The European Commission has adopted implementing technical standards on the register of information under the EU’s Digital Operational Resilience Act. DORA starts to apply next month and so EU financial entities will welcome having this important aspect of the rulebook finalised. Other rules, however, remain outstanding.
As of 17 January 2025, when DORA takes effect, EU financial entities must maintain a register of information about their use of third-party ICT services. The European Supervisory Authorities were tasked with developing standardised templates for the register. They consulted on draft ITS last year, published a final report in January, and – after a back-and-forth with the Commission – issued a revised report in October.
The final text adopted by the Commission is consistent with the ESAs’ October edit. This means that, for example, the Commission will allow financial entities to identify EU ICT third-party service providers on the register using an EUID rather than a legal entity identifier (LEI). It also means that recital 7 – which, in the ESAs’ original draft, had sparked several debates – has been clarified.
Firms can now put the final touches to their DORA registers. The ESAs recently confirmed that they will want national regulators to share the registers with them by the end of April 2025.
The ITS is not the last piece of the DORA puzzle to be finalised. The Commission and ESAs are still working on technical standards relating to subcontracting and threat-led penetration testing.