In July 2025, the Central Bank of Ireland (Central Bank) published its updated Cross-Industry Guidance on Operational Resilience (Revised Guidance), marking an evolution in its regulatory expectations for regulated financial service providers (Regulated Firms).
This update reflects the maturing of operational resilience frameworks within Regulated Firms and incorporates insights from recent developments, including the implementation of the Digital Operational Resilience Act (DORA) and ongoing industry engagement.
The Revised Guidance replaces the original version issued in December 2021 and is effective from 14 July 2025. It continues to apply proportionately to all Regulated Firms based on their nature, scale, and complexity of business.
For Regulated Firms that have already aligned their operational resilience frameworks with the previous guidance and DORA, the Revised Guidance is unlikely to necessitate substantial changes. However, several notable updates have been introduced.
1. Alignment with DORA
Definitions have been updated to reflect DORA terminology. "Outsourced Service Provider" is now referred to as "Outsourced Third Party Service Provider," broadening the scope to include any third-party entity providing services to a regulated firm. A new definition of ICT risk has also been added.
The Revised Guidance includes additional references explicitly acknowledging its complementary relationship with DORA. It encourages Regulated Firms, whether directly subject to DORA or not, to adopt equivalent measures to enhance operational resilience.
2. Annual Self-Assessment
Regulated Firms are now required to conduct and document an annual operational resilience self-assessment. This assessment must cover all three pillars of operational resilience: Identify and Prepare, Respond and Adapt, and Recover and Learn. It must also be reviewed and approved by the Regulated Firm's board.
3. Operational Resilience and Operational Risk
Under Guideline 2 of the Revised Guidance, the Central Bank now refers to operational resilience and operational risk as "separate but aligned disciplines." This represents a shift from the previous view of operational resilience and operational risk as a "unified objective". This new distinction may aim to clarify the different roles that operational resilience and operational risk play within a Regulated Firm's framework. Operational resilience is positioned as a set of practical and technical measures designed to ensure continuity of operations, particularly in the face of disruptions involving third-party service providers. Operational resilience is regarded as a by-product of sound operational risk analysis. Regulated Firms should be careful to avoid merging these concepts within their internal policies and procedures.
4. Identification of Critical or Important Business Services
The Revised Guidance reaffirms that Critical or Important Business Services must be external-facing with identifiable end users. This contrasts with DORA's broader scope, which also includes internal-facing processes and functions. Regulated Firms should be mindful of these differing lenses when mapping dependencies and identifying critical or important business services under the Revised Guidance, as well as critical or important business functions under DORA.
5. ICT Resilience
Guideline 9 on ICT Resilience has been expanded. The Central Bank now expects Regulated Firms not subject to DORA to consider implementing equivalent ICT risk management measures, including DORA's Simplified Risk Management Framework on a proportionate basis.
Conclusion
The Revised Guidance signals a shift from a conceptual understanding to a more practical implementation of operational resilience. It emphasises the importance of board accountability and the need for continuous improvement, while aligning with international regulatory standards. Regulated Firms should carefully review the Revised Guidance and incorporate the necessary changes into their annual review of their operational resilience frameworks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
