Do You Know Your CIFs? – Service Mapping and Why It Matters to Tech Leadership – Jan 8, 2024

Welcome back to Blog No.2 in our DORA series! In this installment, we’re diving into service mapping and, specifically, CIFs—the abbreviation for Critical & Important Functions.

This one’s a bit lengthy, but stick with us—understanding CIFs and how to define them is fundamental to meeting DORA legislation and aligning technology requirements accordingly. Strap in—here we go!

What Are CIFs, and Why Do They Matter?

You’ll see CIFs mentioned consistently throughout the DORA regulatory text, so let’s start with a clear definition.

CIFs (Critical & Important Functions) are the essential business processes and activities that, if disrupted, could significantly impact the soundness, continuity, or compliance of a financial institution. Think of them as the lifeblood of financial organizations—any disruption could cause severe business consequences or, in the worst case, market-wide disruption.

When regulators or competent authorities come knocking, they’ll expect you to demonstrate:

  • A strong understanding of your CIFs.
  • Clear mappings to associated components and services.
  • A well-maintained CIF registry.

It’s important to note that CIFs aren’t explicitly defined by the regulation. Each financial entity must identify and define its own CIFs, document them appropriately, and maintain a reliable registry.

Characteristics of CIFs

Here are some key characteristics to help identify CIFs in your organization.

Material Impact (disruption could materially affect):

  • Customers
  • The industry
  • Financial performance (profits, revenue, market share)
  • Financial stability (solvency, liquidity, ability to meet obligations)
  • The ability to reliably provide core services

Systemic Significance:

  • Disruption could cause broader financial system failures.
  • Disruption could negatively affect the real economy.
  • Disruption could trigger contagion effects among financial institutions.

Regulatory Compliance:

  • Disruption could hinder compliance with obligations like AML, KYC, and reporting requirements.

Reputational Risk:

  • Loss of customer trust
  • Negative media coverage
  • Increased regulatory scrutiny

Examples of CIFs in Financial Services

Common CIF examples in financial institutions include:

  • Settlements / Payments
  • Trading
  • Market Feeds
  • Customer Onboarding
  • End-User Systems
  • Technology Core Services (often called Domain 0 services)

What Is Not a CIF?

Not every function is a CIF. Generally, non-core administrative or support functions don’t meet the criteria. These include:

  • Marketing
  • Human Resources
  • Internal R&D

If disruption in these areas wouldn’t directly harm customers, peers, or the financial system, they likely aren’t considered CIFs.

CIFs vs. IBSs: What’s the Difference?

For those familiar with the FCA/PRA’s Important Business Services (IBSs) framework, you might be wondering how CIFs differ.

  • IBSs (FCA/PRA): Focus on core business outcomes and services, emphasizing market impact and customer harm during failures.
  • CIFs (DORA): Broader in scope, including supporting services, with a stronger emphasis on technology, ICT systems, and their resilience, risk management, and support.

In reality, there’s a significant overlap between the two. Many organizations preparing for DORA compliance (Jan 17, 2025) are aligning CIFs with their IBSs as a starting point. However, DORA tends to be more prescriptive from a technology perspective. Aligning with DORA can help meet global resilience requirements.

[Figure: DORA Pillars]

Why CIFs Matter to Technology Leaders

So, why should technology leaders care about CIFs? Let’s revisit the DORA pillars discussed in our first article. Each CIF must align with these pillars to ensure compliance, governance, and oversight.

Key Considerations for Technology Leaders:

  • Awareness & Definition: Ensure your CIFs are clearly defined, mapped, and documented in a reliable registry.
  • Application Mapping: Understand which applications and components support each CIF.
  • Infrastructure Dependencies: Map infrastructure services tied to each CIF.
  • Supplier Risk Management: Identify third-party suppliers supporting CIFs and assess their resilience.
  • Resilience Testing: Regularly test CIF-related technologies for resilience, availability, and cybersecurity.
  • Incident Management: Ensure incident response frameworks prioritize CIFs.
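To make the mapping concrete, here is an added example (not code from the original post) that models a minimal CIF registry as a dependency graph over applications, infrastructure services and third-party suppliers, using constructed names; it answers the two questions a regulator or incident commander will ask: which CIFs are hit if a given component fails, and where the registry still has gaps.

```python
from collections import defaultdict

# Constructed sample registry: CIF -> supporting applications.
# "Customer Onboarding" is deliberately left unmapped to show a registry gap.
CIF_REGISTRY = {
    "Settlements / Payments": {"apps": ["payments-gateway", "ledger"]},
    "Trading": {"apps": ["order-router", "ledger"]},
    "Market Feeds": {"apps": ["feed-handler"]},
    "Customer Onboarding": {"apps": []},
}

# Constructed sample: application -> infrastructure services and suppliers it depends on.
APP_DEPENDENCIES = {
    "payments-gateway": {"infra": ["core-network", "hsm-cluster"], "suppliers": ["swift-connectivity-vendor"]},
    "ledger": {"infra": ["core-db", "core-network"], "suppliers": []},
    "order-router": {"infra": ["core-network"], "suppliers": ["market-access-vendor"]},
    "feed-handler": {"infra": ["core-network"], "suppliers": ["market-data-vendor"]},
}


def build_reverse_index():
    """Map every component (app, infra service, supplier) to the CIFs that rely on it."""
    index = defaultdict(set)
    for cif, entry in CIF_REGISTRY.items():
        for app in entry["apps"]:
            index[app].add(cif)
            deps = APP_DEPENDENCIES.get(app, {"infra": [], "suppliers": []})
            for component in deps["infra"] + deps["suppliers"]:
                index[component].add(cif)
    return index


def impacted_cifs(failed_component, index=None):
    """CIFs affected if the named component (app, infra service or supplier) is lost."""
    if index is None:
        index = build_reverse_index()
    return sorted(index.get(failed_component, set()))


def registry_gaps():
    """CIFs with no application mapping, and mapped apps with no recorded dependencies."""
    unmapped_cifs = sorted(c for c, e in CIF_REGISTRY.items() if not e["apps"])
    referenced_apps = {a for e in CIF_REGISTRY.values() for a in e["apps"]}
    unmapped_apps = sorted(referenced_apps - APP_DEPENDENCIES.keys())
    return unmapped_cifs, unmapped_apps


def shared_components(threshold=2):
    """Components underpinning at least `threshold` CIFs: Domain 0 candidates and resilience-test priorities."""
    index = build_reverse_index()
    return sorted(c for c, cifs in index.items() if len(cifs) >= threshold)
```

Running `impacted_cifs("core-network")` shows the three mapped CIFs sharing one network service, and `registry_gaps()` flags the CIF that has no application mapping yet.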

Technological Directives Aligned with CIFs:

  • Cybersecurity measures (e.g., penetration testing, vulnerability assessments)
  • Backup & Recovery plans
  • Source code validation and functional testing
  • Open-source mapping and testing
  • Business continuity and resilience testing
  • Recovery plans
  • Network Segmentation (more on this in our next blog!)

Final Thoughts

This was a deep dive into CIFs and their importance in the DORA framework. While dense, CIFs represent the core focus for regulatory compliance in the financial services sector.

In our next blog, we’ll tackle Network Segmentation, one of the most challenging aspects of DORA compliance. It’s a topic causing significant concern across the financial and tech industries due to its complexity, cost, and associated risks.

Stay tuned, and see you in the next article!

Have a great one!
