CP170: the DFSA’s operational resilience regime for DIFC firms

The Dubai Financial Services Authority (DFSA) has set out how it expects firms in the Dubai International Financial Centre to keep running when something breaks. Consultation Paper 170 (CP170) proposes a new operational resilience framework in the General Module of the Rulebook. The consultation closed on 26 May 2026, and the DFSA expects to finalise the rules by the end of the year.

The regime applies broadly: banks, investment firms, insurers, advisers and fintechs, along with the DIFC branches of international groups. Few authorised firms will fall outside it.

At its centre are five tasks:

• Identify the business services that matter enough that losing them would harm clients or the wider market.
• Set an impact tolerance for each – the most disruption the firm can absorb before that harm becomes real.
• Map the people, systems and third parties each service depends on.
• Test whether the service holds up under severe but plausible scenarios, including ones where several services fail at once because they share a supplier or a piece of infrastructure.
• Tell the DFSA promptly when a tolerance is breached, or nearly breached.

The change of posture matters more than the list. Operational risk management has tended to ask how a firm prevents failure. Operational resilience starts from the opposite assumption: disruption will happen, and the firm must keep its critical services within tolerance when it does. A tested business continuity plan is a useful input. It is not the same thing, and it will not satisfy the regime on its own.

That is where most of the work sits, and where the gap usually opens. Impact tolerances have to be backed by evidence. Dependency maps have to reach into outsourced and group-provided services that the DIFC entity does not directly control. A group resilience framework rarely maps cleanly onto a single DIFC-authorised entity. Testing has to be documented and ready for the regulator on request.

None of this is finished by the end of 2026. The DFSA expects to publish Supervisory Guidelines alongside the final rules and to allow a transition period before firms must demonstrate full compliance. The months ahead are for the unglamorous groundwork: deciding which services are genuinely critical, mapping what they rest on and finding where a settled arrangement quietly falls short of what the regime will expect.

Operational resilience belongs on the board agenda now, while there is time to do the work deliberately. The firms that fare well in supervision will be the ones already mapping their critical services, evidencing tolerances and closing gaps before the rules are final. We work with DIFC firms on exactly that – identifying critical services, mapping the technology and third parties beneath them, then building the evidence the DFSA will look for.

References

1. Consultation Paper 170 – Operational Resilience, DFSA Rulebook.
2. Consultation Papers, Dubai Financial Services Authority.
3. DFSA proposes new operational resilience regime for DIFC firms, Pinsent Masons (Out-Law).
4. DFSA consults on new operational resilience framework, CMS.