Specific DORA Regulation adopted
The "regulation" is now in place, detailing what information must be recorded about ICT providers. Here are the 15 templates that must be completed to meet DORA's requirements for the register of information on ICT service agreements – Regulation (EU) 2024/2956.
The European Commission has adopted Implementing Regulation (EU) 2024/2956, which lays down implementing technical standards (ITS) for the register of information on ICT service agreements. This is referred to as Level 2 legislation.
Behind the legal language lie the detailed requirements for registering direct ICT providers and their subcontractors. These have already been described at a higher level in the DORA Regulation (EU) 2022/2554 on digital operational resilience in the financial sector. The Level 2 act is therefore a specification of the main regulation and can be compared to a regulation (forskrift) issued under an act in Norwegian law.
We have previously written that DORA requires a risk-based approach when financial institutions enter into agreements with external ICT providers. All institutions must maintain a register with an overview of services provided by ICT providers. The register must document which services support critical or important functions, and it must be available for inspection by supervisory authorities.
The Level 2 regulation clarifies DORA's Article 28, which is where we find the requirements for managing third-party ICT risk and the register of information. This is the part of DORA covered by House of Control's solution.
Seven articles about the register for ICT providers
The Level 2 regulation for DORA's information register on ICT providers consists of seven articles. Article 1 contains definitions, the most important distinction being between direct ICT service providers and subcontractors further down the supply chain; the ranking of subcontractors by their position in the chain is set out in Article 2.
Article 3 is the core of the information register and sets out the general requirements that the 15 templates below detail further. It obliges financial entities to record accurate, complete and consistent information on all ICT services delivered by direct providers, and on the subcontractors that support critical or important functions. Providers must be identified by LEI or EUID, and the register must be reviewed and updated regularly.
LEI (Legal Entity Identifier, ISO 17442) is a global, unique identifier for legal entities that take part in financial transactions. It consists of a 20-character alphanumeric code whose last two characters are check digits, and it is linked to key reference data about the entity, such as its name, address and country of registration. EUID (European Unique Identifier) is the corresponding identifier for companies registered in EU business registers, used in the Business Registers Interconnection System (BRIS).
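Because Article 3 requires the register to be accurate, complete and consistent, and because LEI is the primary key for providers, the two checks an institution can automate first are the LEI check digits (ISO 17442 uses the ISO 7064 MOD 97-10 scheme, the same as IBAN) and cross-template referential integrity. The following is an added example, not code from the article or from House of Control. The register layout and field names (`lei`, `name`, `contract_ref`, `provider_lei`) are simplified assumptions and do not reproduce the ITS column names; the sample register is constructed, and GLEIF's own LEI is used only as a known-valid value.

```python
"""Added example: LEI check-digit validation (ISO 17442 / ISO 7064 MOD 97-10)
plus a minimal consistency pass over a simplified, constructed register.
Field names are assumptions, not the ITS column names."""
import re

# 18 alphanumeric characters followed by two numeric check digits.
_LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _mod97(s: str) -> int:
    """MOD 97-10 over an alphanumeric string: letters become 10..35 (A=10),
    digits stay as they are, and the remainder is accumulated digit by digit
    so the number never has to be materialised."""
    r = 0
    for ch in s:
        v = ord(ch) - 55 if ch.isalpha() else int(ch)  # 'A' (65) -> 10
        for d in str(v):
            r = (r * 10 + int(d)) % 97
    return r


def lei_is_valid(lei: str) -> bool:
    """True when the LEI has the right shape and its check digits verify (remainder 1)."""
    lei = lei.strip().upper()
    if not _LEI_RE.match(lei):
        return False
    return _mod97(lei) == 1


def lei_check_digits(body18: str) -> str:
    """Compute the two check digits for an 18-character LEI body:
    append '00', take 98 minus the remainder, zero-pad to two digits."""
    body18 = body18.upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", body18):
        raise ValueError("LEI body must be 18 alphanumeric characters")
    return f"{98 - _mod97(body18 + '00'):02d}"


def register_issues(register: dict) -> list[str]:
    """Cross-template checks over a simplified register (assumed field names):
    every provider in B_05.01 must carry a valid LEI; every contract reference in
    B_02.01 must be unique and point at a provider that exists in B_05.01."""
    issues: list[str] = []
    providers: dict[str, dict] = {}
    for row in register.get("B_05.01", []):
        lei = row["lei"]
        if not lei_is_valid(lei):
            issues.append(f"B_05.01: invalid LEI {lei!r} for {row.get('name')!r}")
        providers[lei] = row
    seen: set[str] = set()
    for row in register.get("B_02.01", []):
        ref = row["contract_ref"]
        if ref in seen:
            issues.append(f"B_02.01: duplicate contract reference {ref!r}")
        seen.add(ref)
        if row["provider_lei"] not in providers:
            issues.append(f"B_02.01: {ref!r} references unknown provider {row['provider_lei']!r}")
    return issues


# Constructed sample register (not real contract data). The first LEI is GLEIF's
# own, used only as a known-valid value; the second has a corrupted check digit.
SAMPLE_REGISTER = {
    "B_05.01": [
        {"lei": "5493001KJTIIGC8Y1R12", "name": "GLEIF (known-valid LEI)"},
        {"lei": "5493001KJTIIGC8Y1R13", "name": "Example Subcontractor"},
    ],
    "B_02.01": [
        {"contract_ref": "CTR-0001", "provider_lei": "5493001KJTIIGC8Y1R12"},
        {"contract_ref": "CTR-0001", "provider_lei": "5493001KJTIIGC8Y1R12"},
        {"contract_ref": "CTR-0002", "provider_lei": "529900XXXXXXXXXXXX00"},
    ],
}

if __name__ == "__main__":
    for issue in register_issues(SAMPLE_REGISTER):
        print(issue)
```

Run as a script, it reports three findings on the constructed register: the corrupted LEI, the duplicated contract reference and the contract that points at a provider missing from B_05.01. A check-digit test catches transcription errors but says nothing about whether the LEI is current or belongs to the intended entity; that still requires a lookup against the GLEIF reference data before the register is handed to a supervisor.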
Articles 4 to 6 set out the technical requirements for the data format, the content of the register, and the rules for groups that report on a consolidated basis.
These are the 15 templates that must be completed
Under DORA Article 28, financial entities must maintain an overview of all contractual arrangements with ICT service providers. This is done by completing 15 standardised templates that cover different aspects of those arrangements. Below is a simplified explanation of each template, with the template reference kept so it can be matched to the regulation.
The descriptions follow the first part of Annex I, which lists the templates; the precise instructions for completing each field are given in the second part of the annex. The 15 templates are:
- B_01.01 – Entity maintaining the register: Identifies the entity responsible for updating the register, either on an individual level or for the entire group.
- B_01.02 – List of entities within the group: Lists all entities belonging to the group. If the financial entity is not part of a group, only that entity is listed.
- B_01.03 – List of branches: Identifies the branches of the financial entities mentioned in B_01.02.
- B_02.01 – Agreements – general information: Lists all agreements with external ICT service providers and assigns each agreement a unique reference number.
- B_02.02 – Agreements – specific information: Provides details on each agreement, including the ICT services covered, the functions they support, and other important information such as termination period and applicable legislation.
- B_02.03 – List of internal agreements: Shows the connection between internal agreements and agreements with external ICT service providers when they are part of the same service chain.
- B_03.01 – Entities signing agreements to receive ICT services: Provides information on which entity signs the agreement with the ICT service provider on behalf of the entity using the services.
- B_03.02 – ICT service providers signing the agreements: Identifies all ICT service providers signing the agreements to deliver services.
- B_03.03 – Entities signing agreements to deliver ICT services internally: Identifies entities within the group signing agreements to deliver ICT services to other entities within the same group.
- B_04.01 – Entities using the ICT services: Identifies all entities using ICT services provided by external suppliers, including internal ICT providers.
- B_05.01 – ICT service providers: Lists and provides general information about direct ICT service providers, internal ICT providers, subcontractors in the supply chain, and their ultimate parent company.
- B_05.02 – ICT service chain: Identifies and links ICT service providers that are part of the same service chain, ranking them according to their position in the chain.
- B_06.01 – Function identification: Identifies and provides information on the functions of the financial entity using the ICT services, including a unique identifier for each combination of entity, licensed activity, and function.
- B_07.01 – Assessments of ICT services: Contains information about the risk assessment of ICT services, especially those supporting critical or important functions.
- B_99.01 – Definitions from entities using the ICT services: Compiles internal explanations and definitions used by the financial entity in the register, such as the meaning of assessment categories like "low," "medium," and "high."