.svg)
Q&As from the European Banking Authority (EBA) have clarified issues regarding the Digital Operational Resilience Act (DORA), as national competent authorities prepare for the upcoming register of information deadline.
New clarifications, published on March 28, 2025, address uncertainties around several key data fields that firms must complete in their register of information submission.
A key component of DORA, which became operational on January 16, 2025, is the requirement for financial entities to maintain a register of information.
This register serves as a detailed inventory of all contractual arrangements with information and communication technology (ICT) third-party service providers, so that financial institutions have a clear understanding of their external dependencies and can effectively manage associated risks.
The European supervisory authorities (ESAs), comprising the EBA, the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), have set a deadline of April 30, 2025 for the submission of these registers.
National competent authorities are expected to collect the registers from financial entities ahead of this deadline, while following their own specified timelines for submission.
The new Q&As cover issues such as how to handle missing values in mandatory fields in the register of information inventory.
For example, if a field is required but not relevant to the entity, firms should report 鈥淣ot Applicable鈥 rather than leaving it blank.
In addition, some fields are marked as primary keys, meaning they cannot be left empty. Firms must follow the specific instructions for each field to avoid data quality issues.
Correcting an error
Part of the Q&A a numbering error in the official ITS templates for template B_06.01. The data point B_06.01.0050 (Criticality or importance assessment) was missing from the published ITS templates but is included in the data model.
Firms have been advised that they should refer to the numbering in the Reporting Technical Package v4.0 for accurate reporting.
The corrected sequence includes:
- B_06.01.0050 鈥 Criticality or importance assessment
- B_06.01.0060 鈥 Reasons for criticality or importance
- B_06.01.0070 鈥 Date of the last assessment of criticality or importance
- B_06.01.0080 鈥 Recovery time objective of the function
- B_06.01.0090 鈥 Recovery point objective of the function
- B_06.01.0100 鈥 Impact of discontinuing the function
Mandatory reporting fields
The Q&As provided by the EBA are highly technical and reveal just how prescriptive the expectations with DORA are.
One of the primary clarifications concerns field , which requires entities to report their 鈥淗ierarchy of the financial entity within the group鈥.
Although the phrase 鈥渨here applicable鈥 features in the field name, the EBA has confirmed that this field must be completed by all entities, including non-financial ones, and that firms should disregard the optionality implied by the title and select the highest applicable option from the drop-down menu.
Another significant update relates to field , which asks for the Legal Entity Identifier (LEI) of the direct parent undertaking. If an entity does not have a parent 鈥 either because it reports on an individual basis or is the parent itself 鈥 it must repeat its own LEI in this field.
ICT services reporting requirements
Several clarifications were also provided on reporting requirements related to ICT services in the register of information.
For example, for field (Country of the governing law of the contractual arrangement), firms have been advised to select the newly introduced 鈥淣ot Applicable鈥 option if the ICT service does not support a critical or important function, rather than leaving the field blank.
Similarly, the EBA has clarified that field (Country of storage of the data) is mandatory when the ICT service involves data storage, and if the data storage is not applicable, entities must use the 鈥淣ot Applicable鈥 option.
For field (Location of management of the data), meanwhile, firms cannot leave the field empty if the ICT service does not involve data processing.
Rather, they must select 鈥淣ot Applicable鈥, in line with the updated guidance.
Meanwhile, for entities that are not operating as a branch, the EU has clarified the requirement for field (Identification code of the branch), stating that although this field was initially mandatory only for branches, it is a primary key in the data model and cannot be left empty.
Instead, the EBA has said that entities that are not branches should now report 鈥淣ot Applicable鈥 in this field.
Third-party identification codes
For field (Type of code to identify the ICT third-party service provider), entities must select from a predefined set of values and exclude the country code.
Acceptable identification types include LEI, EUID, corporate registration number (CRN), VAT number, passport number (PNR) and national identity number (NIN).
For field (Identification code of the recipient of sub-contracted ICT services), if an ICT third-party service provider is a direct provider (rank = 1), this field must contain the same value reported in B_05.02.0030 rather than being left blank.
