EU says good-quality DORA registers are within reach

Earlier this year around 1,000 firms took part in a “dry-run” to test the process for reporting registers under the EU’s Digital Operational Resilience Act. Now the European Supervisory Authorities have shared feedback from that exercise. According to the ESAs, registers of sufficient quality are “not out of reach, subject to some additional efforts from the industry”.

Purpose of the DORA register

Financial entities in the scope of DORA need to have a register of their contracts with ICT service providers. These registers will:

1. help firms monitor of ICT third party risks,
2. support national regulators’ supervision of how firms manage those risks, and
3. inform the ESAs’ designation of some ICT service providers as being “critical” to the EU financial system.

Firms must submit their registers to national regulators who then provide them to the ESAs.

Dry-run feedback

The voluntary dry-run exercise allowed firms and the ESAs to test the register reporting process. The ESAs checked for technical integration (e.g. the use of correct file formats) and data quality.

According to the ESAs’ summary report:

• Data quality was far from perfect. 86% of data errors related to missing mandatory information. This was expected given that the ESAs requested that firms take part in the dry-run on a “best efforts” basis.
• Looking ahead to the official reporting process, the DORA register requirements will be applied more strictly. The priority now for firms is to fill in missing data so they can submit complete registers. Missing mandatory information will trigger a request to resubmit the register.
• Another common issue in the dry-run was invalid unique identifiers for financial entities and their ICT service providers. In future, registers with missing identifiers for financial entities will be rejected. Missing identifiers for ICT service providers will be flagged and firms will be told to resubmit.

Next steps

The ESAs provided a technical package of materials to support the dry-run. They plan to release an updated version of some of these tools based on the finalised technical standards for the register before the end of 2024. This package will not, however, include a revised version of an Excel template of the register.

DORA applies from 17 January 2025. The ESAs have already set a deadline for receiving registers from national regulators by the end of April 2025. Firms will need to send their registers to regulators before this date.