ESAs respond to the European Commission’s rejection of the technical standards on registers of information under DORA and call for swift ado

15 October 2024

The ESAs raise concerns over the impacts and practicalities of the proposed EC changes to the draft ITS on the registers of information in relation to financial entities’ contractual arrangements with ICT third-party service providers.

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today issued an Opinion on the European Commission’s (EC) rejection of the draft Implementing Technical Standards (ITS) on the registers of information under the Digital Operational Resilience Act (DORA). 

The draft ITS proposed by the ESAs were rejected by the EC on the grounds that it is necessary to allow financial entities the choice of identifying their ICT third-party service providers registered in the EU either by using the Legal Entity Identifier (LEI) or by using the European Unique Identifier (EUID). 

In the ESAs’ view, the EC’s proposal of adding an additional identifier, allowing EU-based companies to use the EUID, will cause unnecessary complexity and could have negative impacts on the implementation of DORA by financial entities, competent authorities and the ESAs. 

The ESAs note that, although the EUID is available free of charge to EU-registered companies, its introduction in the registers of information would entail unforeseen implementation and maintenance efforts for the financial entities. In particular, it would limit the access to and the possibility for verification of the information by the financial entities and competent authorities. This would lead to a potential increase in the overall reporting burden for financial entities in the context of DORA. In addition, the coexistence of two identifiers could bring additional complexity that would negatively impact the quality of data used, and risk delays in the designation of critical ICT third-party service providers (CTPPs) by the ESAs.

If the EC decides to proceed with the introduction of the EUID, despite the above concerns, additional changes to the draft ITS will be necessary. The Opinion indicates how the draft ITS should be adapted further to cater for the use of the EUID. Without these changes, the ITS could not be practically applied for a proper identification of the ICT third-party service providers, which would negatively impact the designation of CTPPs. The ESAs also note that in the case of co-existence of both LEI and EUID, the financial entities should be given the preference for using LEI, especially where both identifiers are available to them, and for the case of groups, it is important to ensure homogeneity in the registered identification codes for all ICT third-party service providers....

 more at EIOPA

© EIOPA