Fund XP’s DORA Register Solution

Fund XP provides a comprehensive solution to help financial entities efficiently produce the DORA register of information required by the financial authorities.

Financial authorities must submit the register to the ESAs starting 30 April 2025, using the reference date of 31 March 2025 for the first submission.

Fund XP simplifies this process by streamlining the generation of the register in the required XBRL JSON/CSV ZIP format.

Importantly, the ESA will not provide tools or scripts for generating the register, as was done during the Dry Run exercise. Fund XP offers a reliable solution to ensure that your register is correctly formatted and ready for submission without additional manual effort.

How does it work?

Utilizing an Excel template, Fund XP integrates advanced functions to ensure seamless data production, validation, and checks. Our solution automates the process of compiling and verifying critical information, drastically reducing manual errors and improving efficiency. As the reporting is yearly and the data remain relatively stable, our aim is to provide a simple, efficient, and cost-effective solution that avoids unnecessary complexity while delivering reliable results. Everything is done locally on your system, ensuring complete control over your data and processes.

The solution is multi-jurisdictional and fully compliant with jurisdictions that require filing in CSV/JSON formats.

 


 

What is DORA?

The Digital Operational Resilience Act (DORA), effective from 17 January 2025, aims to strengthen the digital operational resilience of the EU financial sector. This regulation introduces a unified legal framework to manage ICT-related risks, enhance incident reporting, conduct resilience testing, and oversee third-party ICT providers. DORA applies to 20 types of financial entities, including banks, insurers, and investment firms.

What is the primary purpose of this new EU regulation?

This regulation, Commission Implementing Regulation (EU) 2024/2956, aims to establish standard templates for a register of information concerning contractual arrangements on the use of ICT services provided by third-party service providers to the financial sector. The main goal is to enhance digital operational resilience by providing crucial information for financial entities’ internal ICT risk management, effective supervision by competent authorities, oversight of critical ICT third-party providers, and the annual designation process of critical ICT third-party service providers by European Supervisory Authorities (ESAs).

Luxembourg’s Transposition of DORA

In Luxembourg, DORA is directly applicable from January 2025. The CSSF and CAA are designated as the authorities ensuring compliance with DORA. Specific laws and regulations, such as Circular CSSF 24/847, are already in place to enhance incident reporting and align with DORA’s framework.

Which financial entities fall under the scope of DORA?

(a) credit institutions;
(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
(c) account information service providers;
(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
(e) investment firms;
(f) crypto-asset service providers and issuers of asset-referenced tokens;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers; and
(t) securitisation repositories.

Who is required to maintain this register of information, and at what levels?

Financial entities are required to maintain and update this register of information. This obligation applies at various levels: entity level, sub-consolidated level, and consolidated level. For financial entities that are part of a group, the parent undertaking is responsible for determining which entities to include in the register at sub-consolidated and consolidated levels, consistent with Union financial services legislation. Groups also have the option to develop a single register that can fulfill the reporting obligations at all three levels, thereby reducing administrative costs.

What is a direct ICT third-party service provider?

An ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with:
(a) a financial entity to provide its ICT services directly to that financial entity;
(b) a financial or a non-financial entity to provide its services to other financial entities within the same group.

What is an ICT service supply chain?

A sequence of contractual arrangements connected with the ICT service being provided by the direct ICT third-party service provider to the financial entity, starting with the direct ICT third-party service provider which has one or multiple other ICT third-party service providers as counterparties (subcontractors).

What key information about ICT services and third-party providers must be included in the register?

The register must include comprehensive details about ICT services and their providers. This encompasses general information on the financial entity maintaining the register, details of entities within the scope of consolidation and their branches, and general and specific information on contractual arrangements with direct ICT third-party service providers. Crucially, it must also include information on the ICT service supply chain, identifying all direct ICT third-party service providers and subcontractors that underpin critical or important functions. Furthermore, details on the identification of functions supported by ICT services, risk assessments of these services (including substitutability and impact of discontinuation), and internal terminology used by financial entities must be provided.

What kind of information should be provided?

Template code: template name, followed by the short description.

B_01.01: Entity maintaining the register of information
This template identifies the entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level, respectively.

B_01.02: List of entities within the scope of consolidation
This template identifies all the entities belonging to the group. Where the financial entity responsible for maintaining and updating the register of information does not belong to a group, only that financial entity shall be reported in this template.

B_01.03: List of branches
This template identifies the branches of the financial entities referred to in template B_01.02.

B_02.01: Contractual arrangements – general information
This template lists all contractual arrangements with direct ICT third-party service providers.
For each contractual arrangement with a direct ICT third-party service provider, the financial entity maintaining the register of information shall assign a unique ‘contractual arrangement reference number’ to identify unambiguously the contractual arrangement itself.

B_02.02: Contractual arrangements – specific information
This template provides details in relation to each contractual arrangement listed in template B_02.01 with regard to:
(a) the ICT services included in the scope of the contractual arrangement;
(b) the functions of the financial entities supported by those ICT services;
(c) other important information in relation to the specific ICT services provided (e.g. notice period, law governing the arrangement, etc.).

B_02.03: List of intra-group contractual arrangements
This template identifies the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain.

B_03.01: Entities signing the contractual arrangements for receiving ICT service(s) or on behalf of the entities making use of the ICT service(s)
This template provides information on the entity signing the contractual arrangements with the direct ICT third-party service provider for the entity making use of the ICT services.
Where the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services is the financial entity maintaining and updating the register of information.
In the context of sub-consolidation and consolidation, the financial entity making use of the ICT services provided is not necessarily the entity signing the contractual arrangement with the ICT third-party service providers.

B_03.02: ICT third-party service providers signing the contractual arrangements for providing ICT service(s)
This template identifies all the ICT third-party service providers referred to in template B_05.01 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services.

B_03.03: Entities signing the contractual arrangements for providing ICT service(s) to other entities within the scope of consolidation
This template identifies all the entities referred to in template B_01.02 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services to other entities in the consolidation.

B_04.01: Entities making use of the ICT services
This template identifies all entities making use of the ICT services provided by ICT third-party service providers and registered in the register of information.
The entities making use of the ICT services shall be either the financial entities in scope, or the ICT intra-group service providers.
Where the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services are the financial entity maintaining the register.

B_05.01: ICT third-party service providers
This template lists and provides general information to identify:
(a) the direct ICT third-party service providers;
(b) the ICT intra-group service providers;
(c) all subcontractors included in template B_05.02 on ICT service supply chain;
(d) the ultimate parent undertaking of the ICT third-party service providers listed in points (a), (b) and (c).

B_05.02: ICT service supply chain
This template identifies and links the ICT third-party service providers that are part of the same ICT service supply chain.
Financial entities shall identify and rank the ICT third-party service providers for each ICT service included in each contractual arrangement.
Example: a financial entity has a contractual arrangement with an ICT third-party service provider (‘ICT third-party service provider X’) to receive 2 specific ICT services (‘ICT service A’ and ‘ICT service B’) and the service provider makes use of a subcontractor (‘ICT third-party service provider Y’) to provide one of those services (‘ICT service B’).
  • In relation to ICT service A, the ICT service supply chain is composed of one ICT third-party service provider, ICT third-party service provider X, which will be ranked as number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider.
  • In relation to ICT service B, the ICT service supply chain is composed of two ICT third-party service providers:
    (a) ICT third-party service provider X, which will be ranked number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider.
    (b) ICT third-party service provider Y, which will be ranked number 2 in the template. ICT third-party service provider Y is a subcontractor.
All ICT third-party service providers belonging to the same ICT service supply chain share the same ‘contractual arrangement reference number’ as referred to in template B_02.01 and the same type of ICT services.

B_06.01: Functions identification
This template identifies and provides information on the functions of the financial entity making use of the ICT services.
In the information to be provided in this template, financial entities shall include a unique identifier, the ‘function identifier’, for each combination of a financial entity’s LEI, licenced activity and function.
Example: a financial entity (LEI: 21USLEIC20231109J3Z8) which operates under two licensed activities (‘activity A’ and ‘activity B’) will be given two unique ‘function identifiers’ for the same function X (e.g. sales) performed for activity A and activity B, respectively. The function identifier will be:
  • F1 for the combination of “21USLEIC20231109J3Z8”, “Activity A” and “Function X”
  • F2 for the combination of “21USLEIC20231109J3Z8”, “Activity B” and “Function X”

B_07.01: Assessments of the ICT services
This template captures information in relation to the risk assessment of the ICT services (e.g. substitutability, date of last audit, etc.) when those ICT services are supporting a critical or important function or material part thereof.

B_99.01: Definitions from entities making use of the ICT Services
This template captures entity-internal explanations, meanings, and definitions of the closed set of indicators used by the financial entity in the register of information.
Example: In template B_07.01 the financial entity shall provide an indication of the impact of discontinuation of the ICT services by using a closed set of options (low, medium, high). In template B_99.01 the financial entity shall specify the meaning of those options.

How are ICT third-party service providers and their positions in the supply chain identified and tracked?

Financial entities must assign a “rank” to each ICT third-party service provider in the ICT service supply chain. A rank of ‘1’ is assigned to direct ICT third-party service providers that have a direct contractual arrangement with the financial entity. Subcontractors receive a rank higher than ‘1’, with lower numbers indicating closer proximity to the financial entity in the supply chain. For legal persons, unique identifiers such as the Legal Entity Identifier (LEI) or the European Unique Identifier (EUID) are mandated, while natural persons can use alternative identification codes. The register also specifically links intra-group contractual arrangements with external third-party provider arrangements to capture the full supply chain.
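
The ranking rule and the cross-references between templates B_02.01, B_05.01 and B_05.02 can be checked mechanically before a register is filed. The Python below is an added example, not Fund XP's tooling or code published by the ESAs; the row keys, the sample identifiers and the rank-gap check are assumptions made for this illustration, and the sample rows are constructed from the provider X / provider Y example in template B_05.02.

```python
from collections import defaultdict

# Constructed sample data. Keys are descriptive names chosen for this example,
# not the official column codes of the templates.
CONTRACTS = [{"contract_ref": "CA-001"}]                      # B_02.01
PROVIDERS = [{"provider_id": "PROVIDER-X"},                   # B_05.01
             {"provider_id": "PROVIDER-Y"}]
CLEAN_CHAIN = [                                               # B_05.02
    {"contract_ref": "CA-001", "ict_service": "ICT service A",
     "provider_id": "PROVIDER-X", "rank": 1},
    {"contract_ref": "CA-001", "ict_service": "ICT service B",
     "provider_id": "PROVIDER-X", "rank": 1},
    {"contract_ref": "CA-001", "ict_service": "ICT service B",
     "provider_id": "PROVIDER-Y", "rank": 2},
]
BROKEN_CHAIN = [
    {"contract_ref": "CA-001", "ict_service": "ICT service B",
     "provider_id": "PROVIDER-X", "rank": 1},
    {"contract_ref": "CA-001", "ict_service": "ICT service B",
     "provider_id": "PROVIDER-Y", "rank": 3},   # rank 2 is missing
    {"contract_ref": "CA-999", "ict_service": "ICT service A",
     "provider_id": "PROVIDER-Q", "rank": 2},   # unknown refs, no rank 1
]


def validate_supply_chain(contracts, providers, chain_rows):
    """Return (check, detail) findings; an empty list means nothing was found."""
    known_contracts = {r["contract_ref"] for r in contracts}
    known_providers = {r["provider_id"] for r in providers}
    findings, seen = [], set()
    ranks_by_chain = defaultdict(set)

    for row in chain_rows:
        # A chain is one ICT service under one contractual arrangement.
        chain = (row["contract_ref"], row["ict_service"])
        key = chain + (row["provider_id"], row["rank"])
        if key in seen:
            findings.append(("duplicate_row", key))
            continue
        seen.add(key)
        if row["contract_ref"] not in known_contracts:
            findings.append(("unknown_contract", row["contract_ref"]))
        if row["provider_id"] not in known_providers:
            findings.append(("unknown_provider", row["provider_id"]))
        rank = row["rank"]
        # bool is a subclass of int, so it is rejected explicitly.
        if isinstance(rank, bool) or not isinstance(rank, int) or rank < 1:
            findings.append(("invalid_rank", key))
            continue
        ranks_by_chain[chain].add(rank)

    for chain in sorted(ranks_by_chain):
        ranks = ranks_by_chain[chain]
        if 1 not in ranks:
            # Every chain starts with the direct provider, ranked 1.
            findings.append(("no_direct_provider", chain))
        # Assumption of this example: a skipped rank means a missing link.
        gaps = tuple(n for n in range(2, max(ranks)) if n not in ranks)
        if gaps:
            findings.append(("rank_gap", chain + (gaps,)))
    return findings


if __name__ == "__main__":
    print(validate_supply_chain(CONTRACTS, PROVIDERS, CLEAN_CHAIN))
    for finding in validate_supply_chain(CONTRACTS, PROVIDERS, BROKEN_CHAIN):
        print(finding)
```

Several providers may share a rank within one chain, so the check compares the set of ranks per chain rather than requiring one row per rank.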

What are the data quality principles that financial entities must adhere to when maintaining the register?

To ensure consistency, harmonisation, and comparability of reported information, financial entities must adhere to several data quality principles. These include accuracy, completeness, consistency, integrity, uniformity, and validity. The information must be regularly reviewed, and any errors or discrepancies promptly corrected. For groups, consistency between entity-level, sub-consolidated, and consolidated information is also explicitly required.

What kind of risk assessments are financial entities required to perform and report in relation to ICT services?

Financial entities must conduct and report risk assessments related to ICT third-party services, particularly for services supporting critical or important functions. This includes assessing the nature, scale, complexity, and importance of ICT-related dependencies, and the risks arising from contractual arrangements. Specific information to be captured includes the substitutability of the ICT third-party service provider, reasons for non-substitutability or high complexity in substitution, the date of the last audit on the provider, the existence of exit plans, the possibility of reintegrating contracted ICT services, and the impact of discontinuing the ICT services. They also need to assess whether alternative ICT third-party service providers have been identified.

How does this regulation address the complexities of intra-group ICT service provision and subcontracting?

The regulation specifically accounts for intra-group ICT service providers and subcontracting chains. Financial entities must report information on contractual arrangements with both intra-group service providers and external ICT third-party providers, including subcontractors. A dedicated template (B_02.03) allows for the reconciliation of intra-group contracts with contracts involving external ICT third-party providers when they are part of the same ICT service supply chain. For ICT services supporting critical or important functions, financial entities are required to record all subcontractors that effectively underpin these services. Furthermore, if an intra-group service provider uses subcontractors, at least the first extra-group subcontractor must be recorded, even if their services are not deemed critical or important.

What types of financial entities are covered by this regulation, and what activities are relevant to their reporting?

The regulation applies to a broad range of financial entities, including but not limited to credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, insurance and reinsurance undertakings, and credit rating agencies. For each type of entity, a specific list of licensed activities and services is provided in Annex II, which is relevant for the identification of functions (template B_06.01) within their internal organization that are supported by ICT services.

Glossary of Key Terms

  • Board of Supervisors (BoS): The governing body of each European Supervisory Authority (ESA), involved in approving key decisions like the designation of Critical Third-Party Providers (CTPPs).
  • Competent Authority (CA): National authorities responsible for the supervision of Financial Entities (FEs) within a Member State. They cooperate with ESAs in DORA oversight.
  • Critical Third-Party Provider (CTPP): An Information and Communication Technology (ICT) third-party service provider designated as critical by the European Supervisory Authorities (ESAs) due to its systemic impact on the financial sector.
  • Digital Operational Resilience Act (DORA): An EU regulation establishing a comprehensive framework for managing ICT risks in the financial sector, including oversight of CTPPs.
  • European Banking Authority (EBA): One of the three European Supervisory Authorities (ESAs) with oversight responsibilities under DORA, specifically for the banking sector.
  • European Insurance and Occupational Pensions Authority (EIOPA): One of the three European Supervisory Authorities (ESAs) with oversight responsibilities under DORA, specifically for the insurance and occupational pensions sector.
  • European Securities and Markets Authority (ESMA): One of the three European Supervisory Authorities (ESAs) with oversight responsibilities under DORA, specifically for the securities and markets sector.
  • European Supervisory Authorities (ESAs): The EBA, EIOPA, and ESMA, jointly empowered to oversee CTPPs on a pan-European scale under DORA.
  • Financial Entity (FE): An entity within the financial sector that relies on external ICT services.
  • General Investigations: Formal reviews performed by overseers covering one or more risk areas of CTPPs, aimed at gathering information on how CTPPs manage risks.
  • Information and Communication Technology (ICT): Technologies and services related to information processing, storage, and communication.
  • Inspections: A highly intrusive method of oversight involving on-site or off-site examinations of CTPPs’ premises, systems, and data to gain a deep understanding of business operations, risk management, and internal controls.
  • Joint Committee (JC): The most senior cross-sectoral committee across the three ESAs, responsible for adopting relevant decisions regarding CTPPs oversight, including designation.
  • Joint Examination Teams (JETs): Teams composed of staff from ESAs and relevant Competent Authorities (CAs) that assist Lead Overseers (LOs) in conducting DORA oversight activities.
  • Joint Oversight Network (JON): A body set up by the overseers to coordinate the conduct of oversight activities over CTPPs and prepare decisions and acts for submission to the Oversight Forum.
  • Joint Oversight Venture (JOV): An operational structure set up by the three ESAs to maximize synergies and ensure consistency in day-to-day DORA oversight activities through a cross-sectoral integrated approach.
  • Lead Overseer (LO): The specific European Supervisory Authority (ESA) appointed to conduct the oversight activities for a designated CTPP.
  • Ongoing Regular Monitoring: The continuous interaction between overseers and CTPPs, involving systematic collection, analysis, and assessment of information outside of specific investigations or inspections.
  • Oversight Forum (OF): A standing committee of the ESAs dedicated to DORA oversight, carrying out preparatory work for individual acts and collective recommendations, and promoting a consistent approach to ICT third-party risk.
  • Recommendations: Non-binding suggestions issued by overseers to CTPPs addressing identified deficiencies in specific areas of assessment, typically after examinations.
  • Request for Information (RfI): A tool used by overseers to request information from CTPPs, either by “Simple Request” or by “Decision,” without initiating full investigations or inspections.
  • Remediation Plan: A plan provided by a CTPP to the overseers, outlining the actions and measures it intends to take to address findings and comply with issued recommendations.