As regulators across Europe, the UK and Asia tighten expectations around operational resilience, software testing and quality assurance teams are finding themselves closer to the centre of supervisory scrutiny than ever before.
From the EU’s Digital Operational Resilience Act (DORA) regulation to the Bank of England’s operational resilience regime and Singapore’s technology risk frameworks, regulators are converging on a common question: can financial institutions demonstrate, through testing, that critical services will continue to operate under severe disruption?
The shift reflects a broader re-framing of resilience away from theoretical controls and towards evidence-based assurance.
Scenario testing, impact tolerance validation and technology resilience testing are no longer peripheral exercises. They are becoming core regulatory tools used to assess whether firms truly understand how their systems, processes and third-party dependencies behave when things go wrong.
Against this backdrop, the Central Bank of Ireland has published updated cross-industry guidance that reinforces this global regulatory direction and places explicit emphasis on scenario testing, ICT resilience and the role of operational testing in safeguarding critical services.
Resilience framework built on disruption
In its Cross Industry Guidance on Operational Resilience, the Central Bank defines operational resilience as “the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.”
The phrasing mirrors international regulatory thinking, particularly in the EU and UK, where resilience is framed not as the absence of incidents, but as the ability to withstand and recover from them.
For QA and software testing teams, this definition signals a clear expectation that testing strategies must extend beyond traditional functional validation.
“It’s not about what happens to a firm, but how a firm is able to withstand and respond.”
– Central Bank of Ireland
Resilience is positioned as an ongoing capability that spans preparation, response, recovery and learning, with testing embedded throughout the lifecycle rather than confined to pre-production stages.
The Guidance is structured around three pillars: Identify and Prepare; Respond and Adapt; and Recover and Learn.
Within this structure, scenario testing and ICT resilience emerge as critical mechanisms for demonstrating that firms can remain within acceptable levels of disruption when faced with severe but plausible events.
Scenario testing as regulatory evidence
The Central Bank’s Guidance explicitly defines scenario testing as “the assessment of a firm’s ability to remain within its impact tolerance for each of its critical or important business services in the event of a severe, but plausible, disruption of its operations.”
This outcome-focused framing aligns closely with the expectations set out under DORA and the Bank of England’s resilience framework, both of which require firms to evidence how systems perform under stress rather than merely documenting controls.
Importantly, the Guidance emphasises that operational resilience is “not about what happens to a firm, but rather, how a firm is able to withstand and respond to an incident when it does occur.”
For testing teams, this shifts the emphasis from preventing failure to validating behaviour under failure conditions, a subtle but significant change in regulatory tone.
Scenario testing under this model must therefore interrogate real operational dependencies, including technology platforms, data flows and third-party services.
It also places pressure on firms to ensure that test environments, scenarios and assumptions are sufficiently robust to reflect real-world disruption rather than idealised failure modes.
ICT resilience and QA ownership
The Guidance reinforces the role of ICT resilience as a foundational element of operational resilience programmes.
While not prescribing specific tools or methodologies, it makes clear that resilience must be integrated into governance, risk management and assurance structures. Operational resilience frameworks, the document states, should be “integrated into the firm’s governance structures.”
This integration has direct implications for QA and testing functions, which are increasingly expected to provide measurable evidence that technology systems can support critical services within defined impact tolerances.
Rather than testing isolated applications, QA teams are being drawn into cross-functional resilience testing that spans infrastructure, cloud services, data platforms and external providers.
The approach reflects wider regulatory expectations under DORA, which mandates ICT risk management, digital resilience testing and enhanced oversight of third-party technology providers across the EU financial system.
Global regulation
While rooted in the Irish supervisory context, the Central Bank’s Guidance is explicit in its alignment with international standards.
It noted that the framework is intended to support firms regardless of their formal regulatory obligations, stating that “this Guidance will benefit and aid all firms, whether subject to DORA or not, in strengthening their operational resilience.”
This positioning echoes similar expectations from the Bank of England, where firms must demonstrate through testing that important business services can remain within impact tolerances during disruption, and from Singapore’s Monetary Authority, which continues to emphasise scenario-based testing within technology risk management frameworks.
For QA leaders, the message is increasingly consistent across jurisdictions: resilience testing must be systematic, scenario-driven and directly tied to business outcomes.
Testing artefacts, results and remediation plans are no longer purely internal tools; they are becoming supervisory evidence.
From testing activity to resilience assurance
Taken together, the Central Bank of Ireland’s Guidance reinforces a regulatory shift that places QA and software testing teams at the heart of operational resilience programmes.
Scenario testing is no longer an abstract exercise but a mechanism for validating that critical services can survive disruption without causing unacceptable harm.
As financial services firms continue to digitise and rely on complex technology ecosystems, the burden on testing teams will continue to grow.
The challenge is not simply to test more, but to test differently, designing scenarios that reflect real threats, validating recovery paths and translating technical results into assurance that boards and regulators can rely on.
In that sense, operational resilience is becoming one of the clearest examples of how regulatory pressure is reshaping the role of QA from a delivery function into a core pillar of financial stability.
QA FINANCIAL EVENTS
Why not become a QA Financial subscriber?
It’s entirely FREE
* Receive our weekly newsletter every Wednesday * Get priority invitations to our Forum events *
REGULATION & COMPLIANCE
Looking for more news on regulations and compliance requirements driving developments in software quality engineering at financial firms? Visit our dedicated Regulation & Compliance page here.
READ MORE
- Why real-time monitoring and scenario testing are becoming core QA disciplines
- BankDhofar takes an automated approach to strengthen QA
- Banks warned AI still fails on real-world software testing tasks
- SEC’s AI emphasis drives new QA and testing imperatives for US banks
- Inside the chaos: The new reliability discipline reshaping banking QA
WATCH NOW
QA FINANCIAL PODCASTS
