A pivotal component of DORA is the mandate for financial entities to maintain, as part of their ICT risk management framework, a Register of Information (RoI) detailing all contractual arrangements about the use of ICT services provided by ICT third-party service providers.

Purpose of the Register of Information

The RoI serves multiple critical functions within the DORA framework:

1. Enhanced Supervisory Oversight: By maintaining a comprehensive record of ICT third-party dependencies, financial entities provide supervisors with essential information to understand and monitor these relationships. This transparency aids in identifying potential systemic risks arising from concentrated dependencies on specific ICT providers.

2. Facilitation of Service Provider Designation: The RoI is instrumental in the process of designating certain ICT third-party service providers as critical or important.

3. Strengthening Risk Management Frameworks: Incorporating the RoI into the ICT risk management framework allows financial entities to better systematically assess and manage risks associated with third-party ICT services. This structured approach ensures that all potential vulnerabilities are identified and addressed promptly.

Requirements of the Register of Information

DORA outlines specific requirements for the RoI to ensure its effectiveness.

Financial entities are required to maintain and regularly update the RoI at the entity, sub-consolidated, and consolidated levels. This ensures a holistic view of all ICT third-party arrangements across the organisation.

The RoI must include specific details of each contractual arrangement, including:

1. Identification of the ICT third-party service provider
2. Description of the services provided
3. Duration and renewal terms of the contract
4. Risk assessment of the ICT services when they support a critical or important function or material part thereof
5. Sub-contracting arrangements, if any
6. Data storage and location
7. Termination conditions.

This level of detail ensures that financial entities have a clear understanding of their ICT dependencies and can manage them effectively.

To promote consistency and facilitate supervisory review, the European Supervisory Authorities (ESAs) have developed standard templates for the RoI. These templates provide a uniform structure for recording information, ensuring comparability across entities.

It should be noted that, despite DORA being applicable as from 17^th January 2025, the European Commission and the ESAs have still not resolved a disagreement between them over the draft Implementing Technical Standards (ITS) on the RoI.

The draft ITS proposed by the ESAs were rejected by the European Commission on the grounds that it is necessary to allow financial entities the choice of identifying their ICT third-party service providers registered in the EU either by using the Legal Entity Identifier (LEI) or by using the European Unique Identifier (EUID). 

In the ESAs’ view, the Commission’s proposal of adding an additional identifier, allowing EU-based companies to use the EUID, will cause unnecessary complexity and could have negative impacts on the implementation of DORA by financial entities, competent authorities and the ESAs. They noted that, although the EUID is available free of charge to EU-registered companies, its introduction in the registers of information would entail unforeseen implementation and maintenance efforts for financial entities. 

In their opinion, issued in October 2024, the ESAs called for the final decision on the use of identifiers and the swift adoption of the draft ITS by the Commission as this impacts the timeline of designating critical ICT third-party service providers under DORA.

Intricacies and Implementation Challenges

In 2024, the ESAs conducted a dry run exercise to allow for the testing of the reporting processes in an environment designed to mimic the first iteration of the official reporting in 2025. This exercise sought to test the reporting process and the accuracy of such testing by allowing financial entities to carry out this exercise on a best-effort basis.

Based on the input of 1039 financial entities, the ESAs’ summary highlighted that the most frequent issues identified were missing mandatory information, the use of an invalid LEI and an invalid Data Point Model value.

Indeed, implementing the RoI presents several challenges and considerations:

1. Data Consistency Across Levels: For financial groups operating at multiple levels, ensuring data consistency across entity, sub-consolidated, and consolidated RoIs is crucial. Discrepancies can lead to gaps in oversight and risk management.

2. Dynamic Nature of ICT Arrangements: The rapidly evolving landscape of ICT services means that contractual arrangements can change frequently. Financial entities must establish processes to ensure the RoI is updated promptly to reflect any changes, maintaining its accuracy and relevance. This is essential as financial entities are also required to inform their competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

3. Integration with Existing Risk Management Frameworks: Incorporating the RoI into existing ICT risk management frameworks requires careful planning. Entities must ensure that the RoI complements other risk management tools and processes, providing a cohesive approach to ICT risk management.

4. Regulatory Compliance and Reporting: Financial entities must be prepared to provide their RoI to competent authorities upon request, necessitating a high standard of accuracy and completeness. Furthermore, they are required to report, at least yearly, on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.

Based on the results of the dry-run exercise, the ESAs also recommended to financial entities to further familiarise themselves with the ITS, to ensure that all ICT service providers and related entities are correctly identified in accordance with their respective LEIs, and to be prepared to convert their data into the required formats for reporting purposes.

Deadline for Maltese Financial Entities

Further to a recent circular issued by the MFSA, persons who have been authorised by the MFSA by and including 31^st March 2025, and which fall within DORA’s scope, are required to submit their RoI to the MFSA between 1^st – 8^th April 2025, both days included. Failure to submit within this deadline may result in regulatory action by the MFSA. Those persons authorised after 31^st March 2025 shall not be included in the 2025 RoI reporting requirement but will still be required to maintain a RoI and make it available to the MFSA upon request.

The MFSA will communicate further instructions regarding the RoI reporting for 2026 in due course.

The Register of Information is a cornerstone of DORA's strategy to bolster the digital operational resilience of the EU's financial sector. By meticulously documenting ICT third-party arrangements, financial entities not only comply with regulatory mandates but also enhance their own risk management capabilities. While the implementation of the RoI presents challenges, a proactive and structured approach will enable entities to navigate these complexities effectively, contributing to a more resilient and secure financial ecosystem.

This is the fourth article in our series "Chartering DORA Compliance: A Guide for Financial Entities".

For information or assistance please contact us at info@gtg.com.mt

Author: Dr Cherise Abela Grech