The Dubai Financial Services Authority (“DFSA”) has published Consultation Paper No. 170 (“CP170”) proposing the introduction of a new operational resilience framework into the DFSA Rulebook.
The proposals would introduce a new section in the DFSA’s General Module (“GEN”), setting out a proportionate, principles‑based framework aimed at strengthening the ability of firms authorised by the DFSA (“Authorised Firm”) to continue delivering critical business services during periods of operational disruption. The consultation was published on 27 March 2026 and closes on 26 May 2026.
Overview of the proposals
At a high level, CP170 would require each Authorised Firm to assess whether any of its business services are sufficiently important that a disruption to them could either:
- cause material harm to clients; or
- undermine confidence in the DIFC financial system.
Where an Authorised Firm concludes that none of its business services meets this threshold, its regulatory obligations under the proposed operational resilience regime would end there, subject to:
- periodic re‑assessment; and
- approval of the outcome by the Authorised Firm’s Governing Body.
This initial identification exercise therefore operates as a gateway to the rest of the regime.
Requirements for firms with critical business services
Where an Authorised Firm identifies one or more critical business services, CP170 proposes that the Authorised Firm would be required to take the following steps:
1. Setting impact tolerances
Authorised Firms would be required to set impact tolerances for each critical business service. An impact tolerance represents the maximum level of disruption that the Authorised Firm can tolerate before the impact becomes unacceptable.
Impact tolerances may be measured by reference to time (for example, maximum tolerable downtime) and/or other relevant metrics, such as the number or value of transactions affected. Responsibility for approving impact tolerances would sit with the Authorised Firm’s Governing Body.
2. Mapping resources
Authorised Firms would need to map and document the minimum combination of resources required to continue delivering each critical business service within its impact tolerance during a disruption. This includes people, processes, technology, facilities and information, as well as dependencies on third‑party service providers.
The DFSA’s proposals place particular emphasis on understanding shared resources and concentration risks, including where multiple critical business services rely on the same underlying infrastructure or outsourced arrangements.
3. Scenario testing
Authorised Firms would be required to scenario test their ability to remain within impact tolerances under a range of severe but plausible disruption scenarios. This includes scenarios in which multiple critical business services are impacted simultaneously due to shared dependencies.
While the DFSA does not prescribe fixed testing frequencies, Authorised Firms would be expected to document their testing outcomes and maintain records that can be provided to the DFSA upon request.
4. Regulatory notification
Where a disruption to a critical business service has breached, or come reasonably close to breaching, an impact tolerance, Authorised Firms would be required to notify the DFSA as soon as practicable. Notifications would be submitted via a dedicated electronic form on the DFSA ePortal.
Implementation timeline
The DFSA proposes a 24‑month implementation period from the date the final rules are enacted.
During the first 12 months, Authorised Firms are expected to be well advanced in:
- identifying critical business services;
- setting impact tolerances;
- mapping supporting resources; and
- undertaking scenario testing.
The DFSA anticipates engaging with Authorised Firms during the implementation period to assess progress and, following the end of the transition, expects Authorised Firms to be able to demonstrate full compliance with the new requirements.
International context
The proposals in CP170 reflect established international approaches to operational resilience and will be familiar to Authorised Firms that are already subject to regimes such as:
- the UK Financial Conduct Authority and Prudential Regulation Authority operational resilience framework; and
- the EU’s Digital Operational Resilience Act (DORA).
By comparison, the DFSA’s proposals appear deliberately more principles‑based and proportionate, consistent with its broader supervisory style.
However, Authorised Firms should be cautious not to interpret a leaner rule set as implying a lighter compliance burden.
Practical considerations for Authorised Firms
In practice, the challenges associated with operational resilience rarely arise from the wording of the rules themselves, but from their implementation.
Key questions for Authorised Firms are likely to include:
- how frequently the identification of critical business services should be revisited in practice;
- how to set impact tolerances that are meaningful and robust, rather than theoretical; and
- how to reflect evolving risk profiles driven by geopolitical volatility, cross‑border dependencies and increasing reliance on outsourced and cloud‑based infrastructure.
Operational resilience is no longer confined to traditional cyber incidents or data‑centre outages. The current geopolitical climate serves as a timely reminder of the type of "severe but plausible" scenarios firms will be expected to test against. As ever, regulatory scrutiny is likely to be most acute after a disruption has occurred, when decisions made under pressure are reviewed with the benefit of hindsight.
Operational resilience is often discussed in the language of market stability and consumer protection. However, disruption to a “critical business service” is never just a technical or compliance issue. In a wholesale market such as the DIFC, it can mean failed treasury payments, disrupted trading activity, delayed custody or settlement processes, an inability to execute client instructions, or claims handling delays at precisely the wrong moment. The current environment is a timely reminder that operational risk is not abstract. When core services are disrupted, the consequences quickly flow through to clients, counterparties, markets and the wider economy.
Next steps
The DFSA proposes to publish Supervisory Guidelines alongside the final rules, which should assist Authorised Firms in interpreting regulatory expectations. Nevertheless, implementing the proposed framework is likely to involve significant governance, operational and documentation work for affected Authorised Firms.
Authorised Firms may wish to consider engaging with the consultation process ahead of the 26 May 2026 deadline and to begin assessing how the proposed framework would apply to their existing business continuity and operational risk arrangements.