The CBI's Operational Resilience Thematic Assessment

In January 2026, the Central Bank of Ireland (CBI) published its findings of its thematic assessment on Operational Resilience in the MiFID firms sector in a report, dated December 2025 (the Report). The key objectives of this thematic assessment carried out on a sample of MiFID firms was to ascertain whether:

• Operational resilience frameworks meet the CBI’s expectations set out in Cross Industry Guidance on Operational Resilience (now aligned with the Digital Operational Resilience Regulation and Directive, or DORA) (the Guidance); and
• Firms’ boards and senior management are accountable for the design and operating effectiveness of operational resilience frameworks and strategy.

The Report is a welcome industry communication and reflects the CBI’s commitment to transparency and clearly communicating its regulatory expectations. Whilst the Report relates to MiFID firms, Operational Resilience continues to be a cross-sectoral strategy priority for the CBI for 2026.

Key Findings and Regulatory Expectations

The Report identify good and bad practices of inspected firms:

Good Practices

• Operational resilience frameworks documented largely in line with the Guidance and CBI’s expectations;
• The Board is responsible for operational resilience with delegation to appropriate committees of the board;
• Functional responsibility for operational resilience is at senior management level;
• Regular management information reporting and challenge at board and senior management level.

Bad Practices

The inspections identified varying levels of maturity across frameworks in the sample selected:

• Insufficient documentation and mapping of how critical or important business services are delivered;
• Insufficient scenario stress testing;
• Operational resilience framework not aligned with existing risk management frameworks.

CBI Call for Action

The CBI expects firms and their boards and senior management to revisit their compliance with the Guidance. Firms must ensure that operational resilience is embedded in strategic decision-making, with robust frameworks that are regularly tested and aligned with both risk management and business continuity planning. Particular attention is required in mapping third-party dependencies and ensuring comprehensive oversight of outsourced service providers—an area of acute relevance under DORA’s requirements.

The CBI makes it clear that the purpose of the Guidance is to communicate to the boards and senior management teams their responsibilities when designing and managing operational resilience, and when considering operational resilience as part of their risk management and investment decisions to ensure these frameworks are well designed, operate effectively and are sufficiently robust.

Cyber Security, DORA, Digitalisation and Accountability: The Interconnected Regulatory Landscape

Whilst the Report focuses on operational resilience, in the Report, the CBI states that it will carry out further supervisory work on DORA, cyber resilience and digital operational resilience in 2026 and 2027.

This regulatory priority is reflective of the increasing digitalisation of financial services, the growing reliance on third-party ICT providers and the growth of innovative traditional financial services, fintechs, and crypto-asset service providers (CASPs) operating in Ireland and Europe.

The influence of the individual accountability framework (IAF) permeates throughout the Report. The CBI’s expectations place explicit responsibility for operational resilience at the board and senior management level, reinforcing the need for clear accountability and demonstrable leadership from the top. This aligns with broader European trends towards enhanced individual accountability and governance standards.

The Report provides a helpful action list of regulatory priorities for the future of financial services operational resilience supervision in Ireland and Europe. Firms that act now to strengthen their operational resilience, align with DORA, and embed accountability at the highest levels will not only meet regulatory expectations but also enhance their competitive advantage in a rapidly changing market.

Simmons & Simmons: Supporting Clients Across Ireland and Europe

At Simmons & Simmons, our Irish and pan-European teams are at the forefront of advising clients on the practical implementation of operational resilience frameworks that meet both CBI and EU regulatory expectations. Our Financial Services Regulatory practice, and Digital Business Practice spans the full spectrum of operational resilience, DORA compliance, cyber resilience and digital operational resilience, enabling us to support our international clients in navigating the complex and interconnected regulatory landscape.

Our multidisciplinary approach brings together regulatory, technology, and risk management expertise, ensuring that our clients are well-positioned to respond to the European supervisory agenda and to thrive in an increasingly dynamic and digital financial ecosystem.

For further insights or to discuss how Simmons & Simmons can support your firm’s operational resilience journey, please contact our Dublin or European Financial Service Regulatory teams.