Under the Digital Operational Resilience Act (Regulation (EU) 2022/2554), there are two criticality criteria:
- Criticality of the function using the information and communication technology (ICT) service: Article 8.5 of DORA, as determined by financial entities; and
- Criticality of the ICT service provider: Article 31 of DORA, as determined by the European Supervisory Authorities (ESAs).
Pursuant to Article 31(1) of DORA, the ESAs are responsible for identifying and designating the ICT service providers that are critical to financial entities. In November 2025, the ESAs published the list of such providers, and Proofpoint was not included in this initial list. Proofpoint’s expectation is that it will not be identified as such by the ESAs in any future lists that the ESAs distribute because the failure of Proofpoint’s services would not result in large-scale operational disruption to a regulated financial entity.
Similarly, Proofpoint, Inc. does not view itself as an ICT service provider whose activities support “critical or important functions” of financial entities.
Under Article 3(22) of DORA, an ICT service provider is deemed to support a “critical or important function” where disruption of that function would have serious consequences for the financial entity. Specifically, it would:
- materially harm the financial performance of the financial entity,
- significantly damage the soundness or continuity of the financial entity’s services and activities, or
- cause the financial entity to fail to comply with its authorization conditions or with other applicable financial services legal obligations.
In other words, “critical or important functions” are those that are essential to a financial institution’s ability to operate normally, fulfill legal and regulatory obligations, and maintain stability.
The concept of “critical or important functions” is further described by the European Banking Authority (EBA) Guidelines on Outsourcing and Article 2(1)(35) of the Bank Recovery and Resolution Directive (BRRD) (Directive 2014/59/EU), which refer primarily to functions directly related to banking activities or payment services; these functions, if suddenly stopped, would likely disrupt services essential to the real economy or unsettle financial stability. Proofpoint’s products and services do not involve, support, or impact any deposit-taking, trading, or payment processing activities.
Proofpoint is a cybersecurity company that protects organizations from email-based threats, data loss, and human-targeted attacks such as phishing and ransomware. Proofpoint also provides solutions for information protection, compliance, and securing cloud and digital communications. Proofpoint’s products and services generally sit between customers and their email service providers to filter and block malicious content. Proofpoint does not provide email services, domain hosting, or any infrastructure for sending or receiving communications. As such, Proofpoint does not act as an email service provider or domain registrar, nor do Proofpoint’s products and services support or form part of a regulated entity’s critical or important functions under EU financial services law.
The Proofpoint Trust site (https://www.proofpoint.com/us/legal/trust) is a resource intended to assist with our customers’ due diligence processes and provides additional information.
© 2026 Proofpoint. All rights reserved. The content on this site is intended for informational purposes only.
Last updated March 02, 2026.