ESAs set timetable for DORA register

As firms race to comply with the EU’s Digital Operational Resilience Act, the European Supervisory Authorities have clarified their expectations on a key aspect of the regime. DORA requires financial entities to collate information about the ICT services they receive. In a new decision, the ESAs say they want to see firms’ registers of this information by 30 April 2025.

In their decision the ESAs:

• Acknowledge that the technical standards which provide templates for the register of information have not yet been adopted by the Commission
• Note that – despite the delay in finalising the text – national regulators and financial entities have had substantial time to prepare and that firms should “anticipate as much as possible” the preparation of their registers
• Request that national regulators share registers with the ESAs as soon as possible and no later than 30 April 2025

In practice this means that national regulators will ask firms to submit their registers to them before this date. The Central Bank of Ireland, for example, has requested registers in the first week of April 2025. 

The ESAs will use the data from the register to inform which ICT third party service providers should be designated as “critical” to the EU financial system. DORA – which starts to apply on 17 January 2025 – establishes an oversight framework for critical ICT third party service providers. The first designations are expected in H2 2025.

Client subscribers to the Linklaters knowledge portal can catch up on our recent webinar: What lawyers need to know about the DORA register