DORA CIF Resilience Testing: A Practical Guide to Monitoring Critical or Important Functions
DORA is law. Enforcement is live. And if you're responsible for securing a financial institution, you’re being increasingly asked to prove that Critical or Important Functions are genuinely protected - not just on audit day, but every single day.
Only 32% of regulated financial entities fully comply with all DORA requirements, according to KPMG's analysis of EU financial institutions.
If you're a CISO or security leader in financial services, the challenge is clear: monitoring and resilience testing of Critical or Important Functions demand visibility that most organizations don't have.
Under Article 24 of DORA, Critical or Important Functions (CIFs) - those functions whose disruption would materially impair your financial performance or business continuity, such as payment processing or trading platforms - now require continuous monitoring to prove controls remain effective, not just during annual audits but every day.
With enforcement now active and 43% of UK institutions having missed initial deadlines, according to KPMG, authorities are examining your CIF monitoring capabilities (some firms know CIFs as Important Business Services) and your controls assurance practices.
This post explains what DORA CIF resilience testing entails, why many organizations don’t have the visibility they need for continuous monitoring, and practical steps to implement effective CIF monitoring - including how Panaseer's Business Service Lens transforms business service-level visibility.
What DORA CIF resilience testing and monitoring involves
Article 24 of DORA establishes mandatory digital operational resilience testing for CIFs. This goes beyond traditional penetration testing to include:
- Regular, ongoing testing of critical or important function controls.
- Threat-led penetration testing (TLPT) for the most critical ICT systems.
- Risk-based scenario testing that simulates realistic disruption events.
- Independent validation and monitoring that controls protecting CIFs can withstand operational stress.
DORA CIF resilience testing must be comprehensive enough to prove the effectiveness of your defenses, covering all ICT systems, applications, processes, and infrastructure supporting those critical functions.
The DORA continuous monitoring mandate
The biggest headache for many CISOs is that DORA doesn’t accept point-in-time assessments.
Instead, regulators expect continuous CIF monitoring that demonstrates - crucially, with evidence - that controls protecting your most important services work consistently.
This means tracking endpoint protection, patch compliance, configuration management, access controls, and other security measures across every asset supporting your CIFs, then aggregating that data to show service-level control effectiveness over time.
Read more: Understand how leading firms are approaching this with Panaseer’s DORA Continuous Monitoring in Practice whitepaper.
Why DORA CIF monitoring creates visibility challenges
Most financial institutions perform business impact assessments and continuity planning.
But DORA CIF resilience testing introduces a legally binding requirement that connects business services to technical controls - and most organizations currently lack the infrastructure to make that connection reliably.
It requires more than just a regular, collated data feed from relevant tooling. It requires a service-centric view: one that accurately maps asset-level control data to the business functions those assets support.
This creates challenges, including:
- CIF monitoring at scale – DORA mandates that you demonstrate that security controls work consistently. Most organizations struggle because control data is scattered across dozens of tools and doesn't automatically map to service level. Relying on manual spreadsheet wrangling simply isn't an option.
- Scoping CIF resilience testing accurately – Under Article 24, resilience testing must be risk-based and comprehensive. When you can't reliably identify which assets support which CIFs, scoping your resilience testing program becomes guesswork.
- Generating robust evidence for CIF monitoring compliance – Authorities expect service-level evidence showing control performance over time. This includes how controls protecting each CIF perform continuously, where control gaps exist within critical services, and historical performance data. Creating and maintaining this evidence manually doesn't scale and leaves gaps that regulators will find.
Implementing effective DORA CIF resilience testing
We recently covered the challenges of monitoring control effectiveness by critical or important business service in our webinar with Neil Hooper and advisory board member Andreas Wuchner.
Watch: DORA - The operational reality of continuous monitoring at scale webinar
Step 1: Classify CIFs using DORA criteria
Identify which business functions meet DORA's materiality threshold for resilience testing. Work with stakeholders to assess which functions, if disrupted, could cause significant financial loss, market disruption, regulatory breach, or customer harm. Don't rely solely on existing business impact assessments. DORA's CIF criteria are specific - revisit classifications to ensure alignment with regulatory expectations.
Step 2: Map technical dependencies for CIF monitoring
Identify all devices, applications, infrastructure, and third-party services supporting each CIF. This mapping forms the foundation for both continuous CIF monitoring and resilience testing scoping. Accurate service-to-asset mapping often reveals surprising dependencies. Without this mapping, your CIF monitoring and resilience testing programs sit on shaky ground.
Step 3: Aggregate control data for service-level monitoring
Implement continuous CIF monitoring by aggregating device-centric control data - endpoint protection status, patch compliance, configuration drift, access management - and surfacing gaps organized by affected CIFs. Automation is essential. Manually correlating control data from multiple security tools to business services for DORA CIF monitoring doesn't scale and creates evidence gaps.
Step 4: Establish continuous CIF monitoring capabilities
DORA expects real-time visibility into control performance for critical functions. Implement CIF monitoring that:
- Tracks control effectiveness within each CIF continuously
- Flags when performance declines beyond defined thresholds
- Provides historical context to identify trends before they impact resilience
- Enables drill-down from service-level alerts to root causes
Continuous CIF monitoring should connect service-level risk to specific devices and controls, enabling targeted remediation that protects your most important functions.
Step 5: Scope resilience testing based on CIF mapping
Tie your DORA CIF resilience testing program to accurate service-to-asset mapping. This ensures testing is risk-based, comprehensive, and aligned with business continuity priorities.
Step 6: Generate service-level evidence for CIF monitoring
Regulators want service-level documentation proving your CIF monitoring capabilities. Your evidence should demonstrate:
- Which controls protect each CIF, and how they perform over time
- Continuous monitoring results showing control effectiveness trends
- How resilience testing results connect to CIF-specific remediation
- Historical data proving monitoring is ongoing and responsive to changes.
This documentation must be continuous, defensible, and structured for straightforward regulatory reporting during supervisory visits.
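To make Steps 2 to 6 concrete, here is an added illustration (not Panaseer's code or any product's data model) of the aggregation the procedure describes: a constructed service-to-asset mapping and per-device control feed are rolled up into per-CIF coverage, compared against thresholds, and drilled down to the failing devices. The control names, thresholds and device identifiers are all assumptions chosen for the example.

```python
# Constructed sample data (hypothetical devices and controls, not from a real estate).
# Step 2: service-to-asset mapping, which devices support each CIF.
CIF_ASSETS = {
    "Payments": ["pay-app-01", "pay-app-02", "pay-db-01"],
    "Customer Onboarding": ["onb-web-01", "onb-db-01"],
}

# Step 3: device-centric control state collected from separate tools.
# True means the control is healthy on that device (assumed feed format).
CONTROL_STATUS = {
    "pay-app-01": {"edr": True, "patch": True, "config": True},
    "pay-app-02": {"edr": True, "patch": False, "config": True},
    "pay-db-01":  {"edr": False, "patch": False, "config": True},
    "onb-web-01": {"edr": True, "patch": True, "config": True},
    "onb-db-01":  {"edr": True, "patch": True, "config": True},
}

# Step 4: minimum acceptable coverage ratio per control within a CIF (assumed values).
THRESHOLDS = {"edr": 1.0, "patch": 0.9, "config": 0.95}


def coverage_by_cif(cif_assets, control_status, controls):
    """Roll device-level control state up to a per-CIF coverage ratio per control.
    A device missing from the feed counts as failing, so blind spots lower coverage
    rather than silently inflating it."""
    result = {}
    for cif, assets in cif_assets.items():
        result[cif] = {}
        for ctrl in controls:
            ok = sum(1 for d in assets if control_status.get(d, {}).get(ctrl, False))
            result[cif][ctrl] = ok / len(assets)
    return result


def breaches(coverage, thresholds):
    """Service-level alerts: (cif, control, ratio) wherever coverage is below threshold."""
    return [(cif, c, r) for cif, cov in coverage.items()
            for c, r in cov.items() if r < thresholds.get(c, 1.0)]


def drill_down(cif, control, cif_assets, control_status):
    """Root cause for one alert: the devices under the CIF where the control is failing."""
    return [d for d in cif_assets[cif]
            if not control_status.get(d, {}).get(control, False)]


if __name__ == "__main__":
    cov = coverage_by_cif(CIF_ASSETS, CONTROL_STATUS, THRESHOLDS)
    for cif, ctrl, ratio in breaches(cov, THRESHOLDS):
        print(f"{cif}: {ctrl} coverage {ratio:.0%} below threshold ->",
              drill_down(cif, ctrl, CIF_ASSETS, CONTROL_STATUS))
```

Storing each run's `coverage_by_cif` output with a timestamp gives the historical series Step 6 asks for; the same breach list, kept per run, is the evidence that monitoring is continuous.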
Dig deeper: View business service-level controls monitoring dashboards and reporting
How Panaseer's Business Service Lens enables CIF monitoring
Panaseer's Business Service Lens was built to solve the service-level visibility gap that makes DORA CIF resilience testing and continuous monitoring challenging.
Business Service Lens maps devices, applications, and infrastructure to important business services, creating two insight levels for DORA CIF monitoring:
- Business Service level: View overall control performance for CIFs like Payments or Customer Onboarding
- Business Service Applications and Devices level: Drill into specific applications or devices under each CIF to prioritize any necessary remediation based on business impact, regulatory scrutiny, or customer dependency
The platform integrates with trusted data models to connect technical assets to CIFs, monitors control effectiveness across those services continuously, and enables drill-down from service to root cause. When a CIF shows elevated risk, trace it directly to underlying devices and specific controls contributing to that risk.
How Panaseer supports DORA CIF resilience testing
Business Service Lens continuously monitors control effectiveness for each CIF, flags when performance declines, provides historical context for trend analysis, and generates audit-ready evidence supporting DORA resilience testing requirements.
For resilience testing scoping, Business Service Lens provides the service-to-asset mapping needed to ensure testing coverage is comprehensive. For continuous CIF monitoring, it aggregates control data at the service level, eliminating manual correlation and providing the real-time visibility regulators expect.
This benefits multiple roles and teams across the security organization, including:
- CISOs receive business-aligned visibility into how well CIFs are protected, enabling clearer board reporting and investment decisions for resilience testing programs.
- Compliance teams gain access to continuous, service-level evidence aligned to DORA CIF monitoring requirements, replacing manual audits with real-time reporting.
- Security analysts can organize control data by CIF, reducing investigation time during resilience testing and improving remediation focus.
- Business Information Security Officers gain shared risk visibility between security and service owners, aligning stakeholders on CIF protection priorities.
Turning DORA from a compliance burden to operational resilience
DORA CIF resilience testing and continuous monitoring represent a fundamental shift in how financial institutions approach operational resilience.
The path forward requires mapping business services to technical controls, implementing continuous CIF monitoring, scoping resilience testing accurately, and generating service-level evidence.
Panaseer's Business Service Lens provides visibility to achieve all four - connecting CIFs your board cares about to controls your security team manages, with continuous monitoring evidence that satisfies regulators.
See how Panaseer supports DORA readiness end-to-end.