DFSA’s Operational Resilience Consultation: What It Really Means for Firms

Unpacking the DFSA Operational Resilience Consultation

If you’re operating in the Dubai International Financial Centre (DIFC), the Dubai Financial Services Authority (DFSA) has just released a new consultation paper (CP170) that should be on your radar.

The key message is simple: the financial world is becoming more complex, digital, and connected, and that means things are bound to break from time to time.

Instead of just trying to prevent problems, the DFSA is shifting the focus toward operational resilience. They want to ensure that even when the unexpected happens, like a cyber-attack, a power outage, or a wider system failure, your most critical services keep running, or at least recover quickly enough to protect your clients and the stability of the market.

What follows is a rundown of what they are proposing and what it might mean for you.

The Big Idea: It’s Not About Being Perfect; It’s About Being Ready

Historically, firms focused heavily on preventing disruptions. The reality, however, is that total prevention isn’t always possible.

The new approach acknowledges that disruptions will happen. The goal is now to make sure that when they do, your business can adapt, respond, and get back on track without causing significant harm to your customers or the reputation of the DIFC.

This is a major step toward aligning with international standards such as the UK regime, the Basel Principles, and the EU’s DORA framework, which is great news for the global standing of the DIFC.

Comparison With the UK and the EU DORA

| Topic | DFSA CP170 (DIFC) | UK Regime | EU DORA |
|---|---|---|---|
| Core Focus | Critical business services and market/user harm | Important business services and staying within impact tolerance | Digital operational resilience, with strong ICT-risk emphasis |
| Applicability | All Authorised Persons must assess; only firms identifying critical services go deeper | In-scope firms had to identify key business services and meet tolerances by 31 March 2025 | Applies from 17 January 2025 to a broad range of EU financial entities |
| Governance | Governing Body approval of service identification and impact tolerances | Board/senior management accountability is central | Management body responsible for ICT risk framework |
| Mapping | Minimum resources, interdependencies, third parties, concentration risk | Mapping of people, processes, technology, facilities and information | Strong focus on ICT assets, dependencies and third-party ICT arrangements |
| Testing | Severe but plausible scenario testing | Severe but plausible testing expected; firms should already stay within tolerance | Digital resilience testing, including advanced testing/TLPT for certain entities |
| Notifications | Immediate DFSA notification when breach or near-breach of tolerance occurs | Incident reporting exists, but framework focuses on tolerance compliance and service continuity | Formal ICT incident reporting and oversight framework are more prescriptive |
| Third-Party Angle | Addressed through mapping and interdependencies | Important, especially where service delivery depends on vendors | Much more explicit and detailed, including ICT third-party registers and oversight of critical ICT providers |
| Implementation | Proposed 24-month implementation period | Rules in force from 31 March 2022; deadline to meet tolerances was 31 March 2025 | Regulation applies from 17 January 2025 |

A Deep Dive Into the New Framework’s Five Pillars

The proposed regime is built on a logical, risk-based progression. It forces firms to move beyond high-level policy statements and into granular operational analysis.

1. Identification of Critical Business Services

The regime correctly avoids a one-size-fits-all trap. Instead, the burden is placed on the Authorised Person to perform a systematic assessment.

A service is deemed critical if its disruption would cause material harm to clients or threaten the stability, reputation, or confidence of the DIFC financial ecosystem.

Action Item

Firms must define the service from the perspective of the end-user, not just an internal business unit. You must be able to articulate why specific services are critical based on objective impact criteria.

2. Setting Impact Tolerances

Once critical services are identified, the firm must quantify its red line. An impact tolerance represents the maximum tolerable level of disruption, measured in time, transaction volume, or value, beyond which the impact becomes unacceptable.

Action Item

These numbers cannot be arbitrary. You must justify your thresholds based on how much pain your clients or the market can realistically withstand before systemic harm occurs.

3. Resource Mapping and Interdependency Analysis

This is arguably the most critical technical component. True resilience lives or dies in the mapping. Most failures occur due to hidden concentration risks or single points of failure that aren’t obvious in a standard org chart.

Action Item

Firms must map the minimum combination of resources required to deliver critical services. This includes people, proprietary technology, third-party vendors, physical facilities, and critical data sets.

4. Severe but Plausible Scenario Testing

The DFSA is moving the goalposts for maturity. Desktop walkthroughs or passive business continuity plans are not sufficient anymore. You are now expected to conduct severe but plausible scenario testing to verify that your business can remain within its predefined impact tolerances during actual crises.

Action Item

Your scenarios should stress-test your resilience against diverse vectors: cyber-attacks, vendor outages, mass staff unavailability, or systemic data corruption. The paper stresses the outcome (staying within tolerance) rather than just the process of responding.

5. Material Disruption Notification

This requires robust monitoring and alerting mechanisms. Regulators are increasingly seeking earlier visibility into operational fires before they cascade into wider conduct or prudential issues.

Action Item

If a major disruption happens, or if you’re getting dangerously close to breaking your tolerance limits, you’ll need to notify the DFSA immediately through their portal. Also, your internal escalation paths must be tight enough to ensure that the regulatory notification is triggered before a total system collapse.
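Pillars 2 to 5 describe one chain of analysis: quantify an impact tolerance per critical service, map the minimum resources each service needs, flag resources shared across services (concentration risk), simulate a severe but plausible loss of resources, and raise a notification when a service breaches or comes close to its tolerance. The script below is an added example that walks that chain end to end on a constructed, hypothetical firm. It is not from CP170, the DFSA, or Paragon Consulting Partners. The service names, the vendor "Cloud Host X", the recovery times, the modelling rule that a service's outage equals the longest recovery time among its lost resources, and the 80% near-breach threshold are all assumptions made for illustration; the regulator's own expectations for how to measure "dangerously close" are not stated on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One entry on the minimum-resource map (people, technology, vendor, facility, data)."""
    name: str
    kind: str              # e.g. "people", "technology", "third_party", "facility", "data"
    recovery_hours: float  # assumed time to restore the service once this resource is lost


@dataclass(frozen=True)
class CriticalService:
    name: str
    tolerance_hours: float  # impact tolerance expressed in time (one of the page's three metrics)
    resources: tuple        # minimum combination of resources; losing any one disrupts the service


def concentration_risks(services, kinds=None):
    """Return resources that more than one critical service depends on.

    These shared dependencies are the hidden single points of failure that do not
    show up on an org chart. `kinds` optionally limits the check, e.g. ("third_party",).
    """
    dependents = {}
    for svc in services:
        for res in svc.resources:
            if kinds is None or res.kind in kinds:
                dependents.setdefault(res, []).append(svc.name)
    return {res: names for res, names in dependents.items() if len(names) > 1}


def run_scenario(services, failed, warning_ratio=0.8):
    """Severe-but-plausible scenario: `failed` is the set of resources lost at once.

    Modelling assumption for this example: a service's outage is the longest recovery
    time among its lost resources. Returns {service name: (outage_hours, status)}.
    """
    outcome = {}
    for svc in services:
        lost = [r for r in svc.resources if r in failed]
        outage = max((r.recovery_hours for r in lost), default=0.0)
        if outage > svc.tolerance_hours:
            status = "BREACH"
        elif outage >= warning_ratio * svc.tolerance_hours:
            status = "NEAR_BREACH"  # the "dangerously close" case that must still be notified
        else:
            status = "WITHIN_TOLERANCE"
        outcome[svc.name] = (outage, status)
    return outcome


def notifications_required(outcome):
    """Services for which an immediate regulator notification would be triggered."""
    return sorted(name for name, (_, status) in outcome.items() if status != "WITHIN_TOLERANCE")


# Constructed sample data for a hypothetical firm; every number is illustrative only.
CORE_BANKING = Resource("core banking platform", "technology", 6.0)
CLOUD_HOST = Resource("Cloud Host X (hypothetical vendor)", "third_party", 3.5)
OPS_TEAM = Resource("payments operations team", "people", 2.0)
CLIENT_DATA = Resource("client positions dataset", "data", 8.0)


def sample_services():
    """Two critical services sharing one third-party dependency (CLOUD_HOST)."""
    return (
        CriticalService("Payments", 4.0, (CORE_BANKING, CLOUD_HOST, OPS_TEAM)),
        CriticalService("Custody reporting", 24.0, (CLOUD_HOST, CLIENT_DATA)),
    )


if __name__ == "__main__":
    services = sample_services()
    for res, names in concentration_risks(services).items():
        print(f"concentration risk: {res.name} ({res.kind}) supports {names}")
    scenarios = [("cloud host outage", {CLOUD_HOST}), ("core banking failure", {CORE_BANKING})]
    for label, failed in scenarios:
        outcome = run_scenario(services, failed)
        print(f"{label}: {outcome} -> notify for {notifications_required(outcome)}")
```

Two design points carry over to a real assessment. First, the resource map is deliberately a set of hard dependencies, so the concentration check surfaces a vendor that two services silently share even though neither service owner would list it as a risk on its own. Second, the near-breach status is computed from the same tolerance number the Governing Body signed off, so the escalation trigger is tied to the documented red line rather than to an ad hoc judgement during the incident.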

Key Takeaways for Your Governance Team

Don’t panic. You aren’t expected to flip a switch overnight. That said,

  • Governing Body Oversight:
    The DFSA explicitly requires the Governing Body to sign off on the identification of critical services and the setting of impact tolerances.
  • The Timeline:
    You have a two-year implementation window. The first 12 months should be dedicated to identification and mapping, while the second 12 months should be spent maturing your scenario testing and embedding these processes into your business-as-usual operations.

By the end of this 24-month period, you will be expected to demonstrate, with documented evidence, that you can maintain your most essential services even in the face of significant, realistic operational stress.

What’s Next?

The DFSA is currently looking for feedback.

If you have any thoughts on whether these rules are practical, whether the Governing Body should be responsible for the sign-offs, or if the 24-month timeline feels right, you have until 26 May 2026 to submit your comments via the DFSA’s online response form.

The regulator is listening, and this is your chance to help shape the rules before they are finalized.

How Paragon Consulting Partners Can Help

As you begin your assessment, has your firm started identifying its primary interdependencies, or are you still in the early stages of defining what “critical” looks like for your business model?

Whether you need:

  • an initial gap analysis to identify your critical business services,
  • expert support in mapping your complex resource interdependencies, or
  • the design and execution of rigorous scenario-testing exercises,

our team provides the hands-on advisory and assurance needed to ensure you are fully compliant and operationally prepared.

Leverage the expertise of risk and resilience practitioners who have done this before in other jurisdictions.

Let us help you turn these new requirements into a competitive advantage by building your firm’s resilience from the ground up.

Get in touch with us today!