Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&A's

Definition of ICT service

If a supplier must provide an ICT Service to fall under DORA, how should we determine what qualifies? Should we rely on the DORA regulation’s definition of an ICT Service, or should we use the Annex 3 list (S01-S19) from the ITS Register of Information?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Dora agreements - ICT service supports a CIF

When an ICT Service supports a Critical and Important Function (CIF) within a financial entity, providers must sign DORA agreements with their suppliers if the supplier: a)     Provides an ICT Service (as per the DORA definition). b)     Critically underpins the ICT Service, meaning its disruption could affect security or continuity (based on ITS on Register of Information, Article 3(2)(b)). Is this interpretation correct? Or must DORA agreements be signed with all critical suppliers, even those that do not provide ICT Services?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Register of ICT Services

Are these listed listed types of ICT-services (e.g., S07, S11, S12) covered under DORA’s definition of ICT Services? If not, can, e.g., facilities or infrastructure that do not include data or digital elements be excluded from this definition?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Definition of landline services

What are landline services in this context? Could it include fiber optics (e.g., black fiber)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Instructions for completing the register of information-Functions identification-Licenced activity

In the specifications of the DORA Register of Information file, in sheet B0601 for insurance and reinsurance undertakings, the list of values "List of possible values for all data fields with drop-downs (updated 3 March 2025)" appears, which does not include classes 17 ("Legal Expenses Insurance") and 18 ("Assistance"). Please inform us how these activities should be declared in the column "Licensed activity B06_01_0020".

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Obligation to maintain a register of information for FEs exempt under article 16

 Are financial entities, which according to article 16(1) in DORA are excluded from application of Articles 5 to 15, also are excluded from application of article 28 of DORA?    

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

How to fill the refPeriod field of the parameters.csv file for the DORA register of information

As part of the DORA register of information packaging process, we are required to include a parameters.csv file that contains a refPeriod field. Could you please confirm what specific date should be used for the refPeriod?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Exist a definition of information security standards

In DORA Article 28 (5), reference is made to "appropriate information security standards" and "of the most up-to-date and highest quality information security standards". Is There a definition of which standards are applicable here, or can credit institutions define the desired requirements themselves?"

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Correct classification of services related to the 'reselling' of software provided in SaaS mode

With reference to the correct identification of the type of ICT services, taking into account the types contained in ANNEX III of Regulation (EU) 2024/2956, how should services related to the 'reselling' of software provided in SaaS mode be classified?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Definition of financial counterpart

Can you confirm whether our interpretation of the notion of ‘financial counterpart’ is correct?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Register of Information Taxonomy reporting vs ITS on Register of Information

In the industry workshop of 18 of December 2024, which was a summary of Dry Run, it was stated that the reporting taxonomy provided shall be used for the reporting , while the current DORA 4.0 validation rules does not follow the instructions provided in the ROI ITS. We kindly ask you to confirm if the reporting shall follow the DORA 4.0 validation rules despite the mismatch with the ROI ITS. Differences between the law and the taxonomy: Requirement in Law Requirement in Taxonomy Additional question   B_01_01_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-2"     B_01_02_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-12"   B_02.03 does not include an extra column c0030 b_02.03 has a column c0030, that is required to be filled out What is the extra column used for? B_03.01 does not include an extra column c0030 b_03.01 has a column c0030, that is required to be filled out What is the extra column used for? B_03.03 does not include an extra column c0031 b_03.03 has a column c0031, that is required to be filled out What is the extra column used for? B_04.01 clarifies that column c0040 is only mandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030) B_04.01 column c0040 is mandatory. Which also requires at least 1 branch in B_01.03. What should be reported if a reporting entity does not have any branches? Should both B_01.03 and B_04.01 be empty. Or? B_05.01 c0030 & c0040 is optional B_05.01 c0030 & c0040 is required when c0070 = Legal person, excluding individual acting in a business capacity   B_05.01 c0110 is mandatory if the ICT-third party service provider is not the ultimate parent undertaking B_05_01_0110 is mandatory all the time according to the DPM   B_05.02 column c0060 & c0070 is mandatory, but not applicable for rank 1. An empty value should be reported if rank = 1  B_05.02 column c0060 & c0070 is always required. What should be reported in c0060 & c0070 if the rank = 1? B_01_01_0050 is mandatory in case of reporting B_01_01_0050 is always mandatory   B_01_01_0060 is mandatory in case of reporting B_01_01_0060 is always mandatory   B_01_02_0060 is mandatory B_01_02_0060 is optional in DPM   B_02_01_0030 is mandatory B_02_01_0030 is optional in DPM   B_02_02_0040 is mandatory B_02_02_0040 is optional in DPM   B_02_02_0130 is mandatory if the ICT service is supporting a critical or important function B_02_02_0130 is optional in DPM   B_02_02_0140 is mandatory if the ICT service is supporting a critical or important function B_02_02_0140 is optional in DPM   B_02.02.0150 is mandatory if Yes is reported in c0140 B_02.02.0150 is mandatory in DPM   B_02.02.0160 is mandatory if the ICT service is based on or foresees data processing B_02.02.0160 is mandatory in DPM   Additional to the question above: If changes will be made to the Taxonomy, when will these be made available? Do you foresee to apply changes to solve the aforementioned mismatch? If so, can you please share when this is expected to be done? If the current Taxonomy, DORA 4.0, must be followed for reporting, can we expect that all local authorities are required to accept the Register of Informations in the format aligned with the Taxonomy? We have experienced differences while doing a mock exercise to submit the reports to local authorities from the reporting technical package. To our knowledge, these discrepancies shall not exist and the national authorities to which entities have to report to are required to accept files that follow the reporting technical package. In this scenario, what actions can we expect to be taken?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Validation rule v8821_m

The validation rule defines that in the event that column 020 of the template is valorised with the identification code indicating LEI code (eba_qCO:qx2000) then column 030 must be valorised with a LEI code.In reality, column 020 indicates the type of code to identify the third-party ICT service provider indicated in column 010. Consequently, shouldn't the validation rule be correct that the check should be made on column 010 and not 030?  

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Part 2 – Template specific instructions to template B_06.01

Data point B_06.01.0050 is missing from the official ITS templates. Is this data point no longer applicable?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Regulatory technical standards - subcontracting ICT services supporting critical or important functions

Where and when was the Comission Delegated Regulation (EU) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554 oficially published? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ANNUAL REPORT ON NEW ARRANGEMENTS ON THE USE OF ICT SERVICES

Does Article 28(3) DORA require a separate and specific communication in addition to the Register of Information, or whether the communication of such data is already fulfilled through the annual submission of the same Register, constituting a single compliance obligation? In the event that a separate communication is required in addition to the annual submission of the Register of Information, what is the meaning of the term 'categories of third-party ICT service providers'?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

The scope of the regulation described in Article 6 mismatches what is presented as an option in the Annex I, Part 2 of the same regulation

Do financial entities must include non-financial entities within the same group in the Register of Information? If not, why is there an option to do so?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Applicability of Regulation (EU) 2022/2554 (DORA) to ICT services provided by financial entities.

Clarification is needed on whether financial institutions providing ICT services to other financial institutions – regardless of whether these services are ancillary to regulated financial activities – can be qualified as ICT third-party service providers under Regulation (EU) 2022/2554. If they are, must their contractual relationships comply with the mandatory provisions outlined in Article 30 of the mentioned Regulation or are these requirements inapplicable since such entities are already authorised/licenced/registered? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Template specific instructions – primary keys

How to report data fields in case of missing values?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_05.02.0060 (Identification code of the recipient of sub-contracted ICT services)

How to report data field B_05.02.0060 if the ICT third-party service provider is a direct provider (rank =1)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_05.01.0020 (Type of code to identify the ICT third-party service provider)

How to report type of identification code in data field B_05.01.0020 when using codes other than LEI or EUID?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information