The European Commission rejects the ITS on the register of information under DORA
On 3 September 2024, the European Commission ("EC") notified the European Supervisory Authorities (EBA, EIOPA and ESMA - the "ESAs") of its decision to reject the draft Implementing Technical Standards ("ITS") on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) (the "ITS on RoI") under the Digital Operational Resilience Act ("DORA").
The ITS on RoI introduces several data elements that must be documented by the financial entities in relation to their contractual arrangements for the use of ICT services provided by ICT third-party service providers. The aim of the ITS on RoI is to (i) support financial entities' management of ICT risks stemming from ICT third-party service providers, (ii) support competent authorities to supervise how the financial entities manage these risks, and (iii) help the ESAs to designate critical ICT third-party service providers under DORA.
The main reason for the EC's rejection of the ITS on RoI is the mandatory requirement for the ICT third-party service providers to be identified solely by a Legal Entity Identifier ("LEI"). The EC proposes adding an additional identifier, the European Unique Identifier ("EUID"), which - unlike the LEI - is available free of charge for EU based companies.
On 15 October 2024, the ESAs issued an opinion stating that adding the EUID will introduce unnecessary complexity and may negatively impact the implementation of DORA, including increase maintenance efforts for financial entities and the competent authorities.
However, the ESAs have now presented a new draft of the ITS on RoI, which includes the option to use both LEI and EUID for third-party service providers. Further, the new draft ITS on RoI also introduces minor changes to the original draft, based on the ESAs experience and feedback received from the industry during the dry run exercise in relation to the register of information.
ESAs call for financial entities to increase their implementation efforts
It should be noted that the ESAs also call for the financial entities to increase their implementation efforts in order to be ready to submit their registers of information to the competent authorities in the first half of 2025.
Therefore, Plesner recommends that the financial entities commence or continue their work with the register of information but use the templates in the new draft ITS on RoI instead of the old version.
We further recommend implementing a system-supported register to streamline maintenance and enhance the reliability of data retrieval. Currently, RISMA is developing, in collaboration with Plesner, a solution designed to assist financial entities in managing their register of information, ensuring efficient and accurate data submission to the competent authorities.
As DORA’s effective date approaches on 17 January 2025, Plesner’s Technology & Outsourcing team is ready to support your organization in implementing DORA and the ITS on RoI. Please contact us to discuss how we can assist with your compliance with DORA.
Read ESAs proposals for further changes to the ITS on RoI
Read ESAs proposals for further changes to the Annex of the ITS on RoI