ARTICLE
3 March 2025

National Regulators Announce Digital Operational Resilience Act Reporting Windows

KG
K&L Gates LLP

Contributor

At K&L Gates, we foster an inclusive and collaborative environment across our fully integrated global platform that enables us to diligently combine the knowledge and expertise of our lawyers and policy professionals to create teams that provide exceptional client solutions. With offices spanning across five continents, we represent leading global corporations in every major industry, capital markets participants, and ambitious middle-market and emerging growth companies. Our lawyers also serve public sector entities, educational institutions, philanthropic organizations, and individuals. We are leaders in legal issues related to industries critical to the economies of both the developed and developing worlds—including technology, manufacturing, financial services, health care, energy, and more.
EU national supervisory authorities will collect the Register of Information (ROI) pursuant to the EU's Digital Operational Resilience Act (DORA) from in scope financial entities in April 2025...
European Union Strategy

EU national supervisory authorities will collect the Register of Information (ROI) pursuant to the EU's Digital Operational Resilience Act (DORA) from in scope financial entities in April 2025, with the reference date set as 31 March 2025. ROIs are reports by in-scope EU financial entities on all contractual arrangements on the use of information and communication technology (ICT) services provided by ICT third-party service providers. The financial entity must differentiate between providers who are not critical and providers who are considered critical and important.

The Irish Central Bank has announced that it will collect the ROIs between 1-4 April 2025. The German BaFin has set 11 April as the deadline. In-scope financial entities across the EU should expect that there will be a similar process locally.

Under the Implementing Technical Standards on the Register of Information, information to be collected includes:

  • Identification of ICT third-party service providers (will need to have either a valid LEI code or EU-ID for the files to pass validation);
  • Detail on the nature of the ICT services provided;
  • Detail on contractual arrangements;
  • Risk classification;
  • Monitoring and oversight mechanisms;
  • Sub-outsourcing arrangements; and
  • ICT-related incidents.

The European Supervisory Authorities have provided useful information on how to prepare to report the ROI which is available online. In Ireland, the Central Bank will publish a system guide to submitting the ROI in March 2025. The German BaFin has provided information here (in German).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More