2025_7362 Register of Information Taxonomy reporting vs ITS on Register of Information

Question ID

2025_7362

Legal act

Regulation (EU) No 2022/2554 (DORA Reg)

Topic

ICT third-party risk management

Article

Paragraph

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Regulation (EU) 2024/2956 - ITS on the register of information

Article/Paragraph

ANNEX I

Name of institution / submitter

Formalize ApS

Country of incorporation / residence

Denmark

Type of submitter

Other

Subject matter

Question

In the industry workshop of 18 of December 2024, which was a summary of Dry Run, it was stated that the reporting taxonomy provided shall be used for the reporting , while the current DORA 4.0 validation rules does not follow the instructions provided in the ROI ITS. We kindly ask you to confirm if the reporting shall follow the DORA 4.0 validation rules despite the mismatch with the ROI ITS.

Differences between the law and the taxonomy:

Requirement in Law	Requirement in Taxonomy	Additional question
	B_01_01_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-2"
	B_01_02_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-12"
B_02.03 does not include an extra column c0030	b_02.03 has a column c0030, that is required to be filled out	What is the extra column used for?
B_03.01 does not include an extra column c0030	b_03.01 has a column c0030, that is required to be filled out	What is the extra column used for?
B_03.03 does not include an extra column c0031	b_03.03 has a column c0031, that is required to be filled out	What is the extra column used for?
B_04.01 clarifies that column c0040 is only mandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030)	B_04.01 column c0040 is mandatory. Which also requires at least 1 branch in B_01.03.	What should be reported if a reporting entity does not have any branches? Should both B_01.03 and B_04.01 be empty. Or?
B_05.01 c0030 & c0040 is optional	B_05.01 c0030 & c0040 is required when c0070 = Legal person, excluding individual acting in a business capacity
B_05.01 c0110 is mandatory if the ICT-third party service provider is not the ultimate parent undertaking	B_05_01_0110 is mandatory all the time according to the DPM

B_05.02 column c0060 & c0070 is mandatory, but not applicable for rank 1. An empty value should be reported if rank = 1	B_05.02 column c0060 & c0070 is always required.	What should be reported in c0060 & c0070 if the rank = 1?
B_01_01_0050 is mandatory in case of reporting	B_01_01_0050 is always mandatory
B_01_01_0060 is mandatory in case of reporting	B_01_01_0060 is always mandatory
B_01_02_0060 is mandatory	B_01_02_0060 is optional in DPM
B_02_01_0030 is mandatory	B_02_01_0030 is optional in DPM
B_02_02_0040 is mandatory	B_02_02_0040 is optional in DPM
B_02_02_0130 is mandatory if the ICT service is supporting a critical or important function	B_02_02_0130 is optional in DPM
B_02_02_0140 is mandatory if the ICT service is supporting a critical or important function	B_02_02_0140 is optional in DPM
B_02.02.0150 is mandatory if Yes is reported in c0140	B_02.02.0150 is mandatory in DPM
B_02.02.0160 is mandatory if the ICT service is based on or foresees data processing	B_02.02.0160 is mandatory in DPM

Additional to the question above:

If changes will be made to the Taxonomy, when will these be made available? Do you foresee to apply changes to solve the aforementioned mismatch? If so, can you please share when this is expected to be done?
If the current Taxonomy, DORA 4.0, must be followed for reporting, can we expect that all local authorities are required to accept the Register of Informations in the format aligned with the Taxonomy?
We have experienced differences while doing a mock exercise to submit the reports to local authorities from the reporting technical package. To our knowledge, these discrepancies shall not exist and the national authorities to which entities have to report to are required to accept files that follow the reporting technical package. In this scenario, what actions can we expect to be taken?

Background on the question

We provide a solution that helps clients in the financial European environment comply with DORA requirements.

We are currently preparing for the submission of Register of Information for many of our clients. In the process we have noticed differences between the Reporting framework 4.0 for DORA and the Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information (going forward ROI ITS)

Submission date

28/02/2025

Rejected publishing date

05/05/2025

Rationale for rejection

This question has been rejected because the matter it refers to has been answered in the Frequently Asked Questions on the Reporting of registers of information under DORA.

Status

Rejected question

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre