Pursuant to the provisions of Chapter V, Section I, Article 28, Paragraph 3 of the DORA Regulation states:

“Financial entities shall communicate at least once a year to the competent authorities the number of new agreements for the use of ICT services, the categories of third-party ICT service providers, the type of contractual arrangements, and the ICT functions and services provided”.

Article 28(3) specifies the obligation to report annually the number of new agreements with ICT suppliers, their categories, the type of contracts and the ICT services provided.

However, some questions of interpretation remain open, including:

• The nature of the reporting: it is unclear whether this obligation should be considered a separate fulfilment from the annual submission of the Information Register, which already includes details on ICT suppliers and contracts.

  For example, if a financial entity enters into 10 new ICT contracts with different suppliers in a year, these contracts will be included in the Information Register. It remains to be clarified whether separate reporting is also required and, if so, how to correctly categorise suppliers.

• The definition of ‘categories of third-party ICT service providers’: the Regulation does not specify whether this term refers to standardised classifications (e.g. cloud providers, data centres, cybersecurity) or to criteria defined independently by financial entities, and no further evidence was found on this.

  For example, in the case where a financial entity enters into a new contract with a cloud provider for the storage of critical data, the question arises as to which category should be used to classify this provider, whether generically ‘cloud provider’ or another category not explicitly defined.