On 17.01.2024, the three European Supervisory Authorities (ESAs: EBA, ESMA and EIOPA) published the final version of the Register of Information. Following formal approval by the European Commission, completing, maintaining and reporting the information register will be mandatory for financial institutions within the scope of DORA (Regulation (EU) 2022/2554).
Background and purpose of the information register
Article 28 (3) of Regulation (EU) 2022/2554 (DORA) requires financial institutions (FIs), as part of their ICT risk management framework, to maintain and update a register of information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers, at the individual, sub-consolidated and consolidated levels. FIs must also make the information register, and all information necessary for effective supervision, available to the competent authorities so that they can understand the ICT dependencies of FIs and support the oversight framework for critical ICT third-party service providers.
To meet these requirements, an information register consisting of 15 templates with over 100 attributes was created. It serves the following purposes:
a. Collection of the minimum necessary information about the contractual arrangements and the assessment of the associated risks for financial institutions.
b. Documentation of the entire supply chain (outsourcing chain) for ICT services, focusing on subcontractors of ICT services that support a critical or important function or significant parts of it.
c. Clear identification of ICT service providers and consistent allocation to the service-receiving FIs, so that relevant information can be aggregated efficiently.
d. Identification of the critical or important (essential) functions provided by ICT service providers, in the following steps:
i. FIs identify all of their operational and business functions. This means that FIs must document their business processes in an up-to-date and consistent way and assign ICT services and outsourcing arrangements to them.
ii. FIs determine which functions are considered critical or important according to their internal assessment and the definition in Article 3 (22) of DORA. This means that the definition in Article 3 (22) must be integrated into the risk analysis and that, at the latest as part of the risk analysis, it is assessed whether the outsourced function is critical or important (this is in line with the definition in EBA/GL/2019/02).
iii. FIs identify all outsourced ICT services (not only the essential ones or those that support critical or important functions).
iv. FIs identify and document their intra-group and external ICT services.
e. Reporting this information to competent authorities.
The information register — a challenge in outsourcing management
There are already numerous requirements for data management and reporting in outsourcing management. For example, both BaFin-supervised and ECB-supervised institutions must maintain different outsourcing registers in order to comply with the reporting requirements of BaFin's MVP portal and the ECB's IMAS portal.
Now an additional register has to be created and maintained alongside these, and it differs in content from the existing outsourcing registers. An institution must therefore maintain at least two outsourcing registers (the outsourcing register according to MVP or IMAS, and the information register), which means increased costs.
Expanding the existing outsourcing register with additional fields from the new information register is not always practical, because the regulatory authorities often expect different content in the two registers for the same fields (such as type of company or service categories).
New requirements for data storage in outsourcing management
Selected requirements of the information register from the final draft are examined in more detail below.
RT.01.02: List of entities within the scope of the register of information
Institutions must maintain an information register that includes all ICT services with service providers both within and outside the supervisory scope of consolidation. This requires the structure of the supervisory consolidation group (group structure) to be integrated into the register. A number of fields must be provided for each company, such as type of company, position in the group hierarchy, the date on which the company was entered in the register, and total assets.
These requirements are new to this extent and result in a multi-dimensional data structure that cannot be managed without an automated technical solution.
RT.05.02: ICT service supply chains
The supervisory authorities expect a complete, gap-free overview of the entire outsourcing chain for every significant ICT service. Although this is not entirely new in itself, the data requirements are more comprehensive, which once again shows how important the issues of sub-outsourcing and concentration risk along the outsourcing chain are. For example, it is necessary to state at which rank the subcontractor sits in the outsourcing chain and whether, and which, alternative service providers have already been identified.
RT.06.01: Functions identification
In addition to general attributes of the outsourced function and of the service recipients, availability indicators such as the RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are required. These must be determined for the affected functions as part of Business Continuity Management (BCM), which requires closer integration with BCM/IT-SCM to ensure data quality.
Summary & outlook
- The information register contains further innovations that usher in a new era of data storage in outsourcing management for financial institutions of all sizes.
- Creating and maintaining the information register will significantly increase outsourcing management costs.
- Neither compliance nor efficiency can be ensured without an appropriate technical solution.