We are wondering whether EIOPA, since its part of ESMA, might shed some light on this. From our understanding and reviewing the definition critical or important function described in DORA: - A function, the disruption of which would materially impair the financial performance of a financial entity: this classification may be obtained by each insurance firm based on their own categorization, covered by Business Continuity. - A function, the soundness or continuity of its services and activities: this classification may be obtained by each insurance firm based on their own categorization, covered by Business Continuity. - A function, the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law: in this part, insurance firms are asking whether there is a detailed list of processes to consider so as to better determine which ones to focus under DORA. Finally, we understand that once a function covers one of the three considerations is enough to be considered like this and the Supervisory expectancy is that in the Process Map of each entity, critical or important functions are labeled like this and/or there is an inventory updated (p.ej. Excel)

The answer to this question is provided by the European Commission.

According to Article 3(22) of the Digital Operational Resilience Act (DORA), a ‘critical or important function’ means “a function whose disruption would materially impair the soundness or continuity of the financial entity’s services and activities, or compliance with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation.” 

As clarified in Recital 70 of the DORA Regulation, this definition includes the concept of critical functions as set out in other Union legislations, such as the Bank Recovery and Resolution Directive (BRRD). However, DORA applies a broader operational risk lens and does not limit itself to resolution planning purposes. At this stage, there is no official list of critical or important functions provided by the Commission or the European Supervisory Authorities (ESAs). 

It is therefore for financial entities themselves to perform a case-by-case assessment to determine whether a function is critical or important, based on the nature, scale, and complexity of their activities. 

Such assessment may consider, where relevant, certain elements including:

• whether the function is essential to the provision of key services or compliance with legal obligations; 

• the potential impact of a disruption on financial stability or the real economy; 

• and the extent to which the function can be readily substituted by other providers.

Disclaimer provided by the European Commission:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.