly from that applied under DORA where the focus is on both internal and external facing processes, functions and business lines which underpin the Firm’s financial performance, the soundness or continuity of its services and activities, or which contribute to the continued compliance of the Firm with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

Firms should therefore be cognisant of this difference when identifying their critical or important business services under the revised Guidelines and their critical or important business functions under DORA, and mapping the dependencies of the same.

Guideline 9: A firm should have ICT Resilience strategies that are aligned to the operational resilience of its critical or important business services. 

Under Guideline 9, the Central Bank makes clear their expectation that:

“firms that are not directly subject to DORA should nevertheless consider introducing equivalent measures as part of their operational resilience in line with the nature, scale and complexity of their operations, and, in respect of their ICT risk management framework, consider at least DORA’s Simplified Risk Management Framework.”

By encouraging all regulated firms to introduce measures equivalent to those prescribed by DORA, the Revised Guidance could have a significant impact on those entities, including fund administrators, payment and e-money institutions, and sub-threshold AIFMs, who were previously excluded from the direct application of DORA but who may now reasonably conclude that certain steps should be taken by them to proportionately apply prescriptive requirements of DORA so as to meet local regulatory expectations.

Next Steps

Unlike the original guidance which allowed for a two-year transition period, the Central Bank has not provided any indication of the deadline for compliance with the Revised Guidance. Instead, management bodies are expected to “review the Revised Guidance and adopt appropriate measures to strengthen and improve their Operational Resilience Frameworks and their effective management of operational resilience in line with [the Revised Guidance]. Regulated firms should be able to demonstrate that they have applied [the Revised Guidance].”

In the absence of any specified deadline, we recommend that Firms implement any required changes as part of the annual review of their Operational Resilience Framework. For those Firms who may now need to consider how to proportionately apply the requirements of DORA for the first time, both the Arthur Cox Governance and Consulting and Technology and Innovation teams remain on hand to support you on your compliance journey.