Operational resilience to remain a key focus of the CBI following thematic assessment of MiFID firms

On 12 January 2026, the Central Bank of Ireland (Central Bank) published the findings of a thematic assessment of operational resilience in the MiFID investment firm sector, focusing in particular on firms’ implementation of the Central Bank’s Cross Industry Guidance on Operational Resilience (Guidance).

The findings note that, although operational resilience frameworks are continuing to mature across the sector, they are at differing stages of development. While the Central Bank sets out the positive actions firms have taken in this context, along with areas requiring improvement, its observations and recommendations are not as granular as we have seen in previous publications.

The implementation of these findings is particularly important as the Central Bank made clear in its Regulatory and Supervisory Outlook Report 2025 that enhancing operational resilience across the financial sector was a key priority for 2025 and 2026. Significantly, the Central Bank has now indicated, following the thematic assessment, that it intends to conduct further supervisory work in 2026 and 2027 to assess firms’ cyber resilience and digital operational resilience.

We understand that the Central Bank carried out several ICT assessments of less significant credit institutions and investment firms during 2025, in addition to ICT reviews of significant credit institutions as part of the supervisory review and evaluation process. We anticipate that ICT risk assessments and inspections will continue into 2026 as the Central Bank remains focused on compliance with the Digital Operational Resilience Regulation (DORA) in its post-implementation phase. Particular care should be taken when carrying out and documenting the annual review of the ICT risk management framework (in accordance with Article 6(5) of DORA), as we understand that the Central Bank is considering how this report can be utilised in its supervisory work.

Background

The Central Bank published the Guidance on 1 December 2021, and firms were expected to be able to evidence adherence within two years of its publication. The Guidance was subsequently updated and republished in July 2025 to include updates primarily to align with DORA.

In 2022, the Central Bank carried out an operational resilience maturity assessment to gain an understanding of the level of preparedness across the financial services sector in advance of the Guidance coming into effect. The 2022 assessment included several MiFID investment firms and determined that those firms were in the early stages of developing operational resilience frameworks.

In 2025, the Central Bank conducted a thematic assessment of operational resilience frameworks across a sample of MiFID investment firms.

Objectives and format of the 2025 thematic assessment

The key objectives of the thematic assessment were to ascertain whether the sample of firms assessed have:

• operational resilience frameworks that meet the supervisory expectations set out in the Guidance
• boards and senior management that are accountable for the design and effectiveness of operational resilience frameworks and strategy

There were two phases to the thematic assessment. The first phase comprised of a desk-based review of firms’ operational resilience framework documentation and completed operational resilience maturity assessment surveys, including a comparison with firms’ responses during the 2022 assessment, where applicable. Following completion of the first phase review, some firms were brought forward to the second phase. Those firms were subject to in-person inspection meetings to gain a deeper understanding of the firms’ operational resilience frameworks.

Thematic assessment findings

The Central Bank identified the following positive findings during the assessment:

• A maturing of operational resilience frameworks across firms, with many firms’ operational resilience frameworks documented largely in line with the Guidance.
• In most instances, firms’ boards are ultimately responsible for operational resilience, with delegation to appropriate committees of the board. In addition, functional responsibility for operational resilience is at senior management level within firms.
• Good practices of regular management information reporting and challenge at board and senior management levels were observed in a number of firms.

However, the following deficiencies and areas for improvement were also identified:

• Deficiencies were observed in relation to the robustness of certain firms’ consideration of scenario testing, including the level of detail and range of scenarios considered.
• Some firms’ operational resilience frameworks are not aligned with their existing risk management frameworks. The Central Bank expects the management of operational risk and the management of operational resilience to be aligned and integrated into a firm’s governance structures.
• Enhancements are required to some firms’ approaches to identifying critical or important business services and mapping how these services are delivered. Instances arose where critical or important business services were identified, but the documentation and mapping of the necessary people, processes, information, technology, facilities and third-party service providers required to deliver each business service lacked the necessary level of granularity. The Central Bank expects comprehensive mapping to enable a firm to identify vulnerabilities in the chain of delivery of a business service and allow for remediation plans to be designed.
• While the thematic assessment did not specifically focus on DORA, cyber resilience or digital operational resilience, the Central Bank expects all firms to further build up their operational resilience to ensure they are sufficiently resilient from a cyber and digital perspective to withstand disruptions or incidents in the future.

Next steps

The Central Bank expects all MiFID investment firms, with board and senior management oversight, to review their operational resilience frameworks against the Guidance, considering the updates made in July 2025 to align with DORA.

When firms are reviewing their operational resilience frameworks against the Guidance, the Central Bank emphasised that particular attention should be given to guidelines relating specifically to identifying and mapping critical or important business services (guidelines 4, 7 and 8).  

Conclusion

The Central Bank’s thematic assessment underscores that, while many MiFID investment firms have made tangible progress, all firms should undertake a gap analysis that prioritises effective scenario testing, comprehensive identification and mapping of critical or important business services and close alignment of relevant risk management frameworks. With further supervisory engagement signalled for 2026 and 2027, taking proactive steps now will better position firms to demonstrate a mature, embedded approach to operational resilience in the years ahead.

For further information on how to enhance your firm’s operational resilience framework, please contact Eoin O’Connor, Partner, Patrick Brandt, Partner, Eimear O’Brien, Partner, Louise Hogan, Partner, Ciara Brady, Senior Associate, Sarah Lee, Senior Practice Development Lawyer, or your usual ALG contact.

Date published: 22 January 2026