- Question ID
- 2025_7468
- Legal act
- Regulation (EU) No 2022/2554 (DORA Reg)
- Topic
- Other DORA topics
- Article
- 28
- Paragraph
- 3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
- 0
- Type of submitter
- Consultancy firm
- Subject matter
- ANNUAL REPORT ON NEW ARRANGEMENTS ON THE USE OF ICT SERVICES
- Question
Pursuant to the provisions of Chapter V, Section I, Article 28, Paragraph 3, of the DORA Regulation, which states:
“Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.”,
we kindly request clarification on whether this provision requires a separate and specific communication in addition to the Register of Information, or whether the communication of such data is already fulfilled through the annual submission of the same Register, constituting a single compliance obligation.
In the event that a separate communication is required in addition to the annual submission of the Register of Information, we kindly request clarification on the meaning of the term "categories of third-party ICT service providers" as mentioned in Chapter V, Section I, Article 28, Paragraph 3 of the DORA Regulation.
- Background on the question
Article 28(3) specifies the obligation to report annually the number of new agreements with ICT suppliers, their categories, the type of contracts and the ICT services provided.
However, some questions of interpretation remain open, including:
- The nature of the reporting: it is unclear whether this obligation should be considered a separate fulfilment from the annual submission of the Register of Information, which already includes details on ICT suppliers and contracts.
  For example, if a financial entity enters into 10 new ICT contracts with different suppliers in a year, these contracts will be included in the Register of Information. It remains to be clarified whether separate reporting is also required and, if so, how to correctly categorise suppliers.
- The definition of "categories of third-party ICT service providers": the Regulation does not specify whether this term refers to standardised classifications (e.g. cloud providers, data centres, cybersecurity) or to criteria defined independently by financial entities, and no further evidence was found on this.
  For example, in the case where a financial entity enters into a new contract with a cloud provider for the storage of critical data, the question arises as to which category should be used to classify this provider, whether generically "cloud provider" or another category not explicitly defined.
- Submission date
- Rejected publishing date
-
- Rationale for rejection
- This question has been rejected because the matter it refers to is answered in Q&A DORA 170 (EBA 2025_7309).
- Status
- Rejected question