In the third week of July 2025, the Central Bank of Ireland (“Central Bank”) published its updated Cross Industry Guidance on Operational Resilience (“Guidance”). The Guidance is applicable from 14 July 2025 and replaces the previous version that applied from 1 December 2021 to 13 July 2025.

The following is an overview of some of the changes:

The introduction to the Guidance has been updated and considers matters such as:

• the gradual maturing of operational resilience frameworks within regulated financial service providers (“Firms”) since the first version of the guidance was published in 2021;
• the number of significant shocks experienced by Firms in the context of ongoing change in the area of financial services, the supporting technology and relevant regulation;
• the Guidance highlights that it particularly takes account of “recent developments and valuable ongoing industry engagement”; and
• in terms of reference to what the Guidance refers to as disruptive events, it now also refers to geopolitical risks.

Section C addressing the “Concept of Operational Resilience” has been updated to refer to the fact that the Guidance is supplementary to DORA, in force since 17 January 2025, highlighting that the Guidance will be useful to all Firms, whether in scope of DORA or not, as regards strengthening operational resilience.

Section D, entitled, “Value of Operational Resilience” has been updated to include consideration of the impacts of the COVID-19 pandemic, emphasising that in a post pandemic world, companies are expected to prioritise operational resilience strategies to ensure continuity amid future crises, including cyber threats and economic instability.

Section E  of the Guidance, which deals with “International Alignment”, when referring to “advanced principles” as regards international regulatory standards, has been updated to include reference to:

• DORA; and
• ongoing work by the International Association of Insurance Supervisors (“IAIS”) regarding its development of an application paper on operational resilience objectives and toolkit.

Section F, entitled “Scope of Application”  has been updated in that it describes the Central Bank’s mandate as regards maintaining monetary and financial stability. 

In Section G, “Implementation”, reference to an “appropriate timeframe” as regards Firms being able to demonstrate that they have applied the Guidelines, has been removed.

In Section H, “Supervisory Approach” the following has been added:

“A firm should conduct and document an annual operational resilience self-assessment. These reviews should cover all aspects of the three pillars of operational resilience and be reviewed and approved by the board”.

Reference to a previous Central Bank operational resilience maturity assessment has been removed.

As regards, the individual guidelines themselves, the following is an overview of some of the changes:

Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm

• the words “through a documented self-assessment” have been added to guideline 1, when referring to a board review of the components of the operational resilience framework on an, at least, annual basis.

Guideline 2: The Operational Resilience Framework should be embedded within a firm’s overall Governance and Risk Management Frameworks

• the title has been changed as it previously read “The Operational Resilience Framework should be aligned with a firm's overall Governance and Risk Management Frameworks”;
• it now states that the Central Bank views operational resilience and operational risk as separate but aligned disciplines with Firms expected to manage these disciplines through distinct yet aligned frameworks, where operational resilience focuses on identifying the most critical services and guides response during disruptions, and operational risk focuses on the management and control of risks that could impact operations; and
• Firms should develop a documented operational resilience framework aligned with their operational risk and business continuity frameworks.

Guideline 3: The Board reviews and approves the criteria for critical or important business

This guideline now states that the criteria should enable a firm to identify its critical or important business services and prioritise them in the event of a disruption. The Guidance goes on to refer to this being achieved through considering the impact of a disruption to a critical or important business service on its external end users through three lenses:

• impact on customer;
• impact on firm’s viability, safety and soundness; and
• impact to overall financial stability.

Guideline 5: Impact tolerances should be approved for each critical or important business service

This now refers to an expectation of the Central Bank that a firm’s board will review and approve impact tolerances at least annually, or following a disruption, to ensure they remain fit for purpose, rather than the suggestion that this should be carried out.

Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services

• instead of referring to outsourced third parties (“OPSs”), the Guidance now refers to third party service providers (“TSPS”);
• the following has been added: “A firm should also be aware of any chain outsourcing that exists for all its critical or important business services and should manage and monitor accordingly. Chain outsourcing can complicate the effective management of the critical or important business service and a firm should have clear written agreements in place regarding any chain outsourcing that may impact the provision of a critical or important business service.”;
• guideline 8 has also been updated to take account of the introduction of DORA. Guideline 8 still requires that it be read in conjunction with the Central Bank’s “Cross Industry Guidance on Outsourcing”; and
• as regards ICT services provided by a third party, Firms subject to DORA must ensure compliance with the provisions relating to the management of third party risks. Firms that are not subject to DORA should consider that the application of the measures described in that regulation represent good practice.

Guideline 9: A firm should have ICT Resilience strategies that are aligned to the operational resilience of its critical or important business services

• the previous title was,  “A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.”;
• guideline 9 has also been updated to refer to:
  • the fact that the resilience of technology infrastructure and the protection of ICT assets should be an integral part of any operational resilience framework;
  • the fact that Firms should ensure that ICT systems and dependencies are appropriately managed to ensure a high level of digital operational resilience and support the overall operational resilience of Firms;
  • the fact that the Central Bank recognises the requirements of DORA as representing good ICT risk management, incident management, testing, third party and information sharing practices for all financial entities to ensure both the resilience of individual firms and the financial sector as a whole;
  • Firms should develop an understanding of the various roles and dependencies in relation to the management of ICT risk and should maintain a register of ICT third-party service providers in order to support the mapping under guidelines 7 and 8 of the Guidance; and
  • as part of ensuring their operational resilience, the Central Bank expects that firms that are not directly subject to DORA should consider introducing equivalent measures as part of their operational resilience in line with the nature, scale and complexity of their operations, and, in respect of their ICT risk management framework, consider at least DORA’s simplified risk management framework.

Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework

The following has been added to the Guidance: “In respect of major ICT-related incidents in line with the Digital Operational Resilience Act (DORA), firms subject to DORA should ensure compliance with the Regulations provisions on ICT-related incident management, classification and reporting.”

Finally, a small number of terms in the glossary have been removed or amended. Throughout the Guidance, there have also been some minor wording changes.

On 21 July 2025, the Department of Finance (“Department”) published a consultation (“Consultation”) on the Ireland for Finance Strategy 2026-2030 (“Strategy”).

The current Ireland for Finance Strategy, published in 2022, expires in 2026 and was largely driven by the increased prominence of fintech and sustainable finance.

Building on the success of the current strategy, the Consultation seeks feedback to inform the development of the new Strategy as regards Ireland maintaining and growing its position as a leading global hub for specialist international financial services (“IFS”).

The Consultation is linked to the Programme for Government 2025 (“Programme”), which includes a commitment to develop the Strategy, with a particular focus on the further development of the sustainable finance sector. Further commitments in the Programme, impacting financial services, include supporting innovation / enhancing competitiveness / taking advantage of opportunities in fintech.

Views

The Department aims to develop a comprehensive Strategy, for the IFS sector, that will include targeted, agile and evidence-based policy measures that will foster and improve Ireland’s international competitiveness and sustainable growth.

Accordingly, the Consultation is seeking stakeholders input on:

• the current IFS landscape and emerging trends in order to identify areas of opportunity across the short, medium and long term;
• barriers to competitiveness and growth within the context of a robust regulatory and supervisory regime; and
• measures to support sustainable growth.

The Consultation questions address areas such as:

• the operating environment for IFS firms, including the Central Bank of Ireland regulatory regime and the EU regulatory framework and domestic policy environment;
• sustainable finance, including how Ireland can position itself in the future as a sustainable finance centre;
• innovation and technology, including identification of the primary barriers to innovation in the financial sector in Ireland;
• the growth of indigenous start-up, scaling and innovative firms, including consideration of the establishment of a national fintech hub; and
• skills, talent and regional development.

Commenting on the publication of the Consultation, Minister of State for Financial Services, Credit Unions and Insurance, Robert Troy, stated:

“The new Ireland for Finance strategy will guide us to the end of the decade and beyond. It will seek to reinforce and enhance Ireland’s international competitiveness and foster sustainable growth in our international financial services sector. This is a pivotal moment for an important sector to the Irish economy, against the backdrop of an uncertain geopolitical situation. There is significant opportunity within our international financial services sector across key areas of growth like artificial intelligence, sustainable finance, and the sector’s strong regional footprint…I strongly encourage all interested parties to respond.”

Next Steps

The Consultation is open for feedback until 19 September 2025. Submissions may be forwarded by email at iffconsultation@finance.gov.ie or by post at the relevant address. The Department has stated that it will undertake extensive stakeholder engagement throughout 2025.

The Department also stated that further consultations may be carried out at a later stage. It is expected that a draft report will be forwarded to Ministers for government by Q1 2026, and the Strategy published in H1 2026. 

On 22 July 2025, the Central Bank of Ireland (“Central Bank”) issued a press release announcing that Colm Kinkaid has been appointed as Deputy Governor, Consumer & Investor Protection at the Central Bank.

Mr Kinkaid will be responsible for leading the strategic development and execution of consumer and investor protection policies. This will include engagement with stakeholders and representation of the Central Bank on domestic and international forums.

Welcoming Mr Kinkaid’s appointment, Governor of the Central Bank, Gabriel Makhlouf stated:

“Colm’s commitment to upholding the highest standards of consumer welfare and market integrity has been a hallmark of his work at Central Bank of Ireland. He will continue the Central Bank’s focus on this crucial element of our mandate." 

For more information on recent consumer protection developments, please see the Matheson Talks Financial Regulation Podcast focusing on the revised Consumer Protection Code, available here.

Next Steps

Mr Kinkaid’s appointment is effective as of 1 August 2025. 

On 18 July 2025, the European Commission (“Commission”) launched a consultation (“Consultation”) on a draft delegated regulation (“Draft Regulation”)  reviewing the Solvency II Delegated Regulation.

The Consultation aims to gather feedback regarding changes to the technical rules governing:

• the valuation of insurers’ liabilities;
• calculation of solvency requirements;
• reporting and disclosure obligations;
• group supervision; and
• other related areas.

Insurers as Key Institutional Investors

The Consultation references its communication on the savings and investment union (“SIU”) of 19 March 2025, specifically, the fact that the insurance sector is a key institutional investor due to it having trillions of assets under management. In this regard, the Consultation highlights that the insurance sector can contribute to the goals of the SIU by:

• providing long-term capital financing to businesses;
• investing in equity and certain alternative assets, namely venture capital, private equity and infrastructure; and
• contributing to securitisation by facilitating the transfer of risks outside the banking sector.

For more information on the SIU, see FIG Top 5 at 5 dated 27 March 2025.

Deterrents

The Consultation aims to remove deterrents for insurers as regards the objectives of the SIU and accordingly, the Draft Regulation proposes a dedicated treatment for long‑term equity investments by insurers that aims to encourage equity financing of European firms and facilitate their access to stable, long‑term capital.

Additionally, the Draft Regulation contains measures aimed at reducing the impact of short‑term market volatility on solvency positions.

The Draft Regulation also reduces risk factors regarding both simple, transparent and standardised (“STS”) and non-STS securitisation, with the aim of removing barriers to investments in securitisation by insurers.

Additional Matters

As part of the Commission’s simplification agenda, the Draft Regulation also contains measures targeted at burden reduction, including the reporting burden, particularly for smaller insurers with low risk business models, for example, by extending reporting deadlines and introducing greater proportionality to reduce administrative burdens.

The Draft Regulation also proposes a recalibration of capital requirements for natural catastrophe risks, taking account of the latest research regarding climate change.

Next Steps

The Consultation is open for feedback until 5 September 2025. The Commission have stated that feedback received will be taken into account when drafting the proposal, which is expected to take place in Q3 2025. 

On 22 July 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) launched two consultations related to the implementation of the Insurance Recovery and Resolution Directive (“IRRD”).

The consultations are as follows:

1. Consultation on draft regulatory technical standards (“RTS”) on the functioning of the resolution colleges under IRRD

   The RTS set out the rules for the establishment of resolution colleges and the procedures to be followed when performing their functions and tasks to prepare for resolution through resolution planning, including the assessment of resolvability.

   The RTS aim to increase the readiness of resolution colleges as regards responding to crisis situations and to enable the resolving of (re)insurance undertakings in a coordinated way. The RTS address matters such as:

   • the establishment and update of written arrangements;
   • conditions for the exchange of information;
   • joint decisions regarding resolution plans;
   • the assessment of resolvability;
   • measures to address substantive impediments; and
   • cross-border group resolution.
2. Consultation on draft implementing technical standards (“ITS”) on resolution reporting under IRRD

The ITS set out the procedures,  standard  forms and templates to be used by insurers for the provision of information to resolution authorities for the preparation of resolution plans. The RTS address matters such as:

• frequency and reference dates;
• resolution reporting formats; and
• cooperation between supervisory authorities and resolution authorities.

Next Steps

Both consultations, set out above, are open for feedback until 31 October 2025. EIOPA has stated that   it will consider the feedback received and expects to publish a final report on the consultations.