Importance of outsourcing in the age of DORA

By
Published on
May 3, 2025

Critical Outsourcing in the Age of DORA

While MaRisk speaks of significant outsourcing, the EBA guidelines on outsourcing (EBA/GL/2019/02) use the phrase “critical or significant outsourcing” for the outsourcing of critical or essential functions. Since “critical” and “essential” are mostly used synonymously, the term “essential” has prevailed in practice.

Now comes DORA (Digital Operational Resilience Act) with the somewhat long term “ICT services supporting critical or important functions”, hereinafter referred to as “critical ICT services” for simplicity.

According to DORA (Article 3, No. 22), a critical or important function is defined as follows:

“Critical or important function”: a function whose failure would significantly affect the financial performance of a financial entity or the soundness or continuation of its operations and services, or whose interrupted, faulty or failed performance would significantly affect the continued compliance of a financial entity with the conditions and obligations of its authorisation or with its other obligations under applicable financial services law.

If you compare this definition with paragraphs 29 and 30 of the EBA guidelines on outsourcing, you come to the conclusion that a critical ICT service under DORA corresponds to an ICT-related significant outsourcing under EBA/GL/2019/02. Critical ICT services under DORA are therefore a subset of an institution's significant outsourcings, since the latter can also include non-IT outsourcing.

Therefore, the terms “essential”, “important” and “critical” can be used interchangeably when describing an (ICT) service. However, it is advisable to use one term consistently in the written set of rules (schriftlich fixierte Ordnung) and throughout the framework in order to avoid confusion.

In my opinion, DORA therefore does not change the method of classifying the materiality of (IT) outsourcing. The requirement to carry out regular and ad-hoc reviews or updates of the risk analysis for outsourcing and other external IT procurement (or other ICT services) naturally remains.

Even though DORA does not differentiate between “other external IT procurement” (according to BAIT) and “non-significant outsourcing” (according to MaRisk and EBA/GL/2019/02), and non-significant outsourcing is today monitored and managed to the same extent as other external IT procurement, this distinction should continue to be maintained.

Under DORA, “critical ICT third-party service providers” are identified and monitored by the regulatory authorities. Here, it is important to distinguish the term “critical ICT service provider” from “critical ICT service”. A critical ICT service provider can also be the provider of a critical ICT service (i.e. an essential IT outsourcing), but it does not have to be. The regulators determine whether an ICT service provider is critical or not (see link). In other words, there is no correlation or causality between “critical ICT service provider” and “critical ICT service”.

Confusion with information security and business continuity management (BCM)

These definitions must be clearly distinguished from the terms “critical information” or “critical assets” in information security management, as the latter refer only to the risk profile of the information concerned.

The time criticality of a business process, a function or an asset (or a resource such as IT, buildings, services or personnel) is a result of the Business Impact Analysis (BIA) as part of the Business Continuity Management Lifecycle. The question of whether time criticality brings about materiality will be answered in a later article.

Summary:

- Outsourcing can have an ICT connection (IT outsourcing) or no ICT connection.
- An ICT service in accordance with DORA can be a critical ICT service (a significant IT outsourcing in accordance with MaRisk/EBA guidelines on outsourcing) or a non-critical ICT service (a non-significant IT outsourcing or other external IT procurement in accordance with MaRisk/EBA guidelines on outsourcing).
- “Critical ICT service provider” and “critical ICT service” are two different, independent classifications.
- Criticality in information security refers to the need to protect information and the associated risks.
- Time criticality in BCM expresses the potential damage caused by the failure of a business process for a specific period of time.