This Friday (17 January) the EU Digital Operational Resilience Act, DORA, comes into force and, unusually for EU legislation, there are no transitional provisions, meaning the legislation takes effect immediately.

The European Securities and Markets Authority has already warned that financial entities should identify and address gaps between their internal set-ups and DORA’s requirements. In addition, as of this Friday firms should be ready to report ICT-related incidents in accordance with the new reporting obligations. Firms should also be ready for a request to provide the new register of ICT third-party providers’ contractual arrangements as soon as February/March.

For those financial entities that are behind with their DORA implementation we are running last-minute bespoke emergency clinics and training.

For further information please contact Floortje Nagelkerke, Anna Carrier, Sebastien Praicheux, Dorothee Ciolino or your usual Norton Rose Fulbright contact.

On 17 December 2024, the European Supervisory Authorities (ESAs) issued a summary report with the key findings from the 2024 dry run exercise on reporting the registers of information (RoI) under the Digital Operational Resilience Act (DORA).

Dry run

The primary objective of the dry run exercise was to help financial entities with the preparation of the RoI and their reporting to Member State competent authorities (NCAs) and the ESAs. The exercise was designed to help the industry improve data quality for the formal reporting that will begin from 2025. The dry run exercise also allowed for testing the reporting processes in an environment as close as possible to the official reporting.

Summary report

The summary report is intended to provide an overview of the dry run exercise and its key findings focusing on the quality of data found in the RoI submitted to the ESAs.

The report draws conclusions and highlights lessons learnt that should be considered by financial entities, NCAs and the ESAs to ensure that the financial sector is generally better prepared for the start of the application of DORA in 2025, and that the RoI reported by financial entities are of better quality and meet the requirements of the applicable legislation.

The report has three main sections:

  • Section 2 provides an overview of the participating financial entities.
  • Section 3 deals with the key points observed in the dry run submissions from a data quality perspective.
  • Section 4 focuses on the key lessons learnt for financial entities, NCAs and the ESAs for the finalisation of their preparations for the official reporting of RoI to start from 2025.

Lessons learnt

Lessons learnt and recommendations for financial entities include that they:

  • Should continue to identify and integrate missing data into their RoI, so they are able to submit full registers to their NCA and then the ESAs. Missing mandatory information will be flagged as data quality issues with the request to re-submit the registers within the short time frame provided.
  • Are encouraged to continue, as far as possible, the preparation of their registers, especially for information which may not be immediately available (e.g. the relevant identifiers of their third-party service providers (TPPs)), where additional data collection/retrieval efforts may be necessary given that such information has not been used in the dry run.
  • Are encouraged to ensure that they have a valid LEI for themselves and for all financial entities belonging to their consolidated groups, noting that where the registers are reported on a consolidated basis, all financial entities included in template B_01.02 should be identified with an LEI.
  • Are encouraged to work with their TPPs so that those providers are identified and recorded in the registers with the identifiers specified in the ITS on the Registers of information.

On 4 December 2024, the European Supervisory Authorities (ESAs) issued a statement on the application of the Digital Operational Resilience Act (DORA).

The statement notes that DORA and its technical standards and guidelines will apply from 17 January 2025, and financial entities and third-party providers are called on to advance their preparations to ensure readiness. It also emphasises the importance for financial entities of adopting a robust, structured approach to meeting their obligations in a timely manner, given that DORA does not provide for a transitional period.

Other key messages in the statement include that financial entities:

  • Are expected to identify and address in a timely manner gaps between their internal set-ups and DORA’s requirements.
  • Should prepare for the new reporting obligations; in particular, financial entities need to have their registers of ICT third-party providers’ contractual arrangements available for Member State competent authorities early in 2025, as the latter will have to report them to the ESAs by 30 April 2025.

The ESAs also invite those ICT third-party service providers that meet the criticality criteria published in May 2024 to assess their operational set-up against DORA’s requirements. The first designation of critical ICT third-party service providers is expected to take place in H2 2025.

On 2 December 2024, Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of the Regulation on digital operational resilience for the financial sector (DORA) with regard to standard templates for the register of information was published in the Official Journal of the EU. The Implementing Regulation enters into force on the twentieth day following that of its publication in the Official Journal of the European Union (22 December 2024).

On 15 November 2024, the European Supervisory Authorities issued a Decision on the information that Member State competent authorities (NCAs) must report to them for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act (DORA). In particular, the Decision requires NCAs to report by 30 April 2025 the registers of information on contractual arrangements of the financial entities with ICT third-party service providers.

Financial entities who would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise are invited to take part in an information workshop on 18 December 2024. The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024.

On 6 November 2024, the Joint Committee of the European Supervisory Authorities (ESAs) published joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under the Regulation on digital operational resilience for the financial sector (DORA).

The ESAs issue these guidelines on the basis of Article 32(7) of DORA, which provides that the ESAs will issue guidelines on the cooperation between the ESAs and the competent authorities covering:

  • The detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs.
  • The details on the exchanges of information which are necessary for competent authorities to ensure the follow-up of recommendations addressed to ICT third-party service providers to financial entities that have been designated as critical.

Next steps

Competent authorities must notify the respective ESA whether they comply or intend to comply with the guidelines, or otherwise with reasons for non-compliance, within two months after the issuance of the translated versions of the guidelines. In the absence of any notification by this deadline, competent authorities will be considered by the respective ESA to be non-compliant.

The guidelines apply from 17 January 2025.

They will be subject to a review by the ESAs.

On 24 October 2024, the European Commission adopted a Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) on harmonisation of conditions enabling the conduct of the oversight activities.

The European Supervisory Authorities issued the draft RTS as part of the second batch of policy products under DORA earlier this year.

The Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.

On 23 October 2024, the European Commission adopted:

  • Commission Delegated Regulation (EU) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards (RTS) specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

The RTS and ITS are based on drafts that the Joint Committee of the European Supervisory Authorities published earlier this year.

The Council of the EU and the European Parliament will scrutinise the Delegated Regulation. If neither objects, it will be published in the Official Journal of the European Union (OJ).

The Implementing Regulation will be published in the OJ without further scrutiny.

Both will enter into force 20 days after publication in the OJ.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an Opinion on the European Commission’s (Commission) rejection of the draft Implementing Technical Standard (ITS) on the register of information under the Digital Operational Resilience Act (DORA).

By way of background, the ESAs submitted a draft ITS to the Commission in January 2024; in September 2024 the Commission sent a letter to the ESAs rejecting the proposed draft citing the principle of proportionality with regard to requirements relating to legal identifiers for ICT third-party service providers. The Commission contested the mandatory use of Legal Entity Identifier (LEI) for EU third-party ICT service providers, arguing that the companies should have a choice between the use of the LEI and the European Unique Identifier (EUID).

In its Opinion, the ESAs push back on the Commission’s suggestion to provide for an alternative between the use of the LEI and the EUID, arguing that only the former provides for international convergence in the identification of legal entities participating in financial markets and related activities. The ESAs defend their original proposal mandating the use of the LEI, arguing that they have not found alternatives capable of providing efficiencies to both the industry and supervisors and of achieving international convergence in the area of global cyber security and operational resilience. The ESAs took note of the Commission’s arguments but countered that the introduction of the EUID as an identifier for ICT third-party service providers within the registers of information would require previously unplanned implementation and maintenance efforts and costs for financial entities. That said, the ESAs suggest clarifying the proposed framework to allow the use of two identifiers, giving priority to the LEI where both identifiers are available to the financial entity, with the EUID as an alternative identifier to the LEI for ICT third-party service providers established in the EU.

In addition, having taken into account the feedback received from the register of information “dry run” exercise that was concluded earlier this year, the ESAs also suggest certain minor changes to the draft ITS. The proposed amendments include both technical changes to the register of information templates and changes to the text of the revised draft ITS.

The changes to the templates concern the reporting instructions, with the aim of providing additional clarifications. Importantly, the ESAs did not propose any substantive changes to the list of ICT services included in Annex III of the draft ITS. The ESAs also clarified recital 7 in the draft ITS, stating that “the register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintaining the register”.

The Commission is now expected to publish the revised ITS over the coming weeks.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an opinion regarding the European Commission’s (EC) rejection of the draft Implementing Technical Standards (the Draft ITS) for the register of information under the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). DORA requires financial entities to maintain and regularly update a register of information covering all contractual agreements with ICT third-party service providers. This register is crucial for managing third-party ICT risks and will enable the EU competent authorities and ESAs to supervise compliance with DORA and identify critical ICT service providers subject to DORA’s oversight framework. The Draft ITS contains standard templates for this register.

The EC rejected the Draft ITS on 3 September 2024 due to concerns over the mandatory use of the Legal Entity Identifier (LEI) for identifying ICT third-party service providers. Among other things, the EC wants to see the ability for entities to use either the LEI or the European Unique Identifier (EUID), arguing that the EUID is already widely used by EU companies. In their response, the ESAs expressed concerns that incorporating the EUID alongside the LEI would add unnecessary complexity, increase implementation costs, and introduce potential data quality issues. The ESAs emphasised that the LEI’s widespread international adoption and robust data validation capabilities make it the more suitable option for financial reporting. As a result, the ESAs favour the exclusive use of the LEI.

In the end, the ESAs suggest keeping the LEI as the main identifier but recognise that if the EUID is adopted, additional changes to the Draft ITS would be necessary for a seamless implementation. These changes would involve adding new data fields and prioritising the LEI in cases where both identifiers are present.

Finally, financial entities are encouraged to ramp up their implementation efforts to be ready to submit their registers in the first half of 2025.

The ESAs’ opinion is available via this link.