Materiality of Outsourcing According to DORA

Hussam Greg
Published on
Nov 28, 2023

While MaRisk refers to material outsourcing, the EBA guidelines on outsourcing (EBA/GL/2019/02) use the term "critical or important outsourcing" to denote the outsourcing of critical or material functions. In practice, "critical" and "material" are predominantly used synonymously, and "material" has become the established term. Now, DORA (Digital Operational Resilience Act) introduces the somewhat lengthy designation "ICT services supporting critical or important functions," hereinafter referred to simply as "critical ICT services." According to DORA (Article 3, No. 22), a critical or important function is defined as follows:

"Critical or important function": A function whose failure would significantly impair the financial performance, solvency, or continuity of a financial entity's business activities and services, or whose interrupted, defective, or failed performance would significantly impair the ongoing compliance with the conditions and obligations of a financial entity under the applicable financial services law.

Comparing this definition with points 29 and 30 of the EBA guidelines on outsourcing, we find that a critical ICT service according to DORA represents a material outsourcing with ICT relevance as per EBA/GL/2019/02. Thus, critical ICT services according to DORA are a subset of the material outsourcing of an institution, since material outsourcing may also include non-IT outsourcing. Therefore, the terms "material," "important," and "critical" can be used synonymously when describing an (ICT) service. Nonetheless, it is advisable to use one term consistently in the written order and throughout the framework to avoid confusion. From my perspective, DORA does not introduce a change in the method of materiality classification of an (IT) outsourcing. The requirement for regular and ad-hoc reviews or updates of a risk analysis for outsourcing and other IT external procurements (or other ICT services) naturally remains.

Even though DORA does not differentiate between a "non-essential IT procurement" (according to BAIT) and a "non-material outsourcing" (according to MaRisk & EBA/GL/2019/02), and nowadays non-material outsourcing is monitored and managed to the same extent as other IT external procurements, this distinction should still be maintained.

According to DORA, "critical ICT service providers" are identified and monitored by regulatory authorities. It is important to distinguish the term "critical ICT service provider" from "critical ICT service." A critical ICT service provider can also be a provider of a critical ICT service (aka material IT outsourcing), but it is not necessarily so. Whether an ICT service provider is critical or not is determined by the supervisory authorities. In other words, there is neither correlation nor causality between "critical ICT service provider" and "critical ICT service."

This should not be confused with information security and business continuity management (BCM). These definitions are distinct from the terms "critical information" or "critical assets" in information security management, as the latter are limited to the risk profile concerning the affected information. The time-criticality of a business process, function, or asset (or a resource such as IT, buildings, services, or personnel) is a result of the Business Impact Analysis (BIA) within the Business Continuity Management Lifecycle. The question of whether time-criticality entails materiality will be addressed in a later post.


- Outsourcing can have an ICT relation (IT outsourcing) or no ICT relation.
- An ICT service according to DORA can be a critical ICT service (material IT outsourcing according to MaRisk/EBA outsourcing guidelines) or a non-critical ICT service (a non-material IT outsourcing or another IT external procurement according to MaRisk/EBA outsourcing guidelines).
- "Critical ICT service provider" and "critical ICT service" are two different, independent classifications.
- Criticality in information security refers to the need for protection of information and associated risks.
- Time criticality in BCM expresses the potential damage of a business process's failure over a certain period.
