The latest Q&As from the European Supervisory Authorities (ESAs) aim to address confusion around the EU’s operational resilience framework and the expectations for the Register of Information.
The ESAs have published new clarifications on the scope and structure of the Register of Information under the Digital Operational Resilience Act (DORA).
The Register of Information is a mandatory inventory that financial entities, including payment and e-money firms, must maintain to document all contractual arrangements for ICT services and detail relevant group entities involved in ICT service provision.
The aim is to enable supervisors to monitor a range of key players involved in critical areas such as outsourcing across the financial sector.
Scope of firms
In one Q&A, a consultancy firm queried a perceived contradiction in the European Commission’s Implementing Regulation (EU) 2024/2956, which sets out technical standards for the Register of Information under Article 28 of DORA.
Article 6 limits the register to financial entities and ICT intra-group service providers. However, a corresponding template includes a selectable category labelled “non-financial entity: other”, seemingly expanding the scope beyond what the regulation requires.
The ESAs have clarified that while the main objective of the template is to document all relevant financial entities, it must also capture non-financial entities where appropriate – particularly where they provide ICT services within the group.
These may include intra-group service providers (to be cross-reported in Template B_05.01) and non-financial entities that have contractual obligations to deliver ICT services on behalf of financial entities (to be reported in Template B_03.01).
Dedicated networks
Another clarification responded to a credit institution's question about the requirement to maintain a separate and dedicated network for ICT asset administration.
Article 13(1)(c) of the Regulatory Technical Standards (RTS) on ICT risk management calls for this separation, but stakeholders raised questions about what level of network isolation is considered compliant, particularly in virtualised or cloud-based environments.
The ESAs reiterated that the RTS is principles-based and technology-neutral.
Both physical and logical separation, such as via virtual local area networks (VLANs), can be appropriate, provided they meet the overall objective of secure administrative network isolation.
However, they cautioned that a VLAN alone may be insufficient, and advised that it should be supported by additional security controls, such as firewalls or controlled routing.
The authorities added that financial institutions must assess whether these configurations meet the full requirements of Article 13 and broader network security obligations under DORA.
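The point the ESAs make about VLANs can be expressed as a check an institution might run over its own segmentation design: a VLAN tag on its own only separates broadcast domains, so the administrative segment must also be wrapped in traffic controls (firewall rules or controlled routing) that keep arbitrary hosts out while still letting designated administration hosts in. The following is an added illustration, not text or tooling from the ESAs or the RTS; the VLAN numbers, host addresses and rule sets are constructed, and the two policies model "VLAN only" versus "VLAN plus firewall" configurations.

```python
"""Added example: does an administrative network segment have controls beyond a VLAN tag?

Models two segmentation designs as first-match firewall policies and reports
whether ordinary hosts can reach the ICT asset administration VLAN.
All VLAN ids, addresses and rules are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ADMIN_VLAN = 900                    # constructed: VLAN reserved for ICT asset administration
USER_VLANS = (100, 200)             # constructed: office and general server VLANs
JUMP_HOSTS = {"10.100.0.10": 100}   # constructed: admin jump host -> the VLAN it sits in


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_vlan: Optional[int]         # None matches any source VLAN
    dst_vlan: Optional[int]         # None matches any destination VLAN
    src_host: Optional[str] = None  # None matches any host in src_vlan


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple                    # Rule objects, evaluated top to bottom, first match wins
    default_action: str             # applied when no rule matches


def evaluate(policy: Policy, src_vlan: int, src_host: str, dst_vlan: int) -> str:
    """Return the action the policy applies to one flow (first matching rule, else default)."""
    for r in policy.rules:
        if r.src_vlan not in (None, src_vlan):
            continue
        if r.dst_vlan not in (None, dst_vlan):
            continue
        if r.src_host not in (None, src_host):
            continue
        return r.action
    return policy.default_action


def admin_isolation_findings(policy: Policy,
                             admin_vlan: int = ADMIN_VLAN,
                             user_vlans=USER_VLANS,
                             jump_hosts=JUMP_HOSTS) -> list:
    """List gaps in the isolation of the administrative VLAN (empty list = no gap found)."""
    findings = []
    # 1. An arbitrary host in any user VLAN must be blocked from the admin VLAN.
    #    If it is not, the design relies on the VLAN tag alone.
    for v in user_vlans:
        if evaluate(policy, v, "10.0.0.250", admin_vlan) == "allow":
            findings.append(
                f"any host in VLAN {v} can reach admin VLAN {admin_vlan}: "
                "VLAN tagging alone is not isolation, add firewall/routing controls")
    # 2. The designated administration hosts must still get in, otherwise the
    #    control blocks legitimate administration rather than isolating it.
    for host, vlan in jump_hosts.items():
        if evaluate(policy, vlan, host, admin_vlan) != "allow":
            findings.append(f"jump host {host} in VLAN {vlan} cannot reach admin VLAN {admin_vlan}")
    return findings


# Design A (constructed): admin VLAN exists, but nothing controls traffic into it.
VLAN_ONLY = Policy("vlan-tagging-only", rules=(), default_action="allow")

# Design B (constructed): same VLAN, plus a firewall that admits only the jump host
# and denies every other flow into the administrative segment.
HARDENED = Policy(
    "vlan-plus-firewall",
    rules=(
        Rule("allow", 100, ADMIN_VLAN, src_host="10.100.0.10"),
        Rule("deny", None, ADMIN_VLAN),
    ),
    default_action="deny",
)

if __name__ == "__main__":
    for p in (VLAN_ONLY, HARDENED):
        gaps = admin_isolation_findings(p)
        print(f"{p.name}: {'isolated' if not gaps else 'NOT isolated'}")
        for g in gaps:
            print("  -", g)
```

Running the module prints two findings for the VLAN-only design (any host in VLAN 100 or 200 reaches the admin segment) and none for the hardened one. The model is deliberately small; a real assessment would feed it the actual ACLs or routing tables rather than hand-written rules, and would extend the checks to outbound flows from the administrative segment.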
Non-EU subsidiaries
A third Q&A addressed whether EU parent institutions must include non-EU subsidiaries in their Register of Information.
In response, the ESAs referred to earlier guidance stating that the register should reflect all financial entities and branches within the group's consolidation scope under relevant EU legislation, including Directive 2013/34/EU.
This effectively limits the register’s scope to EU-based operations and those captured under EU consolidation rules, relieving institutions of the obligation to include non-EU subsidiaries not subject to DORA.