Operational Resilience in MiFID Investment Firms – CBI Thematic Review
What You Need to Know
The Central Bank of Ireland (the “CBI”) has published the results of its thematic assessment of operational resilience in the MiFID investment firm sector¹, finding evidence of maturing frameworks but identifying weaknesses in firms’ identification and mapping of critical or important business services, scenario testing and integration with risk frameworks.
Context and Scope
The thematic assessment builds on the CBI’s Cross-Industry Guidance on Operational Resilience (the “Guidance”) which was issued in December 2021, became effective from 1 January 2024 and was updated in July 2025 to align with the EU Digital Operational Resilience Act (“DORA”)².
While this review was directly focussed on MiFID investment firms, the CBI’s findings will also be relevant for fund management companies and other regulated firms within the scope of the Guidance.
The Guidance is structured around three pillars (Identify and Prepare; Respond and Adapt; and Recover and Learn) and sets expectations for governance, identification of critical or important services, impact tolerances, mapping of interconnections and interdependencies, ICT and cyber resilience, scenario testing, business continuity, incident management and crisis communications, and post‑incident lessons learned and self‑assessment.
The review comprised an initial maturity survey and desk‑based review, followed by targeted in‑person assessments for a selection of firms.
Key Findings
The CBI observed that many of the firms reviewed now have documented operational resilience frameworks broadly aligned with the principles in the Guidance, with clear accountability residing at board level (often via board committees) and senior management holding functional responsibility.
However, the CBI also identified varying levels of maturity of operational resilience frameworks across the firms reviewed. In particular, it highlighted that firms’ identification of critical or important business services, and the mapping of how those services are delivered, lacked sufficient granularity. In addition, aspects of scenario testing were found to be deficient in terms of detail and breadth. In some cases, firms’ operational resilience frameworks were not aligned with their existing operational risk and business continuity frameworks.
Focus on Cyber and Digital Operational Resilience
Although the assessment did not specifically focus on DORA or cyber resilience, the CBI emphasised the rising cyber threat environment and expects firms to continue strengthening cyber and digital operational resilience. It was flagged that further supervisory work in this area is planned for 2026 and 2027.
Actions Required
The CBI now expects the boards and senior management of all MiFID investment firms to revisit the Guidance, including the July 2025 updates, to consider their adherence to it.
The CBI highlighted that particular attention should be given to three aspects of the Guidance:
- identification of critical or important business services (Guideline 4);
- end‑to‑end mapping of how those services are delivered (Guideline 7); and
- capturing third‑party dependencies within that mapping (Guideline 8).
The overarching objective remains that firms can recover critical or important services from significant unplanned disruption while minimising the impact to customers and preserving the integrity of the financial system.
Next Steps
In terms of the respective roles of the board and senior management, the review noted that the board needs to be ultimately responsible for reviewing and approving the firm’s strategic approach to operational resilience and that senior management are responsible for implementing operational resilience across the business.
In light of the thematic findings and the CBI’s stated priorities, firms should reassess their frameworks against the Guidance with particular emphasis on the identification of critical services, comprehensive mapping and capture of third‑party dependencies, alongside more rigorous, proportionate scenario testing integrated within risk governance and board oversight.
How We Can Help
We support MiFID investment firms and other regulated firms in designing, strengthening and evidencing operational resilience frameworks aligned with the Guidance and DORA.
We can also provide horizon scanning and practical updates on forthcoming CBI supervisory priorities across 2026 and 2027.
Further Information
Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website and in our brochure³.
If you would like further information, please liaise with your usual Maples Group Dublin contact or the persons on this page.
2 Regulation (EU) 2022/2554
3 https://maples.com/wp-content/uploads/2025/02/Financial-Services-Regulatory-Core-Services.pdf