1. Central Bank updates cross industry guidance on operational resilience
In the third week of July 2025, the Central Bank of Ireland (“Central Bank”) published its updated Cross Industry Guidance on Operational Resilience (“Guidance”). The Guidance is applicable from 14 July 2025 and replaces the previous version that applied from 1 December 2021 to 13 July 2025.
The following is an overview of some of the changes:
The introduction to the Guidance has been updated and considers matters such as:
- the gradual maturing of operational resilience frameworks within regulated financial service providers (“Firms”) since the first version of the guidance was published in 2021;
- the number of significant shocks experienced by Firms in the context of ongoing change in the area of financial services, the supporting technology and relevant regulation;
- the fact that the Guidance particularly takes account of “recent developments and valuable ongoing industry engagement”; and
- the Guidance’s references to what it terms disruptive events, which now also include geopolitical risks.
Section C addressing the “Concept of Operational Resilience” has been updated to refer to the fact that the Guidance is supplementary to DORA, in force since 17 January 2025, highlighting that the Guidance will be useful to all Firms, whether in scope of DORA or not, as regards strengthening operational resilience.
Section D, entitled “Value of Operational Resilience”, has been updated to include consideration of the impacts of the COVID-19 pandemic, emphasising that in a post-pandemic world, companies are expected to prioritise operational resilience strategies to ensure continuity amid future crises, including cyber threats and economic instability.
Section E of the Guidance, which deals with “International Alignment”, when referring to “advanced principles” as regards international regulatory standards, has been updated to include reference to:
- DORA; and
- ongoing work by the International Association of Insurance Supervisors (“IAIS”) regarding its development of an application paper on operational resilience objectives and toolkit.
Section F, entitled “Scope of Application”, has been updated in that it describes the Central Bank’s mandate as regards maintaining monetary and financial stability.
In Section G, “Implementation”, reference to an “appropriate timeframe” as regards Firms being able to demonstrate that they have applied the Guidelines, has been removed.
In Section H, “Supervisory Approach”, the following has been added:
“A firm should conduct and document an annual operational resilience self-assessment. These reviews should cover all aspects of the three pillars of operational resilience and be reviewed and approved by the board”.
Reference to a previous Central Bank operational resilience maturity assessment has been removed.
As regards the individual guidelines themselves, the following is an overview of some of the changes:
Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm
- the words “through a documented self-assessment” have been added to guideline 1, when referring to a board review of the components of the operational resilience framework on an, at least, annual basis.
Guideline 2: The Operational Resilience Framework should be embedded within a firm’s overall Governance and Risk Management Frameworks
- the title has been changed as it previously read “The Operational Resilience Framework should be aligned with a firm's overall Governance and Risk Management Frameworks”;
- it now states that the Central Bank views operational resilience and operational risk as separate but aligned disciplines with Firms expected to manage these disciplines through distinct yet aligned frameworks, where operational resilience focuses on identifying the most critical services and guides response during disruptions, and operational risk focuses on the management and control of risks that could impact operations; and
- Firms should develop a documented operational resilience framework aligned with their operational risk and business continuity frameworks.
Guideline 3: The Board reviews and approves the criteria for critical or important business
This guideline now states that the criteria should enable a firm to identify its critical or important business services and prioritise them in the event of a disruption. The Guidance goes on to refer to this being achieved through considering the impact of a disruption to a critical or important business service on its external end users through three lenses:
- impact on customer;
- impact on firm’s viability, safety and soundness; and
- impact on overall financial stability.
Guideline 5: Impact tolerances should be approved for each critical or important business service
This now refers to an expectation of the Central Bank that a firm’s board will review and approve impact tolerances at least annually, or following a disruption, to ensure they remain fit for purpose, rather than a suggestion that this should be carried out.
Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services
- instead of referring to outsourced third parties (“OPSs”), the Guidance now refers to third party service providers (“TSPS”);
- the following has been added: “A firm should also be aware of any chain outsourcing that exists for all its critical or important business services and should manage and monitor accordingly. Chain outsourcing can complicate the effective management of the critical or important business service and a firm should have clear written agreements in place regarding any chain outsourcing that may impact the provision of a critical or important business service.”;
- guideline 8 has also been updated to take account of the introduction of DORA. Guideline 8 still requires that it be read in conjunction with the Central Bank’s “Cross Industry Guidance on Outsourcing”; and
- as regards ICT services provided by a third party, Firms subject to DORA must ensure compliance with the provisions relating to the management of third party risks. Firms that are not subject to DORA should consider that the application of the measures described in that regulation represents good practice.
Guideline 9: A firm should have ICT Resilience strategies that are aligned to the operational resilience of its critical or important business services
- the previous title was, “A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.”;
- guideline 9 has also been updated to refer to:
  - the fact that the resilience of technology infrastructure and the protection of ICT assets should be an integral part of any operational resilience framework;
  - the fact that Firms should ensure that ICT systems and dependencies are appropriately managed to ensure a high level of digital operational resilience and support the overall operational resilience of Firms;
  - the fact that the Central Bank recognises the requirements of DORA as representing good ICT risk management, incident management, testing, third party and information sharing practices for all financial entities to ensure both the resilience of individual firms and the financial sector as a whole;
  - Firms should develop an understanding of the various roles and dependencies in relation to the management of ICT risk and should maintain a register of ICT third-party service providers in order to support the mapping under guidelines 7 and 8 of the Guidance; and
  - as part of ensuring their operational resilience, the Central Bank expects that firms that are not directly subject to DORA should consider introducing equivalent measures as part of their operational resilience in line with the nature, scale and complexity of their operations, and, in respect of their ICT risk management framework, consider at least DORA’s simplified risk management framework.
Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework
The following has been added to the Guidance: “In respect of major ICT-related incidents in line with the Digital Operational Resilience Act (DORA), firms subject to DORA should ensure compliance with the Regulation’s provisions on ICT-related incident management, classification and reporting.”
Finally, a small number of terms in the glossary have been removed or amended. Throughout the Guidance, there have also been some minor wording changes.