The European Supervisory Authorities (ESAs) – made up of the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) – have published a decision regarding information and communications technology (ICT) third-party service providers (CTPPs) designated as critical under the Digital Operational Resilience Act (DORA). It calls upon competent authorities to report the registers of information of these service providers used by the financial entities under their supervision.
The decision draws out a general framework “for the annual reporting to the ESAs of the information necessary for the CTPP designation”. Included in the framework are frequency and reference dates; timelines; general procedures for the submission of information; quality assurance and revisions of submitted data; as well as confidentiality and access to information.
Prepare early
Atypically, the decision has been published before the EU Commission has adopted the implementing technical standards (ITS) on the registers of information. However, given that the “essential part of the requirements” has been publicly available since the ESAs Final Report was published in January 2024, potential changes in the registers are deemed “limited”. Thus, the ESAs “encourage financial entities to anticipate as much as possible the preparation of their registers, especially for information which may not be immediately available”, such as the relevant identifiers of their ICT providers.
DORA will come into force on 17 January 2025, following which the ESAs and competent authorities will start their oversight of critical ICT third-party service providers. The deadline for submitting the registers of information is 30 April 2025. Organisations that wish to learn more about preparing their registers of information may sign up for the information workshop that will be held on 18 December 2024.