CBI 2026 Regulatory and Supervisory Outlook: What Investment Firms Need to Know
Introduction
The Central Bank of Ireland (“CBI”) has published its Regulatory & Supervisory Outlook Report 2026 (the “Report”), setting out its strategic priorities and planned supervisory activities for the year ahead.
This note summarises the key issues arising from the Report that are of particular relevance to MiFID investment firms operating in Ireland.
Overarching Supervisory Priorities for 2026
The CBI has identified five overarching priorities for 2026 that will shape its supervisory engagement with regulated firms, including those in the funds sector:
- Maintaining and building resilience to geopolitical risks and macro-financial uncertainties, including work on operational resilience, cyber security and financial resilience in the face of a volatile macro-environment.
- Securing consumer and investor interests, with a particular focus on how firms operate, digitalisation and financial crime.
- Responding to technology-driven transformations, including the expanding use of artificial intelligence (“AI”), digital money and tokenisation and the implications of these changes for firms and the financial system.
- Helping to address environmental and societal transitions underway, including sustainable finance and protection gaps.
- Enhancing how the CBI regulates and supervises, including evolving supervisory approaches, improvements to gatekeeping and delivering on simplification.
Key Supervisory Focus Areas for the Investment Firms Sector
The CBI’s supervisory focus for the investment firms sector in 2026 is organised around five key areas:
- Operational and Cyber Resilience – Operational resilience and cyber risk management remain areas of heightened supervisory focus. A recent CBI thematic assessment found varying degrees of maturity of operational resilience frameworks across the sector.
The CBI expects all firms to act on its assessment findings and to build on their existing operational resilience foundations to ensure they are sufficiently resilient to withstand future disruptions or incidents. For more details on the thematic assessment findings, see our previous update.
Planned supervisory activities include:
- Ongoing focus on the outcomes of the thematic assessment of operational resilience, including follow-up engagement with firms across the sector.
- Ongoing engagement with firms on IT risk management frameworks, Digital Operational Resilience Act implementation and cyber resilience.
- Conflicts of Interest – The identification and management of conflicts of interest remains a key focus area for the CBI. This is also a key focus area for ESMA, which has announced a Common Supervisory Action (“CSA”) on conflicts of interest in the distribution of financial instruments.
Planned supervisory activities include:
- Participation in the CSA on conflicts of interest in the distribution of financial instruments.
- Firm-specific feedback and an industry communication on the findings of the CSA work and the CBI’s supervisory expectations.
- Treatment of Investors – The CBI notes that the implementation of the revised Consumer Protection Code (“Code”) should be a priority item for all firms. While it is noted that the Code does not apply in its entirety to this sector, firms will need to embed the guidance on securing customer interests and the protection of consumers in vulnerable circumstances into their operations.
Planned supervisory activities include:
- A cross-sectoral thematic review on the identification and treatment of customers in vulnerable circumstances.
- A thematic review of complaints handling.
- Embedding the Code and related guidance into supervisory practices and firm engagements.
- Deployment of an enhanced Conduct of Business return.
- Artificial Intelligence – The CBI observes that the use of AI in investment services can bring efficiencies and new capabilities, but it also raises material risks to investors and to market integrity if not deployed in a manner that has due regard to investors’ interests. Firms are expected to treat AI like any other material technology risk by adopting robust governance, risk management and compliance frameworks.
This includes ensuring model validation, ongoing monitoring, testing and incident readiness. Where firms are utilising third-party AI service providers, they must have appropriate governance and controls frameworks in place to mitigate against the relevant risks.
Planned supervisory activities include:
- Industry engagement to continue to develop an understanding and assessment of AI use cases in the sector to inform supervisory approach and expectations, with an AI focus also being brought to all thematic reviews.
- Financial Crime – The CBI has noted Anti-Money Laundering/Countering the Financing of Terrorism (“AML/CFT”) control weaknesses across the sector. Inadequate controls create an increased risk that the financial system will be misused for money laundering and terrorist financing, weakening the integrity of the Irish financial system.
Firms are expected to have robust controls in place to reduce the likelihood of frauds and scams occurring and to demonstrate fair outcomes for investors who fall victim.
The CBI also notes that Suspicious Transaction Order Report (“STOR”) submissions from the sector have increased in volume, with some improvement in quality. However, concerns remain about the effectiveness of market surveillance systems and procedures to detect and assess possible market manipulation or insider trading.
Planned supervisory activities include:
- Firms with higher impact ML/TF ratings may be subject to inspections and/or review meetings during 2026.
- Firms will be required to complete an enhanced Risk Evaluation Questionnaire (“REQ”), which will capture detailed quantitative and qualitative risk information on ML/TF risk and the quality of AML/CFT controls.
- Reviews of venue and firm trade surveillance implementations and frameworks, working with industry to improve STOR submission and quality.
- Inclusion of a sample of investment firms in a thematic review of market abuse frameworks and surveillance (alongside other sectors).
Conclusion
The Report signals a continued regulatory and supervisory focus on the fundamentals of sound governance, effective risk management and operational resilience.
For investment firms, the key areas of focus remain operational and cyber resilience, conflicts of interest and the treatment of investors, AI governance and financial crime prevention.
The CBI will continue to focus on SREP assessments, with a targeted review of the business models of a cohort of SREP category 2 firms commencing in Q2 2026.
There will be a continuing focus on assessing the effectiveness of governance and risk management arrangements and culture and “tone from the top” in firms. A particular focus will be placed on board accountability and how firms have embedded their responsibilities under the IAF/SEAR and how they are putting investors’ interests at the heart of their business.
Firms should proactively review their frameworks in these areas in anticipation of the CBI’s planned thematic reviews, the ESMA CSA on conflicts of interest and ongoing supervisory engagements throughout 2026.
Further Information
For further information, please liaise with your usual Maples Group contact or the persons listed on this page.