DORA: ESAs publish decision on reporting rules for critical ICT providers
18 November 2024 EU
Image: Shawn_Hempel/stock.adobe.com
The European Supervisory Authorities (ESAs) have published a decision on the information that competent authorities must report to them for the designation of critical ICT third-party service providers (CTPPs).
Published under the Digital Operational Resilience Act (DORA), the decision requires competent authorities to report the registers of information on financial entities' contractual arrangements with CTPPs by 30 April 2025.
However, the ESAs say they expect competent authorities to collect the registers of information from the financial entities under their supervision in advance of the deadline, following their own timelines.
“The ESAs encourage financial entities to anticipate as much as possible the preparation of their registers, especially for information which may not be immediately available such as the relevant identifiers of their ICT providers,” says ESMA.
The decision, published on 15 November, provides a general framework for the annual reporting to the ESA of the information necessary for the CTPP designation, including timelines, quality assurance and revisions of submitted data, as well as confidentiality and access to information.
Following DORA's entry into force on 17 January 2025, the ESAs, together with competent authorities, will start overseeing CTPPs offering services to financial entities in the EU.
Alongside the decision, the ESAs also published a list of validation rules that will be used when analysing the registers of information and the visual representation of the data model.
The authorities will also publish an updated reporting technical package, including the validation rules in December 2024.
In order to harmonise financial supervision in the EU, the ESAs published the final report on the draft regulatory technical standards under DORA in July.
Published under the Digital Operational Resilience Act (DORA), the decision requires competent authorities to report the registers of information on financial entities' contractual arrangements with CTPPs by 30 April 2025.
However, the ESAs say they expect competent authorities to collect the registers of information from the financial entities under their supervision in advance of the deadline, following their own timelines.
“The ESAs encourage financial entities to anticipate as much as possible the preparation of their registers, especially for information which may not be immediately available such as the relevant identifiers of their ICT providers,” says ESMA.
The decision, published on 15 November, provides a general framework for the annual reporting to the ESA of the information necessary for the CTPP designation, including timelines, quality assurance and revisions of submitted data, as well as confidentiality and access to information.
Following DORA's entry into force on 17 January 2025, the ESAs, together with competent authorities, will start overseeing CTPPs offering services to financial entities in the EU.
Alongside the decision, the ESAs also published a list of validation rules that will be used when analysing the registers of information and the visual representation of the data model.
The authorities will also publish an updated reporting technical package, including the validation rules in December 2024.
In order to harmonise financial supervision in the EU, the ESAs published the final report on the draft regulatory technical standards under DORA in July.
NO FEE, NO RISK
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities Finance Times
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities Finance Times