Operational resilience, AI and fraud
Introduction
The Central Bank of Ireland’s latest regulatory outlook highlights an evolution in supervisory focus. Capital strength remains important, but regulators are also looking at how firms manage operational disruption, technology risk and fraud in an increasingly digital financial system.
Operational resilience remains the Central Bank’s highest-rated risk. At the same time, the rapid adoption of artificial intelligence is raising new governance and model risk challenges. Fraud and financial crime are also rising as criminals exploit digital channels and AI-enabled social engineering.
Several regulatory reforms will take effect between 2026 and 2027, increasing supervisory scrutiny across the sector, including the revised Consumer Protection Code, which is effective from late March 2026. These priorities also reflect broader global trends identified in the Organisation for Economic Co-operation and Development (OECD) Consumer Finance Risk Monitor 2026.
Across each sector, the Central Bank’s message is broadly consistent. Supervisors are not only focusing on isolated compliance exercises but also examining whether firms can demonstrate operational resilience, effective governance and strong customer protections in practice.
For financial institutions, this means preparing for closer scrutiny of how operational and technology risks are managed in practice.
Supervisory priorities for 2026
The Central Bank identifies five industry-wide priorities for the year ahead, aligned with the wider European supervisory framework:
- Maintaining resilience to geopolitical and macro-financial risks
- Protecting consumer and investor interests
- Responding to technology-driven change
- Supporting environmental and societal transitions
- Strengthening how supervision is carried out.
These priorities span a wide range of policy areas. In practice, supervisory attention centres on three themes: operational resilience, artificial intelligence and technology risk, and consumer protection.
Operational resilience
Operational and cyber resilience remains the Central Bank’s most severe risk category. As firms become more digital and operating models grow more complex, many critical services now rely on a small number of third-party technology providers. Cyber threats are also increasing as geopolitical tensions rise. Distributed denial-of-service (DDoS) attacks against Irish financial institutions grew significantly during 2025, and operational outages have become more common across the sector.
The Central Bank is also paying closer attention to concentration risk in cloud infrastructure. Four US providers now account for roughly 70% of the EU cloud market, creating potential systemic vulnerabilities if disruption occurs. The Digital Operational Resilience Act (DORA), which took effect in January 2025, introduces a framework for managing ICT risk across financial services.
Early supervisory observations suggest many firms have designed resilience frameworks but have not yet embedded them fully across their organisations. Common gaps include limited board oversight of technology risk, incomplete incident reporting processes and weak oversight of third-party ICT providers. Supervisors are increasingly focused on how these frameworks operate in practice. Firms that rely heavily on documentation rather than operational testing may struggle to demonstrate that critical services can continue during disruption.
Artificial intelligence and technology
Supervisors are also examining risks linked to artificial intelligence and advanced data modelling. As firms expand the use of AI in areas such as credit decisions, fraud detection and investment processes, regulators are paying closer attention to governance, explainability and model oversight.
The Central Bank has also been designated as the national authority responsible for overseeing the EU AI Act within the financial sector. This is likely to increase supervisory attention on how firms design, deploy and govern AI systems.
The regulator is expected to focus on three areas:
- Governance and accountability
- Explainability and model risk management
- Conduct risks arising from automated decision-making
Many firms still treat AI primarily as an innovation initiative rather than a risk management issue. Regulators are increasingly examining how firms integrate AI oversight into existing governance and risk frameworks.
Consumer protection and financial crime
Consumer protection remains a central supervisory theme. The revised Consumer Protection Code takes effect in March 2026 and places greater emphasis on customer outcomes, digital service delivery and the treatment of vulnerable customers.
Financial crime is also a growing concern. Fraudulent payments in Ireland reached €57 million in 2024, driven largely by social engineering attacks. As digital financial services expand, regulators are encouraging firms to strengthen fraud detection, improve customer communication and address the root causes of recurring complaints.
Global alignment
For Irish regulated firms, the Central Bank’s priorities are not isolated domestic requirements but part of a broader international regulatory response to evolving risks in financial services. The OECD Consumer Finance Risk Monitor 2026, which gathered perspectives from 60 jurisdictions, highlights many of the same pressures emerging across financial systems.
Financial scams and fraud rank as the most significant risk globally. Around 85% of OECD jurisdictions identify fraud as a leading threat, with nearly 70% reporting increases during 2025. This closely mirrors developments in Ireland, where fraudulent payments reached €57 million in 2024. Both the OECD and the Central Bank highlight the growing role of artificial intelligence in enabling social engineering, phishing, deepfakes and other forms of digital fraud. Artificial intelligence is also emerging as a major governance challenge. The OECD reports similar concerns across multiple jurisdictions, including algorithmic bias, lack of transparency and data integrity risks as AI adoption accelerates.
Other risks identified globally include rising consumer debt, conduct-related risks such as ineffective disclosures, and financial exclusion linked to digital capability gaps. Many jurisdictions are responding through similar regulatory frameworks, including the Digital Operational Resilience Act (DORA), the EU Artificial Intelligence Act and the G20/OECD High-Level Principles on Financial Consumer Protection.
Sector implications
This section outlines key sector implications arising from evolving regulatory expectations and supervisory priorities ahead.
The banking landscape continues to evolve as digitalisation, new entrants and regulatory change reshape the market. The Capital Requirements Directive VI (CRD6) will require third-country firms to establish EU subsidiaries by January 2027. Supervisors have also highlighted rising cyber threats following increased distributed denial-of-service (DDoS) attacks in 2025, alongside weaknesses in risk data aggregation and reporting (RDARR), climate risk integration and anti-money laundering and counter-terrorist financing (AML/CFT) frameworks in newer market entrants.
Key supervisory activities include:
- Assessment of CRD6 Article 21c and its balance sheet impact
- Reviews of customer service, vulnerable customer treatment and root cause analysis
- Digital Operational Resilience Act (DORA) compliance and cyber resilience testing
- Supervisory Review and Evaluation Process (SREP) assessments covering climate risk, credit exposures such as buy now pay later (BNPL) and fraud controls.
Safeguarding of customer funds remains the Central Bank’s highest supervisory priority for payment and electronic money institutions (EMIs). Fraudulent payments reached €57 million in 2024, driven largely by artificial-intelligence-enabled social engineering. Supervisors have also raised concerns about financial resilience and weaknesses in wind-down planning.
Key supervisory activities include:
- Assessment of safeguarding remediation and implementation of the new Head of Safeguarding pre-approval controlled function (PCF) role
- Enhanced AML/CFT Risk Evaluation Questionnaire (REQ) submissions and fraud control reviews
- Thematic review of financial resilience and wind-down planning
- Information technology (IT) outsourcing governance assessments and DORA reporting.
Solvency II reforms and the Insurance Recovery and Resolution Directive (IRRD) will take effect in January 2027. Supervisors have also highlighted weaknesses in product oversight and governance (POG), climate risk integration and governance of artificial intelligence.
Key supervisory activities include:
- Solvency II review survey and proportionality assessments
- Thematic reviews of product governance, claims handling and commission arrangements
- Engagement with firms on artificial intelligence governance and the European Union Artificial Intelligence Act
- Review of climate risk integration and DORA implementation in non-life insurers.
Supervisors have raised concerns about governance and board substance, valuation of hard-to-value assets such as private credit and private equity and leverage in property funds.
Key supervisory activities include:
- Continued assessment of delegation in fund management companies
- Governance reviews of administrators and depositaries
- Valuation oversight for Level 3 assets such as real estate and private markets
- Monitoring of liquidity risk, property fund leverage and Sustainable Finance Disclosure Regulation (SFDR) compliance.
With ten crypto-asset service providers (CASPs) authorised in Ireland during 2025, operational resilience remains the most pervasive risk, particularly around custody arrangements and private key security.
Key supervisory activities include:
- Sector-wide reviews of technology risk and DORA compliance
- European Securities and Markets Authority (ESMA) common supervisory action on cyber risk for CASPs
- Follow-up reviews of Markets in Crypto-Assets Regulation (MiCAR) custody and authorisation requirements
- Trade surveillance reviews and improvements in suspicious transaction and order reporting (STOR).
With around 80 investment firms authorised under the Markets in Financial Instruments Directive (MiFID) operating in Ireland, supervisors have highlighted increasing operational resilience risks, governance gaps in artificial intelligence and ongoing weaknesses in AML/CFT controls.
Key supervisory activities include:
- Operational resilience assessments and DORA reporting reviews
- Participation in ESMA’s common supervisory action on conflicts of interest in financial instrument distribution
- Thematic reviews of vulnerable customer identification and complaints handling
- Cyclical AML reviews and improvements in trade surveillance and STOR reporting.
The Consumer Protection Code 2025 will apply to all 172 regulated credit union activities for the first time, with implementing regulations expected in 2026. A recent thematic review also identified weaknesses in information technology risk ownership.
Retail intermediaries remain under scrutiny where firms offer unregulated products, with the revised Consumer Protection Code requiring clearer separation between regulated and unregulated activities.
What firms should prioritise
Across sectors, supervisors want firms to demonstrate operational resilience, effective governance and strong customer protections in practice.
These issues are likely to feature prominently in supervisory engagement during the year ahead. Firms that are responding well to the Central Bank’s evolving supervisory focus tend to share a few common characteristics. They treat regulatory change as a governance and operational issue, not just a compliance exercise. Boards are increasingly involved in oversight of operational resilience, technology risk and customer outcomes.
Strong performers also focus on several practical areas:
- Embedding operational resilience frameworks required under DORA, including testing and incident response planning
- Establishing clear governance for artificial intelligence, with defined accountability and model oversight
- Strengthening fraud prevention and anti-money laundering and counter-terrorist financing (AML/CFT) controls as digital threats evolve
- Improving regulatory reporting, data quality and risk data aggregation
- Integrating climate risk into enterprise risk management and scenario analysis
- Preparing early for regulatory change, including the revised Consumer Protection Code and the EU Artificial Intelligence Act.
Businesses that approach these issues in a coordinated way are better positioned to respond to supervisory scrutiny and evolving regulatory expectations.