Insights

Operational Resilience in the DIFC: How Supervisory Expectations Are Evolving

Written by Johnny Kollin | 02 April 2026 13:15:02 Z

The Dubai Financial Services Authority (DFSA) has published Consultation Paper No. 170 (CP170), proposing a new operational resilience framework for firms operating in or from the Dubai International Financial Centre (DIFC). The proposals mark a significant step in the DFSA’s ongoing alignment with international supervisory standards and reflect a broader global shift in how regulators think about operational risk, disruption, and systemic stability. This article outlines the regulatory background, explains what the DFSA is proposing and why, and summarises Várri Consultancy’s perspective on the regime. We also highlight how firms can begin preparing well before the rules are finalised.

From Operational Risk to Operational Resilience

For many years, regulatory approaches to operational risk focused primarily on prevention: controls, policies, and safeguards designed to reduce the likelihood of failure. While essential, that approach has increasingly been recognised as incomplete.

Recent crises, ranging from the COVID-19 pandemic to large-scale cyber incidents, technology outages, third-party failures, and regional conflicts, have demonstrated that disruptions are inevitable, even in well-controlled organisations. The regulatory question has therefore shifted from whether organisations can adequately prevent and control operational risks to:

Can firms continue to deliver critical services through disruption, and limit harm to users and the financial system when things go wrong?

International Context: Basel and Global Supervisory Standards


On 27 March 2026, the DFSA published CP170. It proposes changes to its rulebook grounded in international standards, in particular the Basel Committee on Banking Supervision’s Principles for Operational Resilience (March 2021) and Basel Core Principle 25, as updated in the 2024 Core Principles for Effective Banking Supervision, which explicitly integrates operational resilience into prudential supervision.

The Basel Committee defines operational resilience as “the ability of a bank to deliver critical operations through disruption.” Crucially, the Basel framework distinguishes critical operations or services from internal business structures. It also introduces the concept of a tolerance for disruption, defined as “the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios.”

The DFSA has proposed adopting this architecture in almost its entirety, tailoring it to the DIFC market and applying it across all Authorised Persons, subject to proportionality.

What DFSA CP170 Proposes

At a high level, CP170 introduces a structured, outcome‑focused operational resilience regime built around five core elements:

  1. Identification of Critical Business Services

  2. Impact Tolerances

  3. Mapping of resources

  4. Scenario testing

  5. Notification of material disruptions

Under the proposals, firms authorised by the DFSA must regularly assess which of their business services, if disrupted, could pose a "material risk" to:

  • users of the firm's financial services provided in or from the DIFC; or

  • the financial stability, reputation, or confidence in the DIFC financial services industry.

Importantly, not all firms will necessarily identify a Critical Business Service. If none are identified, their obligations under the operational resilience regime end there, subject to reassessment and governance approval. If a Critical Business Service is identified, firms must set an Impact Tolerance, i.e., the maximum tolerable level of disruption beyond which harm becomes unacceptable. Impact Tolerances are proposed to be outcome‑based and may be expressed using one or more metrics (e.g., time, volume, or the number of users affected). They are not the same as traditional recovery time objectives (RTOs) used in business continuity planning.

Firms must map and document the minimum set of resources required to deliver each Critical Business Service within its Impact Tolerance. This includes people, processes, technology, facilities, information, and key third‑party or intragroup dependencies. The objective is not exhaustive documentation, but the identification of single points of failure, concentration risk, and substitutability constraints.

Under the proposed regulatory updates, firms will be required to test their ability to remain within Impact Tolerances under severe but plausible disruption scenarios, including scenarios affecting shared resources or multiple services simultaneously. The DFSA has avoided prescribing scenarios or testing frequencies, instead relying on supervisory expectations set out in draft Supervisory Guidelines.

Under the proposed rules, if a disruption breaches, or comes close to breaching, a firm’s Impact Tolerance, the firm must notify the DFSA promptly via its electronic portal.
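The mapping, testing and notification steps above can be modelled on a small scale: a dependency map per Critical Business Service, a catalogue of mapped resources with their substitutes and failover times, and an Impact Tolerance expressed in two metrics (time and volume). The Python below is an added illustration and is not code from the article, from Várri Consultancy or from the DFSA. Every service, resource, substitute, duration and tolerance figure is a constructed assumption, as is the 80% "near breach" threshold used to decide when a notification would be triggered. The model finds single points of failure (mapped resources with no substitute) and runs severe-but-plausible scenarios, including one in which a resource shared by two services fails together with its own substitute, reporting per service whether the firm stays within tolerance.

```python
"""Scenario testing of mapped Critical Business Services against Impact Tolerances.

Added illustration only: not code from the article, Várri Consultancy or the DFSA.
Every service, resource, substitute, duration and tolerance figure below is a
constructed assumption chosen to show the mechanics, not a real firm's data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                         # people, process, technology, facility, information, third_party
    substitute: Optional[str] = None  # resource that can take over, if any (None = no substitute)
    failover_hours: float = 0.0       # time needed to switch to the substitute


@dataclass(frozen=True)
class ImpactTolerance:
    max_outage_hours: float         # time metric
    max_items_delayed: int          # volume metric, e.g. payments not processed
    near_breach_ratio: float = 0.8  # assumption: 80% of either limit counts as "close to breaching"


@dataclass
class ServiceMap:
    service: str
    hourly_volume: int              # items handled per hour in normal operation
    tolerance: ImpactTolerance
    depends_on: dict = field(default_factory=dict)  # node -> set of resources it needs; root is "service"


@dataclass(frozen=True)
class ScenarioResult:
    service: str
    outage_hours: float
    items_delayed: int
    breached: bool      # Impact Tolerance exceeded
    near_breach: bool   # within near_breach_ratio of a limit
    notify: bool        # proposed regime: notify the DFSA on a breach or a near breach


def transitive_dependencies(smap: ServiceMap) -> set:
    """Every resource the service needs, directly or via another mapped resource."""
    seen, stack = set(), ["service"]
    while stack:
        node = stack.pop()
        for dep in smap.depends_on.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def single_points_of_failure(smap: ServiceMap, catalogue: dict) -> set:
    """Mapped resources with no substitute: losing any one of them takes the service down."""
    return {r for r in transitive_dependencies(smap) if catalogue[r].substitute is None}


def run_scenario(smap: ServiceMap, catalogue: dict, failed: set, duration_hours: float) -> ScenarioResult:
    """Disrupt `failed` for `duration_hours` and measure the service outcome against its tolerance."""
    outage = 0.0
    for r in failed & transitive_dependencies(smap):
        res = catalogue[r]
        # Failover only helps if a substitute exists and is not itself lost in the scenario.
        if res.substitute is None or res.substitute in failed:
            outage = max(outage, duration_hours)
        else:
            outage = max(outage, min(duration_hours, res.failover_hours))
    items = round(outage * smap.hourly_volume)
    tol = smap.tolerance
    breached = outage > tol.max_outage_hours or items > tol.max_items_delayed
    near = (outage >= tol.near_breach_ratio * tol.max_outage_hours
            or items >= tol.near_breach_ratio * tol.max_items_delayed)
    return ScenarioResult(smap.service, outage, items, breached, near, breached or near)


# Constructed catalogue of mapped resources (names and figures are assumptions).
CATALOGUE = {
    "payments-app": Resource("payments-app", "technology", "payments-app-dr", 1.0),
    "core-db": Resource("core-db", "technology", "core-db-replica", 0.5),
    "swift-gateway": Resource("swift-gateway", "third_party"),       # no substitute
    "ops-team": Resource("ops-team", "people", "dr-ops-team", 2.0),
    "dubai-office": Resource("dubai-office", "facility", "dr-site", 3.0),
    "custody-app": Resource("custody-app", "technology"),            # no substitute
}

# Two constructed services sharing core-db and ops-team.
PAYMENTS = ServiceMap("Client payments", 250, ImpactTolerance(4.0, 800), {
    "service": {"payments-app", "ops-team", "dubai-office"},
    "payments-app": {"core-db", "swift-gateway"},
})
CUSTODY = ServiceMap("Custody reporting", 40, ImpactTolerance(24.0, 1000), {
    "service": {"custody-app", "ops-team"},
    "custody-app": {"core-db"},
})

# Constructed severe-but-plausible scenarios, including loss of a shared resource together
# with its substitute (the case a per-resource failover plan tends to miss).
SCENARIOS = {
    "third-party gateway down 6h": ({"swift-gateway"}, 6.0),
    "shared db and its replica down 3h": ({"core-db", "core-db-replica"}, 3.0),
    "shared db down 3h, replica available": ({"core-db"}, 3.0),
}


def run_programme() -> dict:
    """Run every scenario against every service; key = (scenario name, service name)."""
    return {(name, smap.service): run_scenario(smap, CATALOGUE, failed, hours)
            for name, (failed, hours) in SCENARIOS.items()
            for smap in (PAYMENTS, CUSTODY)}


if __name__ == "__main__":
    for smap in (PAYMENTS, CUSTODY):
        print(f"{smap.service}: single points of failure = {sorted(single_points_of_failure(smap, CATALOGUE))}")
    for (scenario, service), r in run_programme().items():
        print(f"{scenario:40} {service:18} outage={r.outage_hours:4.1f}h items={r.items_delayed:5d} "
              f"breach={r.breached} near={r.near_breach} notify={r.notify}")
```

Two points the run makes that a prose map does not: the third-party gateway is the only single point of failure for payments, so a six-hour outage there breaches both the time and the volume limit; and losing the shared database together with its replica breaches neither limit for payments but crosses the constructed near-breach line on volume, so it would still be a notification event, while the same scenario leaves custody reporting comfortably inside its much wider tolerance. The difference between the last two scenarios is exactly the substitutability constraint the mapping exercise is meant to surface.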

Governance at the Centre

A defining feature of the DFSA’s proposal is its emphasis on governance. Both the outcome of the Critical Business Services identification exercise and the Impact Tolerances themselves must be approved by the firm’s Governing Body under the draft updates. In our view, this reflects a clear supervisory message that the tolerance for disruption and judgments about harm to users or markets are matters of board-level accountability.

Alignment with ISO and Existing Management Systems

While CP170 is a regulatory framework rather than a certification standard, it aligns with the logic of widely adopted ISO management system standards, particularly ISO 22301 (Business Continuity Management) and ISO/IEC 27001 (Information Security Management).

These standards similarly require organisations to:

  • identify critical activities or assets;

  • assess the impacts of disruption;

  • establish acceptable limits for service degradation or interruption; and

  • test response and recovery capabilities.

The DFSA’s Impact Tolerance concept complements these frameworks by reframing internal continuity metrics in terms of external harm and systemic impact, rather than internal recovery convenience. For firms already operating ISO‑aligned frameworks, CP170 should therefore feel evolutionary rather than revolutionary.

Várri Consultancy’s View

We broadly support the DFSA’s proposed framework. In our view, CP170 is:

  • well aligned with international standards;

  • proportionate by design;

  • clear in its governance expectations; and

  • appropriately focused on outcomes rather than prescriptive processes.

We particularly welcome:

  • the explicit exit from the regime where no Critical Business Service is identified;

  • the flexibility around Impact Tolerance metrics; and

  • the avoidance of rigid scenario testing requirements.

As with any principles‑based regime, successful implementation will depend on the quality of analysis, documentation, and governance discipline, especially in the early years. Firms that approach operational resilience as a box‑ticking exercise are likely to struggle. Those that integrate it into risk governance and strategic decision‑making will be better placed.

How Várri Consultancy Can Help

Várri Consultancy advises boards, senior management, and control functions on governance, risk, and regulatory transformation across the UAE (including ADGM and DIFC) and internationally. In the context of CP170, we support firms at each stage of the journey, including:

  • Critical Business Services assessments: We help firms design and evidence proportionate identification exercises, aligned with DFSA expectations and defensible under supervisory scrutiny.

  • Impact Tolerance frameworks: We assist boards and management in defining Impact Tolerances that are outcome‑focused, consistent with the firm’s risk appetite, and aligned with existing ISO, BCM, and ICT frameworks.

  • Resource mapping and third‑party dependency analysis: We support targeted, practical mapping that highlights real vulnerabilities without unnecessary complexity.

  • Scenario testing design: We help firms develop severe‑but‑plausible scenarios that are meaningful, credible, and proportionate to their business model.

  • Governance and board engagement: We work with governing bodies, whether supervisory boards or boards of directors, to ensure approvals, challenges, and oversight are properly structured, documented, and embedded into existing governance cycles.

Firms that engage early, before final rules take effect, will be best placed to implement efficiently, avoid supervisory friction, and strengthen their resilience in practice, not just on paper. If you would like to discuss how CP170 may apply to your organisation, Várri Consultancy would be pleased to assist.