- Question ID
-
2024_7098
- Legal act
- Regulation (EU) No 2022/2554 (DORA Reg)
- Topic
- ICT third-party risk management
- Article
-
28
- Paragraph
-
3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
/
- Type of submitter
-
Credit institution
- Subject matter
-
Scope of Register of Information for Contractual Arrangements on the use of ICT Services Provided by ICT Third-party Service Providers
- Question
-
According to Article 28(3) of DORA, must an EU parent bank, which has subsidiaries both within and outside the EU, maintain the register of information regarding all contractual arrangements for the use of ICT services only for subsidiaries that are subject to DORA (financial entities established in the EU), or does this requirement extend to subsidiaries established outside the EU for which DORA does not apply?
- Background on the question
-
Article 28(3) of DORA requires financial entities, as part of their ICT risk management framework, to maintain and update a register of information regarding all contractual arrangements for the use of ICT services provided by ICT third-party service providers at the entity level, and at sub-consolidated and consolidated levels. The bank seeks clarification on whether the EU parent bank must maintain this register only for subsidiaries based in the EU that are subject to DORA, or also for subsidiaries based outside the EU for which DORA does not apply.
If the parent bank were required to maintain the register for subsidiaries based outside the EU, it would face several challenges. These include increased administrative burden and complexity in managing compliance across different regulatory regimes. In these non-EU countries, ICT service providers are not bound by DORA, which adds another layer of complexity.
- Submission date
- Final publishing date
-
- Final answer
-
Answer already provided as part of the frequently asked questions (FAQ) about the preparation and the reporting of the registers of information of contractual arrangements with the ICT third-party providers that financial entities need to maintain in accordance with Article 28(3) of Regulation (EU) 2022/2554 (DORA) and as specified in the Commission Implementing Regulation (EU) 2024/2956 (ITS on the registers of information).
The scope of the registers of information held at the sub-consolidated and consolidated basis should reflect all financial entities and their branches that belong to their consolidation scope in accordance with both Directive 2013/34/EU and the relevant sectorial Union legislation.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.