Evaluate your DORA CIFs with an auditable methodology
5 guided steps, the 4 Art. 3(22) criteria operationalized, AI justification in 15 seconds, approval workflow and review cadence. ESA-audit-ready output (EBA/ESMA/EIOPA) and ACPR/AMF/BaFin.
5-step methodology
From raw function listing to approved and reviewed CIF — no spreadsheet, no reinvention.
Identify
Inventory of ICT-supported functions: market operations, payments, KYC, credit issuance, services to authorised clients, prudential reporting. Import from your existing process registry or let AI derive from your authorised activities.
Score (4 criteria)
For each function, check the 4 Art. 3(22) impact criteria with quantified thresholds: financial impact (€), continuity impact (customers affected, downtime hours), authorisation impact, other regulatory obligations (MiFID, AMLD, FATCA thresholds…).
Justify (AI in 15 s)
ResiPlan AI drafts the criticality justification from the name, business area and checked criteria. Audit-ready tone, explicit DORA references, structure 'what makes the function critical + Art. 3(22) reference'. Saves 2 h per CIF.
Approve
Workflow draft → review → approved by the management body or its delegate (e.g. CISO + CRO). Timestamped trace of approver and date. Dashboard of CIFs pending review.
Review
Quarterly, semi-annual or annual cadence (configurable per CIF). Auto-reminders, diff vs N-1 version, re-justification request if a criterion or threshold changed. Covers Art. 5(2) 'regularly review' obligation.
The 4 Art. 3(22) criteria — operationalized
Each criterion must come with quantified thresholds. ResiPlan guides you to defendable thresholds.
1. Financial performance
Unavailability of the function or quality degradation would materially affect the entity's financial performance (revenue, cost, valuation, exposure).
Typical thresholds: Quantified thresholds: estimated annual loss € · % of revenue
2. Continuity of authorised activities
Loss of continuity would prevent the entity from providing the authorised service to clients (payments, markets, custody, advisory, etc.).
Typical thresholds: Thresholds: customers affected · MTPD hours · revenue loss/hr
3. Authorisation conditions
Failure would jeopardize compliance with authorisation conditions, registry entry or equivalence regimes (MiFID II, AIFMD, CRR, IDD…).
Typical thresholds: Criteria: capital threshold breach · IT outsourcing breach
4. Other regulatory obligations
Missed prudential reporting, failed Art. 17 incident notifications, AMLD obligations, MiFIR transaction reporting, EMIR clearing, FATCA/CRS, sanctions screening.
Typical thresholds: Thresholds: missed reports · legal deadline breached
Decision matrix
| Profile | DORA status | Consequences |
|---|---|---|
| No criterion checked | Out of DORA scope | — |
| 1 criterion checked, thresholds below limits | Important function (to document) | Annual review sufficient |
| ≥1 criterion + thresholds breached | CIF — Critical or Important Function | Semi-annual review, TLPT scope |
| ≥2 criteria + systemic impact | Priority CIF (TLPT mandatory) | Quarterly review, exit plan Art. 28(7)(j) |
Criticality justification, written in 15 seconds
ResiPlan AI receives the name, business area and checked criteria; it produces an audit-ready, structured text with explicit DORA references and quantified thresholds. You edit before approval. Typical saving: 2 h per CIF, ~80 h on a 40-function registry.
Approval workflow
Per DORA Art. 5(2) — the management body approves, reviews and revises.
Every transition is timestamped, signed by the user and traced in the audit log. A PDF export of the approval file is available for ESAs.
DORA articles covered
Evaluate your first CIF in 10 minutes
Free 14-day trial. Identify, score, justify with AI, approve. All in one session — your evaluation file is ACPR-ready.