Artifact GuideEU

DORA Critical or Important Functions

Classify financial-entity functions, map the ICT services that support them, and preserve the evidence DORA expects across contracts, registers, incidents, testing, and exit planning.

For ICT risk, resilience, outsourcing, procurement, legal, security operations, incident response, audit, and business-service owners who need the classification to drive real controls rather than sit in a spreadsheet.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under DORA, a critical or important function is not just a label for a business process. It determines which ICT services need tighter risk assessment, contract controls, subcontractor visibility, register-of-information records, testing coverage, and incident classification. The practical task is to connect each regulated financial service or activity to the ICT systems, providers, data locations, subcontractors, continuity assumptions, and evidence that keep it available and secure.

Section 1

What counts as a critical or important function under DORA?

DORA defines a critical or important function by impact: the function is critical or important when a defect or failure in its performance would materially impair a financial entity's financial performance, soundness, continuity of services and activities, or continued compliance with authorisation conditions and regulatory obligations. The assessment therefore starts with the business function and its regulated service, not with the vendor catalogue.

Use one classification record per function and licensed activity. A payments incident response platform, trading venue matching engine, securities settlement workflow, client authentication service, or actuarial calculation process may be supported by many ICT services; the function classification should explain why disruption to those ICT services would or would not impair the regulated activity.

  • Name the financial entity, licensed activity, function name, and function owner.
  • State whether the function is critical or important, not critical or important, or not yet assessed.
  • Document the impact rationale: financial performance, soundness, service continuity, authorisation, or regulatory compliance.
  • Link the function to each supporting ICT system, ICT service type, data set, location, internal service owner, and third-party provider.
  • Record the trigger for reassessment, such as a new ICT service, major architecture change, outsourcing change, incident, concentration finding, or business-service redesign.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Defines critical or important functions by the effect that defective or failed performance would have on a financial entity's performance, soundness, continuity, authorisation, or regulatory obligations.
Implementing Regulation (EU) 2024/2956 on the register of information
Requires register templates to identify functions with a function identifier and a criticality or importance assessment.
Section 2

Map ICT dependencies before approving or changing the function

A useful DORA classification is a dependency map. For each function, identify the ICT services that support it, the direct ICT third-party service provider, the contractual arrangement reference number, the service location, data-processing and storage locations, and whether the service is concentrated in one provider or a small provider group.

The map should cover intra-group providers as well as external providers. DORA and the contract-policy RTS treat ICT intra-group service providers as ICT third-party service providers for this purpose; internal group sourcing can change the risk profile but does not remove the need for documented oversight.

  • Assign a stable function identifier and keep it consistent across entity, sub-consolidated, and consolidated register views.
  • For each supporting ICT service, record the ICT service type, service owner, provider identifier, contract reference, data category, processing and storage locations, and continuity dependency.
  • Identify single points of failure, provider concentration, technology-specific lock-in, and limited transferability to another provider.
  • Mark which ICT services support critical or important functions so incident playbooks, audit plans, business continuity plans, and contract reviews use the same scope.
  • Keep evidence that data quality checks were performed: accuracy, completeness, consistency, integrity, uniformity, and validity.
Sources for this answer
Implementing Regulation (EU) 2024/2956 on the register of information
Explains that the register links contractual arrangements, provider identifiers, function identifiers, and ICT service types, and that register data must be accurate and consistent.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
Requires the contract policy to account for ICT service type, provider location, data location, concentration, transferability, and disruption impact for ICT services supporting critical or important functions.
Section 3

Use the register of information as the operating record

DORA's register of information is more than a vendor inventory. It is the record that lets a financial entity, group, supervisor, and Lead Overseer see which ICT contracts and providers support which functions. If the criticality decision is separate from the register, the organization will struggle to prove why a contract, subcontractor, incident, or TLPT scope was treated as higher risk.

The register should make the dependency chain reviewable. For ICT services supporting critical or important functions, the register must include subcontractors that effectively underpin those services, including subcontractors whose disruption would impair the service's security or continuity.

  • Keep the function identifier, contract reference number, financial-entity LEI or EUID, provider identifier, and ICT service type aligned across register templates.
  • Use one row per valid value where a template field has multiple valid values, rather than burying multiple providers, locations, or services in a note field.
  • Include entity, sub-consolidated, and consolidated views where applicable so group-level register data reconciles with entity-level records.
  • Record direct ICT providers at rank 1 and subcontractors at higher ranks in the ICT service supply chain.
  • Add only relevant additional information, such as internal control IDs or service-tier mappings, without changing the mandatory register data model.
Sources for this answer
Implementing Regulation (EU) 2024/2956 on the register of information
Provides the standard register templates, supply-chain ranking rules, required identifiers, group-level register expectations, and data quality principles.
Regulation (EU) 2022/2554 (DORA)
Requires financial entities to maintain and update a register of information for contractual arrangements on ICT services provided by ICT third-party service providers.
Section 4

Translate the classification into third-party and subcontractor controls

When an ICT service supports a critical or important function, DORA expects stronger lifecycle control before and during the contract. The contract policy should define how the entity determines which ICT services support critical or important functions, when that assessment is reviewed, who approves and monitors the contract, what due diligence is required, what assurance is accepted, and when exit planning is tested.

Subcontracting needs its own control record. Before allowing a provider to subcontract ICT services supporting critical or important functions or material parts of them, assess whether the provider can identify and monitor relevant subcontractors, pass through access and inspection rights, maintain continuity through the subcontracting chain, notify material changes in time, and support termination where changes exceed the entity's risk tolerance.

  • Before contract signature or material change, complete risk assessment, provider due diligence, concentration analysis, information-security review, continuity review, and approval evidence.
  • Put in writing the service description, performance targets, reporting obligations, access and audit rights, testing rights, incident obligations, termination rights, and exit plan.
  • Do not rely solely on certifications or audit reports over time; verify their scope, freshness, control coverage, testing basis, and right to request scope changes or individual and pooled audits.
  • For subcontractors, assess service type, subcontracted service type, subcontractor and parent-company location, chain length, data shared, group relationship, supervisory status, concentration, transferability, and disruption impact.
  • Treat intra-group ICT providers and intra-group subcontractors as in-scope providers when they support critical or important functions.
Sources for this answer
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
Specifies contract-policy content for ICT services supporting critical or important functions, including methodology, governance, due diligence, audits, monitoring, exit plans, and annual review.
Delegated Regulation (EU) 2025/532 on subcontracting ICT services
Specifies the elements to determine and assess when ICT services supporting critical or important functions are subcontracted.
Section 5

Connect critical-function mapping to incidents, testing, and resilience evidence

Critical or important function mapping changes operational response. Under the incident classification RTS, incidents affecting ICT services or network and information systems supporting critical or important functions are treated as incidents affecting critical services. Malicious unauthorised access to systems supporting those functions is singled out as a serious reporting concern, and service downtime thresholds are tighter where critical or important functions are involved.

Testing also depends on the classification. DORA requires annual appropriate testing of ICT systems and applications supporting critical or important functions for financial entities other than microenterprises. For entities selected for TLPT, the TLPT scope must cover several or all critical or important functions, identify the underlying ICT systems, processes, technologies, and outsourced or contracted ICT services, and preserve the rationale for including or excluding functions from the test scope.

Is every important business process a DORA critical or important function?

No. The DORA classification depends on the impact of defective or failed performance on the financial entity's financial performance, soundness, service continuity, authorisation conditions, or regulatory obligations. A process can be operationally useful without meeting that DORA impact test.

What evidence proves that a DORA critical or important function is mapped properly?

Keep the function identifier, criticality rationale, licensed activity, owner, supporting ICT systems, ICT service types, direct providers, contract references, data locations, subcontractor chain, continuity assumptions, incident classification links, test scope decisions, approvals, and reassessment triggers.

  • Feed the function map into incident classification so responders know whether affected systems support critical or important functions.
  • Store incident evidence by function: affected ICT services, affected clients or financial counterparts, downtime, data losses, transactions, economic impact, cross-border effects, root cause, and remediation.
  • Use the same function list for business continuity, response and recovery, vulnerability testing, penetration testing, and TLPT scoping.
  • For TLPT, retain the scope specification, targeted threat intelligence report, red team test plan, red team and blue team reports, summary findings, remediation plan, and attestation.
  • When a third-party provider supports a tested function, document how the provider participated or why a pooled TLPT approach was used.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Links critical or important functions to incident criticality, including incidents affecting supporting ICT services and malicious unauthorised access to supporting systems.
Regulation (EU) 2022/2554 (DORA)
Requires digital operational resilience testing, annual appropriate tests for ICT systems supporting critical or important functions, and TLPT coverage for selected entities.
Delegated Regulation (EU) 2025/1190 on TLPT criteria and methodology
Specifies TLPT scoping, threat intelligence, scenario, reporting, remediation, and attestation evidence for critical or important functions.
Recommended next step

Build a register-ready DORA critical-function map

Sorena can help connect critical or important function assessments to ICT dependency maps, contract controls, incident classification, testing scope, and evidence requests.

Research workflow
Open Research Copilot for EU DORA

Ask source-linked questions about DORA critical or important functions, ICT dependencies, register records, third-party risk, and evidence.

Explore next step
Talk to Sorena
Talk through DORA function mapping

Review your function classification, ICT service map, provider controls, register fields, and open evidence gaps with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Requires digital operational resilience testing, annual appropriate tests for ICT systems supporting critical or important functions, and TLPT coverage for selected entities.
"several or all critical or important functions"
Related guides

Explore more topics

DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.