The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today issued an Opinion on the European Commission’s (EC) rejection of the draft Implementing Technical Standards (ITS) on the registers of information under the Digital Operational Resilience Act (DORA). The ESAs raise concerns over the impacts and practicalities of the proposed EC changes to the draft ITS on the registers of information in relation to financial entities’ contractual arrangements with ICT third-party service providers.
The draft ITS proposed by the ESAs were rejected by the EC on the grounds that it is necessary to allow financial entities the choice of identifying their ICT third-party service providers registered in the EU either by using the Legal Entity Identifier (LEI) or by using the European Unique Identifier (EUID).
In the ESAs’ view, the EC’s proposal of adding an additional identifier, allowing EU-based companies to use the EUID, will cause unnecessary complexity and could have negative impacts on the implementation of DORA by financial entities, competent authorities and the ESAs.
The ESAs note that, although the EUID is available free of charge to EU-registered companies, its introduction in the registers of information would entail unforeseen implementation and maintenance efforts for the financial entities. In particular, it would limit the access to and the possibility for verification of the information by the financial entities and competent authorities. This would lead to a potential increase in the overall reporting burden for financial entities in the context of DORA. In addition, the coexistence of two identifiers could bring additional complexity that would negatively impact the quality of data used, and risk delays in the designation of critical ICT third-party service providers (CTPPs) by the ESAs.
If the EC decides to proceed with the introduction of the EUID, despite the above concerns, additional changes to the draft ITS will be necessary. The Opinion indicates how the draft ITS should be adapted further to cater for the use of the EUID. Without these changes, the ITS could not be practically applied for a proper identification of the ICT third-party service providers, which would negatively impact the designation of CTPPs. The ESAs also note that in the case of co-existence of both LEI and EUID, the financial entities should be given the preference for using LEI, especially where both identifiers are available to them, and for the case of groups, it is important to ensure homogeneity in the registered identification codes for all ICT third-party service providers.
The ESAs also suggest in their Opinion further changes to the draft ITS, reflecting the practical feedback received from financial entities participating in the voluntary dry run exercise on reporting of registers of information.
The ESAs call for the final decision on the use of identifiers and the swift adoption of the draft ITS by the EC. This is particularly relevant for the ESAs, who will be designating CTPPs in 2025. Finally, leveraging on the experience of the dry run exercise, the ESAs call financial entities to increase their implementation efforts in order to be ready to submit their registers of information to the competent authorities in the first half of 2025.
Background and legal basis
Article 28(9) of DORA (Regulation (EU) 2022/2554) mandates the ESAs to develop draft ITS to establish the standard templates for the register of information referred to in Article 28(3) of DORA. The draft ITS was developed and submitted by the ESAs to the EU Commission on 17 January 2024.
The registers of information maintained by the financial entities serve as an important input for the ESAs’ work on the designation of CTPPs that will be subject to the oversight by the ESAs.
On 3 September 2024, the European Commission, acting in accordance with the procedure set out in the fourth subparagraph of Article 15(1) of the ESAs Regulations, notified the ESAs of the rejection of the ITS on the basis of the envisaged mandatory use of the LEI to identify ICT third-party service providers under Article 3(5) and (6) of the draft ITS.
Pursuant to Article 15(4) of the ESAs Regulation, the ESAs prepared this Opinion on the proposed amendments to the draft ITS by the EU Commission. In addition, the ESAs also suggested some other changes to the draft ITS based on the experience and feedback received from the industry during the ‘dry run’ exercise the ESAs carried out during 2024 to support the industry in the preparation for submission of the registers of information and to test the reporting process.