Operational Resilience


Operational resilience is the ability of a firm to identify and prepare for, respond and adapt to, recover and learn from an operational disruption. It is expected to be a key regulatory focus over the coming years. Regulators aim to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system. Specific issues include (i) poor governance and oversight of outsourced functions and third-party service providers, (ii) insufficiently resilient legacy IT systems with poor cyber security, and (iii) a lack of contingency plans for business disruptions.

Current work: 

The European Commission has published a draft regulation on digital operational resilience for the financial sector (DORA). It aims to enable a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an oversight framework for critical ICT third-party providers. The Commission's proposal is currently being scrutinised by the European Parliament and Council.

The European Securities and Markets Authority (ESMA) has issued guidelines on outsourcing to cloud service providers. The ESMA guidelines, which entered into force on 31 July 2021, aim to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. The guidelines apply from 31 December 2022 to any cloud outsourcing arrangement entered into prior to 31 July 2021.

The Central Bank of Ireland (CBI) has published cross industry guidance on operational resilience. The guidance aims to assist firms in preparing for, responding to, recovering and learning from an operational disruption that affects the delivery of critical or important business services.

The UK Financial Conduct Authority (FCA) has published new rules designed to increase and enhance firms’ operational resilience. Requirements include identifying important business services, setting impact tolerances for the maximum tolerable disruption and carrying out mapping and testing. Firms must also have identified any vulnerabilities in their operational resilience. The FCA's rules will come into force on 31 March 2022.

The U.S. Securities and Exchange Commission (SEC) staff are developing a proposal for the Commission’s consideration on cybersecurity risk governance.

Upcoming actions:

31 March 2022, FCA rules on operational resilience will come into force.

31 December 2022, ESMA guidelines apply to any cloud outsourcing arrangement entered into prior to 31 July 2021.

2023, EU's Digital Operational Resilience Act (DORA) is expected to come into effect.

(Last updated: 1 December 2021)

Other related workstreams


The increasing use of outsourcing by regulated entities is of growing importance to a number of supervisory authorities. ESMA guidelines on cloud outsourcing came into force on 31 July 2021. The CBI has issued a consultation paper on draft new outsourcing guidelines.

Cyber and Technology

In recent years, cyber security has increasingly become the top global risk for business, with regulators and policy-makers also paying increased attention to financial institutions’ cyber security planning.