Understanding DORA Information Register: Strengthening Financial Sector Digital Resilience
28th September 2023
The DORA Information Register
The financial sector’s rapid digitalization requires strong regulatory measures to safeguard against cybersecurity threats and potential technological disruptions. Part of this effort is the Digital Operational Resilience Act (DORA), which, among other things, addresses the financial sector’s growing reliance on information and communication technology (“ICT”) third-party providers.
The information register forms part of the ICT third-party risk management framework and shall allow financial entities to identify and assess the risks arising from contractual arrangements on the use of ICT services.
Separately, the new obligation on financial entities to report to the national competent authorities is intended to ensure effective supervision and to give the authorities a broader understanding of the ICT dependencies of financial entities.
Understanding DORA’s Information Register Requirements
Within the ICT risk management framework, financial entities are obliged to maintain a comprehensive register that captures all contractual arrangements with third-party ICT service providers on the use of ICT services. Financial entities must distinguish ICT services that support critical or important functions from those that do not.
At least once a year, firms shall report to the national competent authority the number of new arrangements on the use of ICT services, the categories of ICT service providers, the type of contractual arrangements, and the ICT services and functions that are being provided; they are also obliged to provide the entire register upon request.
This high-level requirement is specified by the Consultation Paper on Draft Implementing Technical Standards (“ITS Draft”) published by the European Supervisory Authorities (“ESAs”). The ITS Draft presents the templates composing the information register in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024.
Financial entities are expected to use these standardized templates and to fill in the information as laid out in the Draft ITS as part of the ICT risk framework.
Are you in scope?
The requirement targets a broad range of financial entities, among others investment firms, managers of alternative investment funds, management companies, credit institutions, and payment institutions.
Please note that in the case of groups, all financial entities that are part of the group shall maintain and update, in addition to their register at the entity level, the information register at the sub-consolidated and consolidated level.
Also, group-internal service providers are in scope and the data about this intra-group ICT arrangement must be included in the information register.
With regard to application outside of the European Union, DORA has an extraterritorial effect for non-EU companies that provide ICT services in the supply chain. This might become relevant, for example, if ICT services are performed by an intra-group entity that is based outside of the EU but provides the service to an EU-based financial entity.
In addition, clarification is expected on whether non-EU AIFMs that manage EU AIFs or market AIFs in the EU fall within the scope of DORA.
What are your obligations?
You will be required to fill out the templates with data using the formats set out in Annex I of the ITS Draft for the information at the entity level, and Annex II of the ITS Draft for information at the sub-consolidated and consolidated level.
The register of information at the entity level is composed of 10 templates. The ESAs visualized the templates by the following illustration in the ITS Draft:
The ITS Draft provides additional and extensive details about the information and granular instructions on how to fill out the templates.
Some of the templates are linked to each other by using four relational keys, namely:
- The contract reference number;
- The ICT third-party service provider identifier;
- The function identifier;
- The ICT service identifier.
They are symbolized by the colored dots in the illustration above.
If you are part of a group, you must fill out all of the following templates:
In summary, you are obliged to include information about your own financial entity and about the contractual arrangements with an ICT third-party service provider (in principle also about the entities in the supply chain), to identify the functions and ICT services concerned, and to record the assessment of the ICT services and a set of internal definitions. At group level, you must fill out additional templates, include information about group-internal or group-external relations, specify which group entity signs the contractual arrangement, and clarify which entities are covered by the (sub-)consolidation.
Furthermore, you are obliged to report to the competent authority on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements, and the ICT services and functions that are being provided at least on a yearly basis. Upon request, you must make available the entire information register to the regulator.
What should you do now?
We recommend that you read through the detailed instructions of the ITS Draft in order to familiarise yourself with the new regulatory requirements.
Most important will be the review of the existing database and the identification of data that DORA requires but that is currently missing. Accurate and consistent data are the basis for a compliant information register and for any reporting obligation.
Your data management capabilities, operational processes regarding the data collection from various parties, and technical setup of the information register including the reporting functionality to the national competent authorities are crucial to meet the new regulatory requirements.
In addition, you must ensure that all the data is properly stored and archived for 5 years after the contract termination with the ICT service provider.
Furthermore, you should ensure that the information register has an audit trail functionality that allows changes significantly affecting the information contained in the register to be retrieved for at least the previous 5 years.
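As an added illustration (not code from the ITS Draft or from Zeidler Group), the following constructed Python model shows how the four relational keys link the register's templates, a referential check that flags keys pointing at no row, the critical/important distinction, and the 5-year audit-trail and post-termination retention windows described above; the field layouts, identifiers and sample data are assumptions, not the ITS template contents.

```python
from dataclasses import dataclass, field
from datetime import date
RETENTION_YEARS = 5  # post-termination retention and audit-trail look-back stated on the page

def shift_years(d, n):  # move a date by n whole years; a 29 Feb start falls back to 28 Feb
    return d.replace(year=d.year + n, day=28 if (d.month, d.day) == (2, 29) else d.day)

@dataclass
class Register:
    # Constructed, simplified model: one dict per template, keyed by its relational key.
    providers: dict = field(default_factory=dict)  # provider_id -> name
    functions: dict = field(default_factory=dict)  # function_id -> (name, critical_or_important)
    services: dict = field(default_factory=dict)   # service_id -> (provider_id, function_id)
    contracts: dict = field(default_factory=dict)  # contract_ref -> (provider_id, [service_id], end|None)
    audit: list = field(default_factory=list)      # (change_date, template, key, description)

    def dangling_references(self):
        """Rows whose relational key points at no row in the linked template."""
        links = [(f"service {s}", p, self.providers) for s, (p, _) in self.services.items()]
        links += [(f"service {s}", f, self.functions) for s, (_, f) in self.services.items()]
        links += [(f"contract {c}", p, self.providers) for c, (p, _, _) in self.contracts.items()]
        links += [(f"contract {c}", s, self.services) for c, (_, sids, _) in self.contracts.items() for s in sids]
        return [f"{row}: unknown key {key}" for row, key, table in links if key not in table]

    def critical_contracts(self):
        """Contract refs whose ICT services support a critical or important function."""
        return sorted(c for c, (_, sids, _) in self.contracts.items()
                      if any(self.functions.get(self.services[s][1], ("", False))[1]
                             for s in sids if s in self.services))

    def audit_window(self, today):
        """Changes that must stay retrievable: those from the previous RETENTION_YEARS years."""
        return [e for e in self.audit if e[0] >= shift_years(today, -RETENTION_YEARS)]

    def retention_expired(self, today):
        """Terminated contracts whose post-termination retention period has elapsed."""
        return sorted(c for c, (_, _, end) in self.contracts.items()
                      if end and shift_years(end, RETENTION_YEARS) <= today)

def sample_register():
    """Constructed sample data; identifiers are placeholders, not values from the ITS templates."""
    return Register(
        providers={"PRV-001": "Example Cloud Ltd"},
        functions={"FUN-001": ("Payment processing", True), "FUN-002": ("Newsletter", False)},
        services={"SVC-001": ("PRV-001", "FUN-001"), "SVC-002": ("PRV-001", "FUN-002"),
                  "SVC-003": ("PRV-999", "FUN-001")},  # PRV-999 is defined in no template
        contracts={"CTR-001": ("PRV-001", ["SVC-001"], None),
                   "CTR-002": ("PRV-001", ["SVC-002"], date(2017, 3, 31))},
        audit=[(date(2016, 1, 15), "contracts", "CTR-002", "added"),
               (date(2023, 6, 1), "contracts", "CTR-001", "added")])
```

Running `sample_register().dangling_references()` reports the service that references the undefined provider, which is the kind of inconsistency a regulator's loader would reject when the full register is requested.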
The DORA requirement for an information register shall strengthen the digital resilience of the financial sector. Financial entities are expected to undertake enormous efforts to implement the new measures. Despite the draft character of the ITS and the ongoing consultation, significant and materially new requirements are likely to arise.
Given the complexity, the amount of data, and the impact on the operational processes, we recommend starting with the internal project work as soon as possible.
How Zeidler Group can help
If you have any questions or require support, the Zeidler team is here to help. Get in touch with our team of legal and regulatory professionals to remain up to date on the latest legal, regulatory, ESG, and compliance changes affecting the asset management industry.