Has your information register already been created?
Since January 17, 2025, financial companies, and thus also permitted asset management companies and investment institutions, have been subject to the Digital Operational Resilience Act (DORA). DORA aims to make the financial sector more digitally resilient and strengthen the cybersecurity of financial market participants. As a key task, the regulation stipulates that financial undertakings must maintain an information register containing all contractual agreements on the use of information and communication technology (ICT) between financial undertakings and ICT third-party service providers. In this way, the responsible authorities want to gain an overview of the dependencies between the financial sector and its IT service providers and of where critical concentrations exist.
Likewise, ICT third-party service providers that are considered critical within the meaning of Art. 32 et seq. of the DORA Regulation are to be identified. These critical ICT service providers will be subject to their own monitoring framework at European level.
When creating the register, financial companies must follow the requirements of the European Supervisory Authorities (ESAs). The register consists of almost a hundred attributes, spread over 15 spreadsheets, which must be recorded for ICT services, and it must generally be submitted as a structured file that corresponds to the taxonomy specified by the ESAs.
ICT third-party service providers must be identified using either the Legal Entity Identifier (LEI) or the European Unique Identifier (EUID).
For ICT services that support critical or important functions, the register must also include all subcontractors. Accordingly, reporters are now faced with the challenge of classifying their ICT third-party service providers according to their important or critical functionality and requesting the necessary information from the service provider in connection with a DORA contract addendum.