The Central Bank of Ireland (CBI) has set the stage for a transformative journey towards operational resilience in the financial sector, with a recent assessment revealing both progress and areas for improvement. The focus? MiFID investment firms and their ability to withstand operational disruptions.
The Big Picture: Ensuring Operational Resilience
On January 12, 2026, the CBI unveiled the results of its Thematic Assessment, examining how MiFID firms have implemented operational resilience guidelines for financial service providers. This assessment, a crucial part of the CBI's supervisory work, aligns with its 2025 Regulatory and Supervisory Outlook (https://www.arthurcox.com/insights/central-bank-regulatory-supervisory-outlook-2025-banks-payment-and-e-money-firms-retail-credit-firms-investment-firms-and-securities-markets/).
Operational resilience, as defined by the CBI, is the capacity of a firm and the financial sector to anticipate, respond to, and recover from operational disruptions while learning from them. The Guidance, initially published in December 2021 and updated in July 2025 to align with the Digital Operational Resilience Act (DORA) (https://www.arthurcox.com/insights/operational-resilience-2-0-how-dora-is-reshaping-operational-resilience-in-ireland/), aims to fortify the resilience of firms and the financial sector as a whole.
Assessment Findings: A Mixed Bag
The CBI's assessment revealed that many MiFID firms had operational resilience frameworks aligned with the Guidance and supervisory expectations. These firms demonstrated board-level responsibility for operational resilience, with appropriate delegation and senior management oversight. Regular management reporting and board-level challenges were also observed as good practices.
But here's where it gets controversial—the CBI also identified areas for improvement. These included:
- Identifying Critical Services: Ensuring firms accurately identify their critical or important business services.
- Mapping Service Delivery: Mapping the delivery process of critical services with sufficient detail.
- Scenario Testing: Enhancing the level of detail and range of scenarios considered in testing.
- Risk Management Alignment: Aligning operational resilience with existing risk management frameworks.
The CBI emphasized that operational resilience is an evolution of operational risk management and business continuity, requiring alignment with existing frameworks.
What's Next? CBI's Expectations
The CBI expects all MiFID firms and their leadership to re-evaluate their compliance with the Guidance, including the DORA updates from July 2025. Specifically, they should focus on:
- Guideline 4: Identifying critical or important business services.
- Guideline 7: Understanding and mapping the delivery of these services.
- Guideline 8: Incorporating third-party dependencies in the mapping process.
While the assessment didn't directly address DORA or cyber/digital resilience, the CBI underscored their ongoing importance. They plan to intensify supervisory efforts in these areas in 2026-2027, recognizing the evolving technological landscape and increasing sophistication of threats. The CBI expects firms to bolster their cyber and digital operational resilience frameworks to effectively recover from disruptions, minimize impacts, and protect customers.
Action Required: Strengthening Resilience
Firms are encouraged to review and enhance their operational resilience frameworks, especially in the cyber and digital domains. With the CBI's heightened focus on these areas, firms should proactively prepare for upcoming supervisory engagements. Arthur Cox's team stands ready to assist regulated firms in navigating these complexities, ensuring compliance, and building robust operational resilience strategies.
