Next month, the European Supervisory Authorities (ESAs) are set to launch a voluntary exercise to collect registers of information of contractual arrangements on the use of ICT third-party service providers by financial entities.
Beginning in 2025, financial entities will have to maintain registers of information regarding their use of ICT third-party providers under the Digital Operation Resilience Act (DORA).
DORA is aimed at strengthening the IT security of financial entities and ensuring that the European financial sector can remain resilient in the event of severe operational disruption.
Specifically, the regulation is focused on the harmonisation of rules related to operational resilience for the financial sector, applying to 20 different types of financial entities and ICT third-party service providers.
This dry run exercise initiated by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) -the ESAs – will collect information from financial entities through their competent authorities and will act as preparation for the implementation and reporting of registers of information under DORA.
The voluntary exercise will gather the relevant information specified in the ESAs’ final draft implementing standards on the registers of information and report these to respective competent authorities who will ultimately provide those to the ESAs.
The ESAs have confirmed that they will support participating financial entities in: building their register of information in the format as close as possible to the steady-state reporting from 2025; testing the reporting process; addressing data quality issues; and improving internal processes and the quality of their registers of information.
The ESAs will also provide feedback on data quality to participating financial entities and return cleaned files with their register of information, alongside organising workshops and respond to frequently asked questions.
The ad-hoc data collection is set to launch in May, with the financial entities expected to submit their registers of information to the ESAs through their competent authorities between 1 July and 30 August.