EU Authorities Signal DORA Reporting Progress On Track

December 19, 2024

The European supervisory authorities (ESAs) have said that the EU financial sector is on track to comply with its reporting obligations under the Digital Operational Resilience Act (DORA).

In a new report on their 2024 dry-run exercise, EU financial regulators have revealed that achieving high-quality reporting for Registers of Information (RoI) by the 2025 deadline is “within reach”.

Since April, the ESAs have been supporting financial entities in their preparations for setting up and reporting their RoIs in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

As covered by Vixio, this was anticipated to be one of the more onerous elements of compliance with the act. 

The dry run exercise allowed for the testing of the reporting processes in an environment as close as possible to the upcoming first iteration of the official reporting in 2025.

At that time, the EU’s financial watchdogs will begin to use the RoIs for the purposes of designation of critical third-party providers, bringing them under their oversight.

The exercise involved nearly 1,000 financial entities from across the EU and assessed the completeness and accuracy of their submissions.

According to the ESAs, 6.5 percent of the submitted registers passed all 116 data quality checks, while 50 percent of the remaining submissions required fewer than five corrections.

Financial entities from 27 member states overseen by 40 competent authorities took part in the dry run exercise.

Of these entities, 27 percent were credit institutions and 23 percent were insurance/reinsurance firms.

However, there were also contributions from other sectors, including the payments sector.

Payment institutions made up 5 percent of the total, electronic money institutions (EMIs) 3 percent and crypto-asset service providers 1 percent.

Geographically, firms based in Austria, Malta and Hungary made the highest number of submissions to the exercise.

Outcomes for financial institutions

The data quality assurance process involved two stages: integration checks, followed by a series of 116 detailed data quality checks.

More than 93 percent of submissions had at least one data quality issue, with some submissions failing up to 43 checks. 

Payment institutions had 1,877 failed checks, an overall 3 percent failure rate, while electronic money institutions had 1,073 failed checks at 2.5 percent.

Overall, there were 235,000 failed checks across more than 9m data points, representing a 2.5 percent failure rate.

Going forward, the ESAs have now called on financial entities and national competent authorities to build on the lessons learned from the dry run, stating that the ability to identify and rectify errors efficiently is critical to achieving high-quality data standards.

“Contrary to the dry run exercise that was run on a ‘best efforts’ basis, and financial entities were able to submit partial registers with mandatory data fields missing, this would not be possible in the official reporting from 2025,” the report notes. 

Entities are also encouraged to familiarise themselves with the final Implementing Technical Standards (ITS) and ensure that their RoI includes all required information.

Additionally, the report highlights the importance of robust communication channels.

It states, for example, that authorities that relied solely on manual processes during the dry run faced delays in accessing feedback.

The ESAs, therefore, urged all parties to adopt secure file transfer protocol (SFTP) channels to ensure smooth information exchange in the official reporting phase.

ESAs' lessons

The dry run exercise not only tested the readiness of financial entities but also provided invaluable insights for the ESAs.

As a result, several key improvements and recommendations were identified to enhance the reporting process for DORA.

One significant improvement is the simplification of reporting instructions. The ESAs have revised their reporting standards, introducing clarifications and adjustments to streamline data submission processes and reduce complexity for financial entities.

Another advancement is the introduction of an enhanced validation process. The updated reporting system will incorporate a two-stage data quality assurance framework, with the first stage focusing on technical checks to ensure correct formatting, file structure and adherence to naming conventions.

Once submissions pass these checks, the second stage validates the data's accuracy and consistency by cross-referencing it with external sources, such as the Global Legal Entity Identifier Foundation (GLEIF).

Lastly, the ESAs emphasise the mandatory use of unique identifiers, particularly legal entity identifiers (LEIs), stating that financial entities must ensure that both they and their third-party ICT service providers (TPPs) are uniquely identified in their submissions. 

Registers that fail to include this crucial information will either be rejected outright or will require resubmission.
