ESA: New reporting rules for ICT suppliers under DORA
Important dates and new responsibilities
On 15 November 2024, the European Supervisory Authorities ( EBA, EIOPA and ESMA – ESA) published a decision on the information that competent authorities must provide to them facilitating the designation of critical external ICT service providers under the Digital Operational Resilience Regulation (DORA).
By 30 April 2025, competent authorities must provide ESA with records of information on contracts between financial entities and external ICT providers. Under DORA, ESAs will begin supervising critical ICT providers after its entry into force on 17 January 2025. The first step in this process will be to identify providers considered critical.
DORA in practice: how will key ICT suppliers be identified?
From January 2025, after DORA enters into force, ESAs, in cooperation with competent authorities, will start supervising ICT providers offering key services to financial entities in the EU. The process of identifying CTPPs (Critical ICT Third-Party Providers) will be based on collected and analyzed records of information provided by financial entities and supervisory authorities.
New requirements – what do you need to know?
The ESA decision sets out detailed guidelines for reporting:
- schedules,
- frequency,
- data transmission procedures,
- quality assurance,
- confidentiality and access to information.
Although the technical standards (ITS) for registers have not yet been formally adopted by the European Commission, most of the requirements have been publicly available since January 2024. The ESA recommends that financial entities prepare their registers in advance, especially for information that is difficult to access, such as ICT provider identifiers.
Support for the financial sector
To facilitate preparations, the ESAs made available:
- draft templates,
- data point models
- a technical package on reporting already in May 2024. A voluntary workshop was also held with the participation of around 1000 financial entities from across the sector in the EU.
- the validation rules and visual data model, which will be included in an updated technical package, planned for December 2024.
In addition, a voluntary workshop was also held with the participation of around 1000 financial entities from across the sector in the EU.
When will the next workshop take place?
Financial entities interested in preparing the registers and the results of the dry run exercise can participate in an information workshop organized by ESA. The meeting will be held virtually on 18 December 2024 from 10:00 to 13:00. Registration is open until 16 December 2024.
Through the materials and workshops provided, ESA encourages all financial institutions to proactively prepare to ensure that the reporting process runs smoothly and in line with the requirements.
Do you want to keep up to date with the most important changes in the law? Subscribe to our newsletter to receive: the latest regulatory news and notifications of important dates and events.