News Update Financial Regulatory and IT
12 December 2024
From 17 January 2025 onwards, financial entities in scope need to comply with the EU Digital Operational Resilience Act (DORA). We informed you about this legislation here and here.
A key requirement under DORA is the setup and completion of registers of information on contractual arrangements on the use of ICT services provided by ICT third-party providers (the "Information Registers"). This requirement applies to financial entities pursuant to Article 28(3) DORA. The European Supervisory Entities (the "ESAs") recently published a decision requiring the Authority for the Financial Markets ("AFM") and the Dutch Central Bank ("DNB") to submit to the ESAs the Information Registers collected from financial entities, within very strict timelines. In addition, on 2 December, the European Commission adopted the implementing technical standards on the Information Registers, specifying the detailed rules that Information Registers need to comply with.
More importantly, this ESAs decision does not appear to leave any room for deviation or for a risk-based approach with respect to the collection of Information Registers. Both the AFM and DNB previously indicated that they would collect Information Registers using a risk-based approach. However, national competent authorities need to collect Information Registers from all entities in scope of DORA.
The ESAs have provided guidance to financial entities for setting up Information Registers, and urge them to continue working on completing their risk registers. We will discuss these aspects in more detail below.
Background
Each financial entity in scope of DORA must ensure that its register of information is available from 17 January 2025 onwards. In industry meetings, the AFM and DNB, the Dutch competent authorities supervising DORA, initially indicated that they would start collecting registers of information shortly after this date and on a "risk-based" basis, meaning that they would focus their requests on the entities under their supervision posing the most material risk. In light of the recent ESAs decision, on 6 December, the AFM officially announced that it will formally request all entities in scope of its supervision and in scope of DORA to submit their Information Registers to the AFM immediately after 17 January 2025.
Timelines
Although the exact timeline for delivery of the registers by financial entities is not yet completely clear, this will likely not be any later than the end of March 2025, considering that the AFM and DNB themselves need to submit the registers to the ESAs by 30 April 2025 at the latest. A relevant factor is that the AFM and DNB need to ensure that the relevant data has undergone quality checks and is in conformity with the requirements set out in the draft implementing technical standards on the Register of Contracts.
The deadline of 30 April 2025 specified by the AFM matches the date specified by the ESAs in article 5(2)(a) of their decision of 8 November 2024 (the "ESAs Decision"). In the ESAs Decision, the ESAs indicated that submission has to occur through the EUCLID data system operated by the European Banking Authority. Moreover, the ESAs Decision does not leave room for a risk-based approach as hinted at by DNB and AFM. In its publication, the AFM is clear that its information requests will be addressed to all financial entities in scope. All entities subject to DNB supervision and in scope of DORA should expect to provide their Information Register to DNB in March 2023, and should no longer anticipate a risk-based or phased approach by DNB.
Available guidance
The ESAs pointed out that, although the draft implementing technical standards on the registers of information had not yet been adopted by the European Commission, the essential part of the requirements for registers of information has been publicly available since the publication of the ESAs Final Report in January 2024, and that any potential changes in the registers following the rejection by the EU Commission and the subsequent ESAs Opinion on this rejection should be limited. Furthermore, on 2 December 2024 the European Commission published the final Commission Implementing Regulation containing the implementing technical standards concerning the mandatory templates for the Information Register. This document will enter into force on 22 December 2024, the twentieth day after its publication in the Official Journal.
The ESAs encourage financial entities to prepare their Information Registers as far in advance as possible, especially for information which may not be immediately available (e.g. the relevant identifiers of their ICT providers).
To support financial entities, the ESAs refer to the available materials and templates previously shared with the sector as part of the May 2024 voluntary dry run on risk registers. The ESAs also provide Validation Rules. National competent authorities and financial entities can use these validation rules to check the quality of draft risk registers. In addition, the ESAs will host an online Workshop on 18 December (10:00-13:00 CET), in which they will present the outcome of the Dry Run exercise. You can register to attend this ESAs Workshop here.
How Houthoff can support you
If you are in scope of this obligation, you now have approximately one month until DORA compliance becomes mandatory and approximately three months remaining to prepare for submission of your Information Register to the competent regulator. Houthoff has ample experience in various DORA implementation projects, working both for international and Dutch financial entities and for ICT service providers. Should you require any support with respect to the Information Register or the correct interpretation of any of the applicable legislation and available guidance, or if you require help with any other DORA aspects such as policies and compliant contracts, please do not hesitate to contact our IT and Financial Regulatory Team.