15/11/2024
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today a Decision on the information that competent authorities must report to them for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act (DORA). In particular, the Decision requires competent authorities to report by 30 April 2025 the registers of information on contractual arrangements of the financial entities with ICT third-party service providers.
Following the entry into force of DORA on 17 January 2025, the ESAs, together with competent authorities, will start the oversight of critical ICT third-party service providers (CTPPs) offering services to financial entities in the EU. The first oversight activity is the designation of CTPPs.
The Decision published today provides a general framework for the annual reporting to the ESA of the information necessary for the CTPP designation, including timelines, frequency and reference dates, general procedures for the submission of information, quality assurance and revisions of submitted data, as well as confidentiality and access to information.
As the deadline for the first submission of the registers of information to the ESAs is set for 30 April 2025, the ESAs expect competent authorities to collect the registers of information from the financial entities under their supervision in advance, following their own timelines.
Although the implementing technical standards (ITS) on the Registers of information have not yet been adopted by the EU Commission, the ESAs note that the essential part of the requirements for registers of information is publicly available since the publication of the ESAs Final Report in January 2024 and that any potential changes in the registers following the rejection by the EU Commission and the ESAs Opinion on the rejection should be limited. Therefore, the ESAs encourage financial entities to anticipate as much as possible the preparation of their registers, especially for information which may not be immediately available (e.g. the relevant identifiers of their ICT providers).
Support to the industry
To support the industry preparations, the ESAs have shared the draft templates, data point model and reporting technical package in May 2024 and have carried out a voluntary Dry Run exercise on reporting of registers of information with participation of around 1000 financial entities across the financial sector in the EU.
The ESAs also published today a list of validation rules that will be used when analysing the registers of information and the visual representation of the data model. These rules will be included in the updated reporting technical package (including updated data point model, taxonomy and validation rules), which is set to be published in December 2024.
Workshop
Financial entities who would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise, are invited to take part in an information workshop on 18 December 2024.
The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024 at the following link.