On 15 October 2024, the European Supervisory Authorities (ESAs) issued an Opinion on the European Commission’s (Commission) rejection of the draft Implementing Technical Standard (ITS) on the register of information under the Digital Operational Resilience Act (DORA).
By way of background, the ESAs submitted a draft ITS to the Commission in January 2024; in September 2024 the Commission sent a letter to the ESAs rejecting the proposed draft citing the principle of proportionality with regard to requirements relating to legal identifiers for ICT third-party service providers. The Commission contested the mandatory use of Legal Entity Identifier (LEI) for EU third-party ICT service providers, arguing that the companies should have a choice between the use of the LEI and the European Unique Identifier (EUID).
In its Opinion, the ESAs push back on the Commission’s suggestion to provide for an alternative between the use of the LEI and the EUID, arguing that only the former provides for international convergence for the identification of legal entities participating in financial markets and related activities. The ESAs defend their original proposal by mandating the use of the LEI, arguing that they have not found alternatives capable of providing efficiencies to both the industry and supervisors and achieving international convergence in the area of global cyber security and operational resilience. The ESAs took note of the Commission’s arguments but contested that the introduction of the EUID as identifier for the ICT third-party service providers within the registers of information would require previously not planned implementation and maintenance efforts and costs for financial entities. That said, the ESAs suggest clarifying the proposed framework allowing for a use of two identifiers by giving priority to using LEI in the cases where both identifiers are available to the financial entity, with the EUID as an alternative identifier to the LEI for ICT third-party service providers established in the EU.
In addition, having taken into the account the feedback received from the register of information “dry run” exercise that was concluded earlier this year, the ESAs also suggest certain minor changes to the draft ITS. The proposed amendments include both technical changes to the register of information templates and the text of the revised draft ITS.
The changes to the templates concern the reporting instructions, with the aim of providing additional clarifications. Importantly, the ESAs did not propose any substantive changes to the list of ICT services as included in Annex III of the draft ITS. The ESAs also clarified recital 7 in the draft ITS stating that “the register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintain the register”.
The Commission is now expected to publish the revised ITS over the coming weeks.