Nicholas Blake-Knox
Partner
Ireland
During July 2025, the Central Bank of Ireland (Central Bank) updated its Cross Industry Guidance on Operational Resilience (OpRes Guidance).
In the revised OpRes Guidance the Central Bank notes that there has been a gradual maturing of operational resilience frameworks within firms, industry shocks and ongoing change in financial services since the original OpRes Guidance was published in December 2021. Updates to the OpRes Guidance have been informed by these recent developments and ongoing industry engagement.
The OpRes Guidance continues to apply to all regulated financial services providers (Firms) and can be applied in a proportionate manner based on the nature, scale and complexity of each Firm's business.
No express lead-in time is provided for in the OpRes Guidance for Firms to demonstrate compliance with the updated obligations (unlike the 2021 OpRes Guidance, which required Firms to be able to demonstrate application within two years).
1. Annual self-assessment – New requirement to support board review
Guideline 1 has been amended to require that the board's annual review of the Operational Resilience Framework is 'through a documented self-assessment'.
The OpRes Guidance continues to require Firms to document and update written self-assessments highlighting how they meet current operational resilience policy requirements on at least an annual basis. These reviews are to cover all aspects of the three pillars of operational resilience (identify and prepare, respond and adapt, recover and learn).
The annual operational resilience self-assessment, and the requirement for it to be board reviewed and approved, is also emphasised in Section H of the OpRes Guidance.
2. Operational resilience and operational risk – Distinct disciplines
While the 2021 OpRes Guidance indicated the Central Bank viewed the management of a Firm’s operational risk and resilience as a unified objective, enacted through aligned frameworks or one holistic framework, the updated OpRes Guidance departs from this.
Guideline 2 of the OpRes Guidance now provides that these are separate but aligned disciplines. Firms are expected to manage these disciplines through distinct (yet aligned) frameworks, where:
(a) operational resilience focuses on identifying the most critical services and guides response during disruptions; and
(b) operational risk focuses on the management and control of risks that could impact operations.
Accordingly, Firms must develop a documented operational resilience framework aligned with their separate operational risk and business continuity frameworks.
3. Identification of critical or important business services – External facing only
Guideline 4 now clarifies that 'critical or important business services are external facing and should have an identifiable external end user. Whereas, processes, functions and business lines are internal facing and may form part of the chain of activities that support the delivery of a service.'
In this respect the OpRes Guidance differs from DORA, which requires consideration of internal and external activities in assessing criticality. Accordingly, these different lenses should be taken into account when identifying critical or important business services under each of the OpRes Guidance and critical or important functions under DORA.
Guideline 4 includes a slight amendment requiring Firms to also identify critical or important "functions" (in addition to business services).
4. Impact tolerances – Wider impact
Guideline 5 has been revised to provide context regarding the setting of impact tolerances, emphasising that the breach of an impact tolerance of a critical or important business service may indicate that the impacted service has "irrecoverable consequences for customers, the firm and the wider financial system".
5. Digital operational resilience – Alignment with DORA – third parties
One of the key developments since the 2021 OpRes Guidance has been the introduction and application of the EU Digital Operational Resilience Regulation and Directive (DORA), which sets minimum standards of digital operational resilience required in certain financial entities.
The revised OpRes Guidance includes changes to ensure alignment with DORA. These include broadening the definition of "Outsourced Service Provider" to "Outsourced Third Party Service Provider" so as to include third parties providing services to a Firm. The OpRes Guidance now also includes a definition of "ICT Risk" drawn from DORA and includes obligations regarding third party service providers.
The OpRes Guidance states that it is complementary to DORA and will benefit and aid all Firms, whether subject to DORA or not, in strengthening their operational resilience.
Under Guideline 8, in respect of information communication technology (ICT) services provided by a third party, Firms subject to DORA must ensure compliance with the provisions relating to the management of third party risks.
Firms outside DORA: According to Guideline 8, Firms that are not subject to DORA should consider that the application of the measures described in that regulation (relating to the management of third party risks) represents good practice. A similar statement is provided in Guideline 9, as outlined below.
6. ICT resilience – Alignment with DORA, ICT register
Guideline 9 has been amended to require that Firms should ensure that their ICT systems and dependencies are appropriately managed to ensure a high level of digital operational resilience and support the overall operational resilience of the Firm.
Firms outside DORA: Guideline 9 provides that the Central Bank recognises the requirements of DORA as representing good ICT risk management, incident management, testing, third party and information sharing practices for all financial entities to ensure both the resilience of individual Firms and the financial sector as a whole.
Guideline 9 also requires Firms to identify information and ICT assets, understand roles and dependencies regarding ICT risk and maintain a register of ICT third-party service providers.
Firms outside DORA: On this topic, as part of ensuring their operational resilience, the Central Bank expects that Firms that are not directly subject to DORA should nevertheless consider introducing equivalent measures as part of their operational resilience in line with the nature, scale and complexity of their operations, and, in respect of their ICT risk management framework, consider at least DORA's Simplified Risk Management Framework.
7. Business continuity management (BCM)
Guideline 11 includes a new footnote providing that, with regard to BCM of ICT functions, the Central Bank invites Firms to consider good practices such as DORA's requirements in relation to ICT business continuity management. Again, this principle is particularly relevant to Firms outside DORA.
8. Withdrawal of Central Bank Cross Industry Cybersecurity Guidance 2016
As a related measure, in order to ensure regulatory simplification and clarity, the Central Bank has withdrawn its Cross Industry Guidance in respect of Information Technology and Cybersecurity Risk Management (September 2016). This withdrawal reflects the Central Bank's expectation that DORA now provides clarity on a harmonised good practice minimum standard on these topics (cyber security and IT risk management) which is relevant for all participants in the financial system.
As such, existing cyber and IT security policies should be reviewed and potential revisions considered where referencing the now withdrawn Central Bank's 2016 cross-industry guidance.
Firms that already have a comprehensive operational resilience framework in place aligned with both the Central Bank's 2021 OpRes Guidance and DORA are unlikely to be required to implement a major overhaul of their frameworks. Nevertheless, some changes will be required to address specific changes to the terms of the OpRes Guidance. For Firms that fall outside the scope of DORA, the required changes will be more pronounced.
For all Firms, there is an increased emphasis on the role of the board. Boards and senior management of Firms are expected to review the revised OpRes Guidance, adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience in line with the OpRes Guidance, and be able to demonstrate its application. In the absence of any express lead-in time provided for implementation, Firms should seek to consider any necessary updates to operational resilience frameworks in their upcoming annual reviews.