Definition (Article 3(22)), identification criteria, step-by-step methodology, real-world examples — and how to automate CIF management with Resiplan. Every DORA obligation cascades from correctly identifying your CIFs.
A "critical or important function" means a function, the disruption of which would:
• Materially impair the financial performance of a financial entity, or
• Impair the soundness or continuity of its services and activities, or
• Whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law. — Regulation (EU) 2022/2554 (DORA), Article 3, point 22
DORA does not impose the same obligations on every function. Most requirements — and their intensity — cascade from whether a function is classified as "critical or important". Get CIF identification wrong, and every downstream obligation is wrong too.
Every ICT service supporting a CIF must be flagged in the RoI (ITS 2024/2956) with enhanced attributes.
RTS 2024/1773 →Stricter mandatory clauses apply to ICT providers supporting CIFs (audit, subcontracting, exit).
Third-Party Risk →Threat-Led Penetration Tests must cover ICT systems supporting CIFs (DORA Art. 26).
TLPT Guide →Impact on CIFs is one of the 6 criteria triggering major incident reporting.
RTS 2024/1772 →Max 2 cascading subcontracting levels allowed for ICT services supporting CIFs (RTS 2025/532).
RTS 2025/532 →CIF inventory is an input to risk assessment, BCP/DRP, and resilience testing (DORA Art. 5-16).
RTS 2024/1774 →A function becomes a CIF when it meets the materiality threshold across a combination of quantitative and qualitative criteria. No single metric decides — it's a weighted assessment.
A structured approach reviewed by EBA, EIOPA and ESMA in their joint Q&A on DORA.
Build an exhaustive inventory of every function your financial entity performs — core services (payments, custody, underwriting), customer-facing processes, internal support (treasury, compliance, HR). Use your operating model or value chain as a starting point.
Resiplan ships with a pre-built function taxonomy by sector (banking, insurance, payments)For each function, collect measurable inputs: revenue contribution, client count, transaction volume, AUM. Define institution-specific thresholds (typical: 5% revenue, 10% clients, high-value transaction flows).
Resiplan auto-imports financial data and runs scoring against your thresholdsComplement with non-numeric dimensions: regulatory impact (does this support your licence?), reputational exposure, substitutability, systemic implications. Workshop with business heads, legal, risk, compliance.
Resiplan workflow: multi-stakeholder scoring with evidence attachmentsAggregate quantitative + qualitative scores. Apply your materiality threshold. Document every decision — especially borderline cases where you opted not to classify as CIF (supervisors will ask).
Resiplan produces an auditable CIF register with decision rationaleFor every CIF, list the ICT services (internal + third-party) that support it. This data feeds the Register of Information (ITS 2024/2956) and drives which contracts need the stricter DORA clauses.
Resiplan auto-generates the RoI from CIF → ICT service mappingsThe management body (board) must formally approve the CIF list. Review at least annually, and whenever a material change occurs (new service, M&A, outsourcing). Keep the approval traceable for supervisors.
Resiplan sends review reminders and tracks board sign-off electronicallyIllustrative examples across sectors — your actual classification depends on your specific business model and materiality thresholds.
| Function | Sector | Typical Classification | Why |
|---|---|---|---|
| Core banking / transaction processing | Banking | CIF | Direct client impact, regulatory authorisation, systemic relevance |
| Payment initiation (SEPA, instant) | Payments | CIF | High volume, customer-facing, regulated service |
| Claims management | Insurance | CIF | Core to insurance obligations, direct client impact, Solvency II relevance |
| Custody / safekeeping of assets | Investment firms | CIF | Client asset protection is a regulated activity |
| Regulatory reporting (COREP, FINREP) | All | CIF | Failure = breach of authorisation conditions |
| AML / KYC screening | All | CIF | Legal obligation, reputational and regulatory risk |
| HR payroll | All | Not CIF | No direct impact on regulatory compliance or financial services |
| Marketing automation | All | Not CIF | Disruption does not materially impair services |
| Internal corporate email | All | Not CIF | Support function, substitutable, no regulatory dependency |
| Document management (contracts) | All | Depends | Borderline — CIF if tied to regulatory archiving obligations |
Resiplan is the specialised SaaS for DORA, business continuity and GRC. Our CIF module turns a 4-hour workshop into a 15-minute guided workflow — with continuous tracking, board-ready reports, and automatic propagation to the Register of Information.
Start with a sector-specific function catalogue (banking, insurance, payments, investment, crypto).
Enter your thresholds once. Resiplan scores every function on the 12+ DORA criteria automatically.
Route borderline cases to business owners, legal, risk. Collect evidence inline. Full audit trail.
Link every ICT service and provider to the CIFs it supports. Drag & drop interface.
The ITS 2024/2956 Register of Information is generated from CIF mappings. Ready to submit.
Annual review reminders, change-triggered alerts, electronic board approval with evidence.
Continue deepening your understanding of DORA's interconnected obligations.
Register of Information, contractual clauses, subcontracting under DORA.
Read Guide →Assess your DORA compliance across all 5 pillars in 10 minutes.
Start Assessment →All 13 Regulatory and Implementing Technical Standards in one place.
Read Overview →Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.