Question ID
2025_7309
Legal act
Regulation (EU) No 2022/2554 (DORA Reg)
Topic
Register of information (DORA)
Article
28
Paragraph
3
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2024/2956 - ITS on the register of information
Article/Paragraph
Not applicable
Type of submitter
Consultancy firm
Subject matter
ANNUAL REPORT ON NEW ARRANGEMENTS ON THE USE OF ICT SERVICES
Question

Does Article 28(3) DORA require a separate and specific communication in addition to the Register of Information, or whether the communication of such data is already fulfilled through the annual submission of the same Register, constituting a single compliance obligation?

In the event that a separate communication is required in addition to the annual submission of the Register of Information, what is the meaning of the term 'categories of third-party ICT service providers'?

Background on the question

Pursuant to the provisions of Chapter V, Section I, Article 28, Paragraph 3 of the DORA Regulation states:

Financial entities shall communicate at least once a year to the competent authorities the number of new agreements for the use of ICT services, the categories of third-party ICT service providers, the type of contractual arrangements, and the ICT functions and services provided”.

Article 28(3) specifies the obligation to report annually the number of new agreements with ICT suppliers, their categories, the type of contracts and the ICT services provided.

However, some questions of interpretation remain open, including:

  • The nature of the reporting: it is unclear whether this obligation should be considered a separate fulfilment from the annual submission of the Information Register, which already includes details on ICT suppliers and contracts.

    For example, if a financial entity enters into 10 new ICT contracts with different suppliers in a year, these contracts will be included in the Information Register. It remains to be clarified whether separate reporting is also required and, if so, how to correctly categorise suppliers.

  • The definition of ‘categories of third-party ICT service providers’: the Regulation does not specify whether this term refers to standardised classifications (e.g. cloud providers, data centres, cybersecurity) or to criteria defined independently by financial entities, and no further evidence was found on this.

    For example, in the case where a financial entity enters into a new contract with a cloud provider for the storage of critical data, the question arises as to which category should be used to classify this provider, whether generically ‘cloud provider’ or another category not explicitly defined.

Submission date
Final publishing date
Final answer

With the aim of ensuring consistency on extractions of data, the ESAs Decision (see ESA 2024 22), requires that competent authorities provide to the ESAs on a yearly basis the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, in accordance with the reporting timelines set out in Article 4 and 5 of said decision. In general, this will fulfill the requirement, and no second specific communication is needed.

In addition to said yearly submission, financial entities shall make available to the competent authority, upon its request, the register of information in accordance with Article 28(3), fourth subparagraph of Regulation (EU) 2022/2554.

Finally, financial entities shall inform the competent authority in a timely manner regarding any planned ICT third party contractual arrangements supporting critical or important functions or if a function supported by ICT third parties becomes critical or important, as per Article 28(3), fifth subparagraph of Regulation (EU) 2022/2554.

Categorization of third-party ICT service providers should be made according to the type of service they provide, using the typology of services laid out in Annex III of Regulation (EU) 2024/2956

Status
Final Q&A
Answer prepared by
Answer prepared by the Joint ESAs Q&A

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.