Critical Functions: Who Guards Your Digital Access?

by | Feb 24, 2026

A digital outage today is more than a mere inconvenience. It represents a tangible risk: the risk that a portfolio cannot be accessed, that a critical report is delayed, or that an investment decision is made too late. In the world of international wealth and cross-border structures, this is a real threat, not a hypothetical scenario.

The EU’s DORA (Digital Operational Resilience Act) was intended to bring clarity. However, instead of a simple checklist, it brought accountability. Financial institutions are now responsible for identifying exactly what is “critical” for the client—and ensuring it remains functional even when the technology fails. This is the dividing line between formal compliance and actual asset protection.

What happens when a key service fails?

DORA does not provide an official list of “critical or important functions.” The European Commission and supervisory authorities have confirmed that identification is left entirely to the financial entities themselves. In other words, there are no shortcuts.

A function is deemed critical if its failure would significantly impair financial performance, regulatory compliance, or the continuity of services. For a client, this isn’t a legal definition; it’s a practical question:

What happens to my assets if an IT system, a third-party provider, or a data center fails?

In practice, these functions typically include portfolio management, regulatory reporting, access to investment accounts, asset valuation, and communication with custodians. If these processes are not identified as critical and backed by robust contingency plans, a silent but significant risk emerges.

Resilience as part of the investment process

The European supervisory approach assumes that each institution knows its business best. For the client, this has a direct impact. If a wealth manager identifies critical functions only as a “paper exercise,” your protection remains an illusion. If they are assessed realistically, true resilience is born.

At Aisa International, identifying critical functions is treated as an integral part of protecting the investment process. Every key service is evaluated based on how quickly it can be replaced, the impact of its downtime on the client, and whether a functional backup solution truly exists.

Consider a practical example: If the primary portfolio management system suffers an outage, a resilient firm has already determined how data access is maintained, how reporting is restored, and who is responsible for the continuity of decision-making. These are not minor details; these are the moments where control over your legacy is preserved or lost.

Moving beyond formal checklists

DORA is often criticized for its administrative burden. While this is justified, the real danger lies in a false sense of security. A formal process map without real-world stress testing does not protect a client from losing control or suffering reputational damage.

An investor should not have to ask if an institution is “DORA compliant.” They should know how their assets are protected when things go wrong. This requires clear identification of critical functions, continuous updates to those protocols, and realistic recovery scenarios.

Aisa International acts as a critical partner here—not a passive observer of regulations. We filter the complexity of European rules into a functional framework designed to maintain the continuity of wealth management, regardless of technological or operational failures.

The views expressed in this article are not to be construed as personal advice. Therefore, you should contact a qualified, and ideally, regulated adviser in order to obtain up-to-date personal advice with regard to your own personal circumstances. Consequently, if you do not, then you are acting under your own authority and deemed “execution only”. The author does not accept any liability for people acting without personalised advice, who base a decision on views expressed in this generic article. Importantly, where this article is dated then it is based on legislation as of the date. Legislation changes but articles are rarely updated, although sometimes a new article is written; so, please check for later articles or changes in legislation on official government websites, as this article should not be relied on in isolation.

Vyjádřené názory v tomto článku nelze považovat za osobní poradenství. Vždy se proto obraťte na kvalifikovaného, ideálně regulovaného poradce, který vám poskytne aktuální, osobní doporučení šitá na míru vaší konkrétní situaci. Pokud se rozhodnete jednat bez takového poradenství, činíte tak na vlastní odpovědnost a vaše jednání spadá pod režim „execution only“ (pouhá realizace pokynu bez poradenství). Autor nepřijímá žádnou odpovědnost za rozhodnutí osob, které se spoléhají na názory uvedené v tomto obecném článku bez personalizovaného poradenství. Je důležité si uvědomit, že pokud je článek datován, vychází z právních předpisů platných k uvedenému datu. Právní předpisy se mohou měnit a články jsou aktualizovány jen zřídka. Doporučujeme proto vždy ověřit případné novější články nebo změny legislativy na oficiálních vládních stránkách, protože na tento článek nelze spoléhat izolovaně.

Follow us on Social Media

Post written by:
Autorem článku je:

Monika Škubalová

Monika works in the area of compliance and financial crime prevention, where she specializes in setting internal rules and control mechanisms to protect the company from financial and regulatory risks. She has experience in providing professional advice and implementing processes in accordance with legislation. She actively participates in training the internal team and supports the corporate culture of responsibility and transparency.

Aisa International is the only financial advice service company specialising in advice for expats that is regulated as a Securities Trader in the Czech Republic, USA, and UK.