Operational Resilience in MiFID Investment Firms – CBI Thematic Review

This week, the Central Bank of Ireland (the “CBI“) published the results of its thematic assessment of operational resilience in the MiFID investment firm sector, finding evidence of maturing frameworks but identifying weaknesses in firms’ identification and mapping of critical or important business services, scenario testing and integration with risk frameworks.

The thematic assessment builds on the CBI’s Cross-Industry Guidance on Operational Resilience (the “Guidance“) which was issued in December 2021, became effective from 1 January 2024 and was updated in July 2025 to align with the EU Digital Operational Resilience Act (“DORA“).

The review comprised an initial maturity survey and desk‑based review, followed by targeted in‑person assessments for a selection of firms.

The feedback states that many of the firms reviewed now have documented operational resilience frameworks broadly aligned with the principles in the Guidance, with clear accountability residing at board level (often via board committees) and senior management holding functional responsibility.

However, the CBI also identified varying levels of maturity of operational resilience frameworks across the firms reviewed. In particular, it highlighted that firms’ identification of critical or important business services, and the mapping of how those services are delivered, lacked sufficient granularity. In addition, aspects of scenario testing were found to be deficient in terms of detail and breadth. In some cases, firms’ operational resilience frameworks were not aligned with their existing operational risk and business continuity frameworks.

Although the assessment did not specifically focus on DORA or cyber resilience, the CBI emphasised the rising cyber threat environment and expects firms to continue strengthening cyber and digital operational resilience. It was flagged that further supervisory work in this area is planned for 2026 and 2027.

Actions Required

• The CBI now expects the boards and senior management of all MiFID investment firms to revisit the Guidance, including the July 2025 updates, to reassess their frameworks against it with particular emphasis on the identification of critical services, comprehensive mapping and capture of third‑party dependencies, alongside more rigorous, proportionate scenario testing integrated within risk governance and board oversight.
• The CBI highlighted particular attention should be given to three aspects of the Guidance:
  • identification of critical or important business services (Guideline 4);
  • end‑to‑end mapping of how those services are delivered (Guideline 7); and
  • capturing third‑party dependencies within that mapping (Guideline 8).
• The overarching objective remains that firms can recover critical or important services from significant unplanned disruption while minimising the impact to customers and preserving the integrity of the financial system.

In terms of the respective roles of the board and senior management, the review noted that the board needs to be ultimately responsible for reviewing and approving the firm’s strategic approach to operational resilience and that senior management are responsible for implementing the operational resilience across the business.