Are Your Investment Firm’s Operations Ready for the Future? The Central Bank of Ireland Says It’s Time to Act.
The financial landscape is evolving at breakneck speed, and the Central Bank of Ireland (CBI) is ensuring investment firms are keeping pace. On January 12, 2026, the CBI released its Thematic Assessment of Operational Resilience in the MiFID Investment Firm Sector, shedding light on how well firms are prepared for the challenges of a rapidly changing environment. But here’s where it gets controversial: while many firms are on the right track, the CBI identified critical gaps that could leave some vulnerable to operational disruptions.
This assessment, part of the CBI’s broader supervisory strategy outlined in its Regulatory and Supervisory Outlook 2025, dives deep into how MiFID firms have implemented the CBI’s cross-industry guidance on operational resilience. This guidance, first published in December 2021 and updated in July 2025 to align with the Digital Operational Resilience Act (DORA), defines operational resilience as the ability of a firm—and the financial sector as a whole—to identify, prepare for, respond to, adapt to, recover from, and learn from operational disruptions that threaten critical business services. Think of it as a financial firm’s immune system, constantly adapting to new threats.
And this is the part most people miss: the CBI’s assessment wasn’t just about ticking boxes. It aimed to answer two crucial questions: Are firms’ operational resilience frameworks meeting the CBI’s expectations? And are boards and senior management truly accountable for their design and effectiveness? The findings were a mixed bag.
On the positive side, many firms had frameworks aligned with the CBI’s guidance, with boards taking ultimate responsibility and senior management playing a key role. Regular reporting and board-level challenges were also commendable practices. However, the CBI flagged several areas needing improvement, including:
- Identifying critical business services: Firms need a clearer understanding of which services are truly essential.
- Mapping service delivery: The CBI found that some mapping exercises lacked detail, making it harder to identify vulnerabilities and plan for disruptions.
- Scenario testing: The range and depth of scenarios tested were often insufficient to prepare for real-world challenges.
- Alignment with risk management: Operational resilience should build on existing risk management and business continuity frameworks, not operate in isolation.
Here’s the kicker: While the assessment didn’t focus specifically on DORA or cyber resilience, the CBI made it clear that these areas remain top priorities. With technology advancing rapidly and threats becoming more sophisticated, firms must strengthen their cyber and digital operational resilience. The CBI plans to ramp up supervisory efforts in 2026–2027, so firms need to act now.
What does this mean for your firm? The CBI expects all MiFID firms to revisit their compliance with the guidance, particularly the DORA-related updates from July 2025. Key guidelines to focus on include:
- Guideline 4: Identify your critical or important business services.
- Guideline 7: Map out how these services are delivered.
- Guideline 8: Capture third-party dependencies in your mapping.
But here’s a thought-provoking question: As firms increasingly rely on a small number of third-party ICT providers, are we creating new vulnerabilities? The CBI’s emphasis on concentration risk suggests this is a growing concern. How prepared is your firm to handle a disruption in these critical services?
At Arthur Cox, we understand the complexities of operational resilience, cyber security, and regulatory compliance. If your firm is re-evaluating its frameworks in light of the CBI’s expectations, we’re here to help. Let’s ensure your operations are not just resilient, but future-proof. Reach out today—your firm’s readiness starts now.