How to map your business functions

Read this step-by-step guide on how to identify and map out your critical or important business functions.

Introduction

Mapping business functions and identifying critical or important functions within a financial services regulated company is essential for compliance with the Digital Operational Resilience Act (DORA). This guide outlines a clear, step-by-step approach to help you identify and map these functions and their supporting ICT services.

Step 1: Identify Critical or Important Functions

Determine which business functions qualify as critical or important under DORA:

  1. Review Existing Regulatory Frameworks

    • Identify functions already classified as critical or important under:
      • EBA Outsourcing Guidelines
      • MiFID II
      • Solvency II
    • Review functions deemed critical under the Bank Recovery and Resolution Directive (BRRD).
  2. Apply DORA's Broad Definition

    Evaluate whether other functions meet DORA's definition of critical or important. These include functions that, if disrupted, would:

    • Materially affect the financial performance of the institution.
    • Impact the quality of its services or activities.
    • Hinder the institution’s ability to comply with regulatory obligations.
  3. Consider Exemptions

    • Note that certain functions or services exempt under existing outsourcing regulations may still fall within DORA’s scope.

Note: upload details of your business functions within Adoptech (Company Profile - Business Functions). This is mandatory if you wish to generate a Register of Information (RoI).

Step 2: Identify Supporting ICT Services

After identifying critical or important functions, map out the ICT services that support them:

  1. Define ICT Services

    • ICT services include digital and data services provided via ICT systems to internal or external users. Examples include Hardware as a Service (HaaS), SaaS, IaaS and PaaS.
    • Exclude traditional analogue telephone services.
  2. Scope of ICT Services

    • Focus on ICT services directly involved in operating the critical or important functions.

Step 3: Apply the Proportionality Principle

DORA implementation should consider the institution’s size, risk profile, and operational complexity. Follow these guidelines:

  1. Materiality Assessment

    • Evaluate the materiality of each ICT service supporting critical or important functions.
    • Categorise these services based on their significance to the function.
  2. Tailored Implementation

    • Assign varying levels of treatment to ICT services based on their materiality assessment to ensure proportionality in DORA implementation.

Conclusion

Mapping critical or important functions and their supporting ICT services is a foundational step toward achieving DORA compliance. By following this guide, financial institutions and their suppliers can align with regulatory expectations while leveraging the proportionality principle to implement tailored, effective strategies.