Counting down to DORA - Mapping & classification of ICT services ‘supporting’ critical or important functions

Blog
17.05.2024
Mapping ICT services that support 'critical or important functions' of financial institutions is an important step in the implementation of DORA. These services are subject to additional requirements under DORA, including for contracting. Our fifth DORA blog explores what critical or important functions are, and how best to identify these functions and the ICT services that support them.

DORA defines a critical or important function as 'a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.'

In other words, these are functions that, if they are disrupted, would materially affect (i) the financial performance of the financial institution; (ii) the quality of its services and activities; and (iii) its ability to comply with regulatory obligations. If an ICT service supports a critical or important function, more stringent DORA requirements apply. These include, amongst other things, additional contractual provisions to be included in the contractual arrangements for such ICT services (article 33(3) DORA) and the establishment of exit strategies (article 28(8) DORA).

  • Mapping critical or important functions

    Financial institutions will need to map their critical or important functions under DORA on a function-by-function basis. Certain financial institutions, such as banks, insurance companies, investment firms and payment service providers, may already be familiar with this exercise, having mapped certain 'critical or important functions' within their operations to ensure compliance with, for example, MiFID II, Solvency II and the EBA Guidelines on Outsourcing (EBA Guidelines). Similarly, banks and investment firms have had to map 'critical functions' for the purpose of the recovery and resolution rules set out in the Bank Recovery and Resolution Directive (BRRD).

    However, the exercise required under DORA is not identical. Although the definition of a 'critical or important function' in DORA is clearly inspired by the definitions in the EBA Guidelines and MiFID II, a relevant distinction is that the latter definitions refer specifically to functions related to the soundness or continuity of banking, payment and investment services, respectively. In contrast, the definition in DORA covers functions related to the soundness or continuity of all types of services and activities of the financial institution. Furthermore, both MiFID II and the EBA Guidelines explicitly exclude certain functions and services from the scope of the outsourcing rules (e.g. the provision of standardised services, such as market information services), whereas these do not appear to be excluded from the scope of DORA.

    A recital to DORA provides that the definition of a critical or important function encompasses 'critical functions' as defined in the BRRD. This definition covers activities, services and operations of the financial institution whose discontinuance would likely lead to a disruption of services that are essential to the real economy or disrupt the financial stability of one or more EU member states. This can be due to the size, market share, external and internal interconnectedness, complexity or cross-border activities of this financial institution or its group. In contrast, the definitions provided in MiFID II and the EBA Guidelines are broader and do not only cover functions with potential systemic impact. The EBA Guidelines also acknowledge this difference between the two definitions. Nevertheless, this recital to DORA makes clear that these critical functions under the BRRD should in any case be understood as critical or important functions for the purposes of DORA.

    Further to the above, we think it makes sense that the first step for a financial institution undertaking its mapping exercise under DORA should be to identify functions that are already deemed 'critical or important' under existing regulatory frameworks (such as the EBA Guidelines, Solvency II and MiFID II) or 'critical' under the BRRD, as applicable. However, it should then also assess whether other functions, such as those exempted under the existing regulatory framework, could meet the broader DORA definition.

  • Mapping ICT services that support a critical or important function

    Having mapped these functions, the next step is to determine which ICT services support these functions. DORA does not define when an ICT service is considered to support a function. A broad interpretation of the word 'supporting' suggests that any service used in the operation of a function falls within the scope, regardless of whether its disruption would materially affect the function itself. Alternatively, it could be argued that 'support' should only refer to those services whose disruption actually affects the operation of the function, and therefore that a certain materiality test can be applied. This interpretation would exclude those services from the category of ICT services that support a critical or important function.

    Although this alternative interpretation may not be directly supported by the text of DORA, reference can be made to the proportionality principle in Article 4 of DORA. This principle supports an implementation of DORA's requirements in a manner that is proportionate to the size and overall risk profile of the financial institution, as well as the nature, scale and complexity of its services, activities and operations. This principle allows an institution, in complying with DORA, to differentiate between certain ICT services that are all used in the operation of a critical or important function, but the relevance of each of these services to that function may differ significantly.

    For example, suppose a bank's mortgage origination process is a critical or important function for that bank, and the cloud-based customer journey includes a digital signature option. The cloud service is likely to be an ICT service that should be considered as materially supporting this function, while the bank may already offer various alternatives to a digital signature. Taking into account the materiality of each of these services, an institution may decide that the cloud service warrants a more extensive audit and monitoring process, while the digital signature service requires only a limited exit strategy because it is easily replaceable and will not affect the performance of the function if disrupted.

  • What this means for you

    To ensure DORA compliance, financial institutions will need to conduct mapping exercises to identify 'critical or important functions' and the ICT services that support them. Relevant financial institutions can build on similar exercises performed for purposes of for example MiFID II, Solvency II, the EBA Outsourcing Guidelines and the BRRD, and the functions identified as critical or important as a result thereof. However, DORA has a broader scope. Having identified the critical or important functions, the next step is to identify which ICT services support these critical functions. The interpretation of which services provide support and the application of DORA's proportionality principle in this regard, may result in certain ICT services that support a critical or important function being treated differently from other ICT services that support the same function.

  • Download: flowchart

    To further assist a financial institution, our DORA team has also prepared a flowchart for this mapping exercise.

  • Counting down to DORA blog series

Related articles

Cookie notification

This functionality uses third-party cookies. Change your cookie preferences to view this content or view more information.
These cookies ensure that the website works properly. These cookies cannot be disabled.
These cookies can be placed by third parties, such as YouTube or Vimeo.
By deactivating categories, it is possible that related functionalities within the website may no longer work properly. It is always possible to change your preferences at a later time. View more information.