The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today a Decision on the information that competent authorities must report to them for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act (DORA). In particular, the Decision requires competent authorities to report by 30 April 2025 the registers of information on contractual arrangements of the financial entities with ICT third-party service providers.
Following the entry into force of DORA on 17 January 2025, the ESAs, together with competent authorities, will start the oversight of critical ICT third-party service providers (CTPPs) offering services to financial entities in the EU. The first oversight activity is the designation of CTPPs.
The Decision published today provides a general framework for the annual reporting to the ESA of the information necessary for the CTPP designation, including: timelines, frequency and reference dates, general procedures for the submission of information, quality assurance and revisions of submitted data, as well as confidentiality and access to information.
As the deadline for the first submission of the registers of information to the ESAs is set for 30 April 2025, the ESAs expect competent authorities to collect the registers of information from the financial entities under their supervision in advance, following their own timelines.
Although the implementing technical standards (ITS) on the Registers of information have not yet been adopted by the EU Commission, the ESAs note that the essential part of the requirements for registers of information is publicly available since the publication of the ESAs Final Report in January 2024 and that any potential changes in the registers following the rejection by the EU Commission and the ESAs Opinion on the rejection should be limited. Therefore, the ESAs encourage financial entities to anticipate as much as possible the preparation of their registers, especially for information which may not be immediately available (e.g. the relevant identifiers of their ICT providers).
Support to the industry
To support the industry preparations, the ESAs have shared the draft templates, data point model and reporting technical package in May 2024 and have carried out a voluntary Dry Run exercise on reporting of registers of information with participation of around 1000 financial entities across the financial sector in the EU.
The ESAs also published today a list of validation rules that will be used when analysing the registers of information and the visual representation of the data model. These rules will be included in the updated reporting technical package (including updated data point model, taxonomy and validation rules), which is set to be published in December 2024.
Workshop
Financial entities who would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise, are invited to take part in an information workshop on 18 December 2024.
The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024 at the following link.
Legal basis and background
Article 31(1)(a) of Regulation (EU) 2022/2554 (DORA) requires the ESAs, through the Joint Committee and upon recommendation of the Oversight Forum, to annually designate the CTPPs. That designation is to be based on the criteria referred to in Article 31(2) of DORA and the Commission Delegated Regulation (EU) 2024/1502 (Delegated act on criticality).
To perform the designation, the ESAs will need the information necessary for the assessment of the criticality criteria referred to in Article 31(2) of DORA and that set out in the Delegated act on criticality, and will need to collect from this from CAs. This information will need to be reported to the ESAs on annual basis for the CTPP designation. To ensure a common approach throughout the financial sector, the ESAs need to adopt a joint decision on the basis of Article 35 of their Founding Regulations.