Menu
Join my newsletter
4. Critical and Important Business Functions (BIA)
Under the Digital Operational Resilience Act (DORA), financial entities are required to identify, assess, and safeguard critical and important business functions to ensure operational continuity and resilience against ICT disruptions. Conducting a Business Impact Analysis (BIA) is a fundamental step in achieving compliance with DORA's requirements, as it helps financial entities prioritize resources and ensure continuity of operations for their most vital functions.
This guide provides a comprehensive overview of DORA's requirements related to critical and important business functions, outlines best practices for conducting a BIA, and connects the topic with related compliance themes.

by Sylvan Ravinet

The StratOps way to accelerate DORA
This guide on Critical and Important Business Functions (BIA) can help you achieve DORA compliance. Faster. Part of my 12-capabilities cyber framework.
Before continuing, make sure you are subscribed to StratOps!
Get weekly insights in your email
My StratOps newsletter helps cybersecurity experts achieve more, faster.
It's Free! For now.
Have feedback? Connect with me on Linkedin
1. Overview of Critical and Important Business Functions (BIA) in DORA
The identification of critical and important business functions is at the heart of operational resilience. DORA mandates financial entities to:

Understand dependencies and vulnerabilities associated with critical business functions

Safeguard these functions against ICT risks, operational disruptions, and cyber threats

Develop and implement risk mitigation strategies for the most significant processes, systems, and interdependencies
Key regulatory sources:
  • DORA Regulation (EU 2022/2554): Articles 5, 11, 13, and 15 specifically emphasize the importance of identifying and protecting critical business functions
  • Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) issued by European Supervisory Authorities (ESAs) provide guidance on performing BIAs and identifying critical dependencies
2. Definition of Critical and Important Business Functions
A critical or important business function refers to any process or operation whose disruption could:

Materially impact financial stability, customers, or market integrity

Cause significant operational, legal, or reputational harm to the entity

Affect compliance with legal or regulatory obligations
Examples of critical and important business functions:
  • Payment processing systems
  • Core banking operations
  • Risk management and trading systems
  • Customer data storage and management
  • Cybersecurity monitoring and response
3. Conducting a Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) is a systematic process to identify critical business functions, assess their dependencies, and understand the impact of their disruption.
3.1. Steps in Conducting a BIA

1

Identify Business Functions
  • Collaborate with stakeholders across the organization to catalog all business functions
  • Determine their importance based on:
  • Financial impact
  • Regulatory compliance requirements
  • Customer service implications

2

Classify Functions Based on Criticality
Assign criticality levels to each function:
  • Critical: Functions whose disruption causes severe financial, operational, or reputational harm
  • Important: Functions whose disruption results in moderate harm
  • Non-critical: Functions with negligible impact in case of disruption

3

Map Dependencies
  • Document the ICT assets (e.g., applications, systems, infrastructure) supporting each business function
  • Identify dependencies on third-party services, suppliers, or cloud providers

4

Assess Impact of Disruption
  • Measure the potential operational, financial, legal, and reputational impact of a disruption to critical and important functions
  • Use metrics such as:
  • Recovery Time Objective (RTO): Time required to restore the function
  • Recovery Point Objective (RPO): Maximum tolerable data loss

5

Prioritize Risk Mitigation
  • Develop a prioritized action plan to mitigate risks to critical and important functions, including:
  • Enhancing system redundancy and resilience
  • Strengthening data backup and recovery
  • Ensuring continuity of third-party services
4. Protecting Critical Business Functions
4.1. ICT Risk Management
  • Integrate critical business functions into the entity's overall ICT risk management framework
  • Ensure secure SDLC (security by design) principles are applied to systems supporting critical functions (see Risk Framework Guide)
4.2 Resilience Testing
  • Test the resilience of systems and processes supporting critical functions through:
  • Resilience testing for failover and recovery scenarios
  • Threat-Led Penetration Testing (TLPT) for high-risk functions (see Testing Guide)
4.3. Incident Response
  • Ensure rapid recovery and stakeholder notification in case of disruptions
4.4. Business Continuity and Disaster Recovery (BCDR)
  • Align critical business functions with the entity's BCDR strategy to minimize downtime and data loss during disruptions (see Business Continuity Guide)
5. Key Challenges in Managing Critical Business Functions
5.1. Complexity of Interdependencies
  • Many critical functions rely on interconnected ICT systems, third-party providers, and cloud services
  • Ensure these dependencies are continuously monitored and assessed

5.2. Data Protection and Privacy
  • Critical functions often handle sensitive data
  • Ensure compliance with DORA's data security requirements and other regulations like GDPR
5.3. Evolving Threat Landscape
  • Cyber threats continue to evolve, requiring continuous proactive detection and response capabilities
6. Integration with Other DORA Domains
6.1. Incident Management and Crisis Communication
  • Critical business functions should be prioritized during incident response and crisis communication efforts
  • Reference related guides:
6.2. Governance and Oversight
  • The management body must approve and oversee the identification, classification, and protection of critical functions (see Governance Guide)
6.3. ICT Asset and Data Classification
  • Ensure alignment between critical business functions and their supporting ICT assets and data classification frameworks
  • Reference related guides:
6.4 Third-Party Risk Management
  • Assess the role of third-party services in supporting critical functions (see TP(S)RM Guide)
  • Integrate this assessment into the BIA process
7. Best Practices for BIA and Critical Function Management
7.1. Maintain an Updated Inventory
  • Regularly update the inventory of critical functions, ICT assets, and interdependencies
  • Reflect organizational changes and emerging risks
7.2. Automate Monitoring
  • Use automated tools to continuously monitor the availability and performance of systems supporting critical functions
7.3. Conduct Periodic Reviews
  • Perform periodic BIAs to reassess critical functions, dependencies, and recovery strategies
  • Update in response to technological changes or regulatory updates
7.4. Foster Collaboration
  • Involve stakeholders across business, ICT, compliance, and risk management teams
  • Ensure a holistic approach to identifying and safeguarding critical functions
8. Key Takeaways

Identifying and protecting critical and important business functions is a cornerstone of operational resilience under DORA

Conducting a robust Business Impact Analysis (BIA) enables financial entities to prioritize resources, mitigate risks, and maintain continuity during disruptions

Protecting critical functions requires integration with incident management, business continuity, ICT risk management, and third-party risk frameworks

Regular reviews, testing, and collaboration across teams are essential to maintaining compliance and resilience
Links to Related DORA Compliance Themes
For a comprehensive understanding of DORA compliance, this guide aligns with the following related topics:
For detailed implementation guidance, refer to DORA's RTS and ITS documentation and related guides within this compliance series.
The StratOps way to accelerate DORA
CISO & Advisor | My StratOps newsletter helps cybersecurity experts achieve more, faster.

I hope this guide on Critical and Important Business Functions (BIA) will help your team achieve DORA compliance.
There's 11 more capabilities for you!

Not yet a member? You might join StratOps newsletter today.
Have feedback? Connect with me on Linkedin