{"id":165,"date":"2024-12-04T06:40:26","date_gmt":"2024-12-04T06:40:26","guid":{"rendered":"https:\/\/cyberriskpartners.net\/?p=165"},"modified":"2024-12-04T06:41:30","modified_gmt":"2024-12-04T06:41:30","slug":"dora-blog-4","status":"publish","type":"post","link":"https:\/\/cyberriskpartners.net\/es\/dora-blog-4\/","title":{"rendered":"DORA blog series #4"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>#4 ICT services supporting Critical or Important Functions<\/strong><\/h2>\n\n\n\n<p class=\"\">The DORA regulation requires financial entities to adequately manage the risk of outsourcing <strong>critical or important functions <\/strong>to third-party ICT service providers.\u00a0 This makes sense.\u00a0 Whilst a financial organisation can transfer some of its operational risk to third parties, compensated by contractual penalties, ultimately the financial entity will suffer most from the loss of a particular ICT service.<\/p>\n\n\n\n<p class=\"\">Before we delve into how the European Commission defines \u201ccritical or important functions\u201d in the DORA regulation, it is worth pausing to reflect on why this regulation was written into EU law for all member states to adhere to.\u00a0 As previous financial crises showed, the collapse of one financial entity can lead to the collapse of others, due to short-term liquidity issues or the reliance on another entity for a business process, such as settlements.<\/p>\n\n\n\n<p class=\"\">The proportionality concept introduced in DORA is also relevant here.\u00a0 The operational failure of a crypto broker or a small mortgage lender will be unlikely to have a material impact on other financial entities, sufficient to concern the EU banking ecosystem.\u00a0 Therefore, we would expect these companies to have a reduced set of critical or important functions.<\/p>\n\n\n\n<p class=\"\"><strong>Definition<\/strong><\/p>\n\n\n\n<p class=\"\">The regulation is vague when it defines the terms \u201ccritical or 
important functions\u201d, using phrases such as \u201cthe disruption [of the function] would materially impair the financial performance \u2026 or the soundness or continuity of its services and activities \u2026 [or] impair the continuing compliance \u2026\u201d<\/p>\n\n\n\n<p class=\"\">Whilst this definition could describe almost all functions of a financial entity such as a bank, the selection of business processes which are critical or important should be restricted to those which would have a knock-on effect to other entities.&nbsp; For example, payroll is an important function for all companies, but one that is unlikely to affect a wider ecosystem in the short term.<\/p>\n\n\n\n<p class=\"\"><strong>How to prepare for DORA<\/strong><\/p>\n\n\n\n<p class=\"\">As a financial entity, the task here is to document all of your business functions and label them as critical, important or neither.&nbsp; These could be client onboarding, credit card transactions or physical building security. 
&nbsp;Then, map your business and IT applications to these functions.&nbsp; This is no small undertaking as there is a many-to-many relationship here.&nbsp; For example, your VPN application is likely to underpin multiple business processes.<\/p>\n\n\n\n<p class=\"\">Hopefully your IT asset inventory mapping applications to hardware, software and databases is up-to-date.&nbsp; If not, now is the time to refresh it and ensure there are processes in place to maintain its integrity.<\/p>\n\n\n\n<p class=\"\"><strong>What\u2019s next?<\/strong><\/p>\n\n\n\n<p class=\"\">In the next blog we will look at how the definition of critical or important functions affects third-party management, especially risks and contracts.<\/p>\n\n\n\n<p class=\"\"><strong>#\ud835\uddd7\ud835\udde2\ud835\udde5\ud835\uddd4 #\ud835\uddf3\ud835\uddf6\ud835\uddfb\ud835\uddee\ud835\uddfb\ud835\uddf0\ud835\uddf2 #\ud835\uddff\ud835\uddf2\ud835\uddf4\ud835\ude02\ud835\uddf9\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb #\ud835\uddd8\ud835\udde8 #\ud835\uddf0\ud835\ude06\ud835\uddef\ud835\uddf2\ud835\uddff #resilience<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?resize=1024%2C1024&#038;ssl=1\" alt=\"\" class=\"wp-image-166\" srcset=\"https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?resize=300%2C300&amp;ssl=1 300w, https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?resize=768%2C768&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/12\/dora.jpeg?resize=12%2C12&amp;ssl=1 12w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>#4 ICT services supporting Critical or Important Functions The DORA regulation requires financial entities to adequately manage the risk of outsourcing critical or important functions to third-party ICT service providers.\u00a0 This makes sense.\u00a0 Whilst a financial organisation can transfer some of its operational risk to third parties, compensated by contractual penalties, ultimately the financial entity [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[],"class_list":["post-165","post","type-post","status-publish","format-standard","hentry","category-dora-regulation"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/posts\/165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/comments?post=165"}],"version-history":[{"count":2,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/posts\/165\/revisions"}],"predecessor-version":[{"id":168,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/posts\/165\/revisions\/168"}],"wp:attachment":[{"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/media?parent=165"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/categories?post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberriskpartners.net\/es\/wp-json\/wp\/v2\/tags?post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}