The time has come: the two-year transitional period since the entry into force of DORA on 16 January 2023 has expired, and DORA has applied since 17 January 2025. The financial firms and ICT third-party service providers affected must now meet the new requirements introduced by DORA. Financial firms must measure their digital operational resilience against the provisions of DORA. DORA comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (so-called RTS). The RTS create uniform standards across the EU, so that all affected financial firms throughout the Union must meet the same requirements. This is intended to strengthen the freedom of establishment and the digital operational resilience of the entire European financial market. DORA addresses ICT risks by setting out specific requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of risks associated with the use of third-party ICT service providers. BaFin has already stated on several occasions that there will be no further transition period after the two-year transition period. This means that financial companies must already fulfil the DORA requirements. But what about the specific reports and notifications that financial companies must submit to BaFin? The main focus here lies on the Register of Information, which covers all contractual agreements for the use of ICT services provided by third-party ICT service providers and must be maintained by financial companies as part of their ICT risk management.

What is the DORA Register of Information?

An important part of the DORA regulation is the requirement for financial firms to establish sound management of third-party ICT risk. This includes, for example, a strategy for managing ICT third-party risk and, optionally, a strategy for using multiple ICT providers. In addition, guidelines must be created for the use of ICT third-party services, in particular for ICT services that support critical or important functions. The Register of Information is also a key component of ICT third-party risk management. Financial companies must maintain this Register of Information for all contractual agreements for the use of ICT services provided by third-party ICT service providers. A distinction must be made between ICT services that support critical or important functions and those that do not. The requirements for the Register of Information (RoI) are specified in detail by the Regulation on implementing technical standards with regard to standard templates for the Register of Information (ITS RoI). Financial undertakings must provide the competent authority (in Germany, BaFin) with the complete Register of Information or, upon request, certain parts of this register, together with all information deemed necessary for the effective supervision of the financial undertaking. BaFin has now announced that it will require financial companies to submit the Register of Information to BaFin for the first time by 11 April 2025 at the latest. To this effect, BaFin published a series of articles on its website just a few days ago. The background to this is that BaFin must transmit the Registers of Information to the European Supervisory Authorities by 30 April 2025 so that they can classify the third-party ICT service providers requiring supervision as critical ICT service providers within the meaning of DORA, which are subject to special supervision under DORA.

How Should the Register of Information be Submitted in Accordance with the Regulation?

For financial companies that have already completed the implementation of DORA, submitting the Register of Information to BaFin should not pose a problem. Financial companies that have not yet fully adapted to the DORA requirements should not panic either, but should quickly start creating the Register of Information so that it is ready as soon as BaFin requests it. In a recently published article, BaFin also called on the financial companies concerned to prepare to submit the Registers of Information to BaFin for the first time by no later than 11 April 2025. However, the authority also promised to provide the companies with close support until then and to try to clarify as many open questions as possible. BaFin has published detailed information on its website. The Registers of Information are transmitted to BaFin via BaFin's reporting and publication platform (MVP). When creating the registers, financial companies must follow the guidelines of the European Supervisory Authorities (ESAs). The registers are to be submitted as structured files that correspond to the taxonomy specified by the ESAs. In order to make the conversion easier for smaller financial companies in particular, BaFin plans to provide a special Excel template on its website in the near future. This template can then be used by financial companies instead of a structured file, provided that the prescribed structure of the Excel template is strictly adhered to. As an alternative to submitting the Register of Information as a structured file, financial companies should thus be able to submit the completed Excel template via the MVP. It is also essential for companies that plan to apply to BaFin for a licence to operate as a financial service provider in the near future to ensure that the requirements of DORA have been implemented. This is the best way to avoid delays in the processing of the licence application. The requirements of DORA are very complex. However, they do not fundamentally differ from the requirements that BaFin had already placed on financial companies prior to the entry into force of DORA. Provided that a solid information security management system (ISMS) already exists within the company, the adjustments should be implementable quickly in most cases.

Attorney Anton Schröder

I. https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.