.svg)
The European supervisory authorities (ESAs) have confirmed a voluntary dry-run exercise to prepare the financial services industry for the next stage of implementation of the Digital Operational Resilience Act (DORA).
The European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority — jointly known as the ESAs — have announced a voluntary exercise beginning in May on financial entities’ contractual arrangements on the use of ICT third-party service providers.
Under DORA, and starting from 2025, financial entities including banks, payment and e-money institutions and crypto-asset service providers will have to maintain registers of information regarding their use of ICT third-party providers.
In this dry-run exercise, this information will be collected from financial entities through their competent authorities and will serve as preparation for the implementation and reporting of registers of information under DORA.
The exercise is intended to help financial entities prepare for establishing their register of information, gathering the relevant information specified in the ESAs’ Implementing Standards on the registers of information, and reporting their registers of information to their respective competent authorities, which will, in turn, provide those to the ESAs.
Financial entities participating in the dry run will receive support from the ESAs to build their register of information in the format as close as possible to the steady-state reporting from 2025, test the reporting process, address data quality issues, and improve internal processes and quality of their registers of information.
As part of the exercise, the ESAs will also provide feedback on data quality to participating financial entities, return cleaned files with their register of information, organise workshops and respond to frequently asked questions.
The ad-hoc data collection is expected to begin in May 2024, with the financial entities expecting to submit their registers of information to the ESAs through their competent authorities between July 1 and August 30.
This is just the latest preparatory work to have taken place in advance of DORA’s implementation in January next year.
In March, for example, the ESAs published a series of responses to their DORA consultations, on matters such as threat-led penetration tests, as well as specifying the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
In Malta, meanwhile, the national competent authority sent out a new “Dear CEO” letter outlining its expectations for firms in implementing the regulatory framework, and the Dutch Central Bank (DNB) published an announcement shedding light on industry preparations.
Spain is also consulting on the implementation of the DORA regulatory framework at the moment.
DORA recruitment drive
Earlier this week, the ESAs began the recruitment process for the oversight of critical third-party providers (CTPPs) that is required by DORA.
The team will include a director, legal experts and ICT risk experts, and applications need to be in by May 13.
The joint oversight team will be led by 30 staff across the ESAs and will be complemented by experts from competent authorities.
