Are Your Investment Firm’s Operations Ready for the Future? The Central Bank of Ireland Says It’s Time to Act.
The financial landscape is evolving at breakneck speed, and the Central Bank of Ireland (CBI) is urging MiFID investment firms to keep pace. On January 12, 2026, the CBI released its Thematic Assessment of Operational Resilience in the MiFID Investment Firm Sector, a comprehensive review of how firms are preparing for the inevitable disruptions that come with a digital-first world. But here's where it gets controversial: while many firms have made strides, the CBI identified critical gaps that could leave them vulnerable.
This assessment, part of the CBI’s ongoing supervisory efforts outlined in its Regulatory and Supervisory Outlook 2025, dives deep into how firms are implementing the CBI’s cross-industry guidance on operational resilience. This guidance, first introduced in December 2021 and updated in July 2025 to align with the Digital Operational Resilience Act (DORA), defines operational resilience as a firm’s ability to not just withstand, but also adapt, recover, and learn from operational disruptions that threaten critical business services. Think of it as building a financial fortress that can weather any storm, from cyberattacks to system failures.
And this is the part most people miss: The CBI’s assessment wasn’t just about ticking boxes. It aimed to answer two crucial questions: Do firms have robust operational resilience frameworks in place, and are their boards and senior management truly accountable for their effectiveness?
The good news? Many firms are on the right track. The CBI commended those with frameworks aligned with the guidance and supervisory expectations. Boards are taking ultimate responsibility, delegating tasks to committees, and ensuring senior management is actively involved. Regular reporting and board-level challenges are also becoming the norm.
However, the CBI didn’t pull punches when it came to areas needing improvement. They highlighted deficiencies in:
Identifying Critical Services: Firms need a clearer understanding of which services are truly mission-critical and require the highest level of protection.
Mapping Service Delivery: The CBI found that some mapping exercises lacked the detail needed to pinpoint vulnerabilities in the service delivery chain, making it harder to develop effective remediation plans.
Scenario Testing: While firms are conducting scenario tests, the CBI wants to see a broader range of scenarios considered and a deeper level of analysis.
Risk Management Integration: Operational resilience shouldn’t exist in a silo. The CBI emphasizes its connection to existing risk management and business continuity frameworks.
The CBI’s message is clear: Firms need to go beyond compliance and embrace a culture of continuous improvement. This means revisiting their operational resilience frameworks, particularly in light of the DORA updates, and paying close attention to specific guidelines:
- Guideline 4: Clearly identify your critical and important business services.
- Guideline 7: Map out the intricate web of how these services are delivered, including dependencies on third-party providers.
- Guideline 8: Don’t forget the role of third parties – their vulnerabilities are your vulnerabilities.
While the assessment didn’t specifically focus on DORA or cyber resilience, the CBI made it clear that these areas remain top priorities. With technology advancing rapidly and cyber threats becoming increasingly sophisticated, firms must strengthen their cyber and digital operational resilience. The CBI plans to conduct further supervisory work in this area in 2026-2027, so firms need to be prepared.
At Arthur Cox, we understand the challenges firms face in navigating this complex regulatory landscape. Our team has extensive experience advising regulated firms on operational resilience, cybersecurity, and related regulatory requirements. If you’re re-evaluating your operational resilience framework in response to the CBI’s expectations, we’re here to help.
But what do you think? Is the CBI’s approach too stringent, or is it a necessary push for a more resilient financial system? Let us know in the comments below. The future of financial stability depends on this conversation.
