Are Your Investment Firm’s Operations Ready for the Future? The Central Bank of Ireland Says It’s Time to Act.
The financial landscape is evolving at breakneck speed, and the Central Bank of Ireland (CBI) is urging MiFID investment firms to keep pace. On January 12, 2026, the CBI released its Thematic Assessment of Operational Resilience in the MiFID Investment Firm Sector, a comprehensive review of how firms are preparing for the unexpected. This assessment, part of the CBI’s ongoing supervisory efforts and aligned with its 2025 Regulatory and Supervisory Outlook, dives deep into the operational resilience frameworks of these firms. But here’s where it gets controversial: while many firms are on the right track, the CBI has identified critical gaps that could leave some vulnerable to disruptions. And this is the part most people miss: operational resilience isn’t just about surviving a crisis—it’s about thriving afterward, learning from it, and emerging stronger.
The CBI defines operational resilience as the ability of a firm—and the financial sector as a whole—to identify, prepare for, respond to, adapt to, recover from, and learn from operational disruptions that threaten critical business services. The CBI’s cross-industry guidance, first published in December 2021 and updated in July 2025 to align with the Digital Operational Resilience Act (DORA), sets the bar for these standards. But why does this matter? Because in an era of rapid technological advancement and increasingly sophisticated threats, firms that fail to adapt risk not only their own stability but also the trust of their customers.
What Did the CBI Find?
On the positive side, many MiFID firms have implemented operational resilience frameworks that align with the CBI’s expectations. Boards are taking ultimate responsibility, delegating tasks to committees, and ensuring senior management is accountable. Regular reporting and robust challenges at the board level are also commendable practices. However, the CBI identified areas needing improvement, including:
- Identifying Critical Business Services: Firms must clearly define which services are essential to their operations and customer commitments.
- Mapping Service Delivery: Understanding how these critical services are delivered is crucial, but some firms’ mapping exercises lacked the detail needed to identify vulnerabilities.
- Scenario Testing: The range and depth of scenarios tested were often insufficient to prepare for real-world disruptions.
- Alignment with Risk Management: Operational resilience should build on existing risk management and business continuity frameworks, not operate in isolation.
What’s Next for MiFID Firms?
The CBI is clear: firms must revisit their compliance with the updated guidance, particularly the DORA-related changes from July 2025. Key guidelines to focus on include:
- Guideline 4: Identify critical or important business services.
- Guideline 7: Map out how these services are delivered.
- Guideline 8: Capture third-party dependencies in the mapping process.
While the assessment didn’t specifically address cyber resilience or DORA, the CBI emphasizes that these areas remain a priority. With technology evolving rapidly and ICT services increasingly centralized among a few providers, firms must strengthen their cyber and digital operational resilience. The CBI plans further supervisory actions in 2026–2027, so now is the time for firms to act.
A Thought-Provoking Question for You:
As firms navigate this complex environment, how can they balance innovation with resilience? Is it possible to stay ahead of threats without stifling growth? We’d love to hear your thoughts in the comments.
At Arthur Cox, our team specializes in guiding regulated firms through the complexities of operational resilience, cybersecurity, and regulatory compliance. If you’re reassessing your frameworks in light of the CBI’s expectations, we’re here to help. Let’s ensure your firm not only meets the standards but sets the benchmark for the industry.