Fund XP’s DORA Register Solution
Fund XP provides a comprehensive solution to help financial entities efficiently produce the DORA register of information required by the financial authorities.
Financial authorities must submit the register to the ESAs by 30 April 2025, using the reference date of 31 March 2025 for the first submission.
Fund XP simplifies this process by streamlining the generation of the register in the required CSV format.
Once the register is submitted, the authorities will perform validation checks from 15 April 2025 to 30 April 2025. If any errors are detected, Fund XP ensures that the financial entity can quickly address and correct them for resubmission before the 30 April deadline.
During May 2025, the ESAs will perform their own checks. If they identify any additional errors, Fund XP will facilitate the correction and re-submission of the register to the authorities, who will then communicate it to the ESAs.
Importantly, the ESA will not provide tools or scripts for generating the register, as was done during the Dry Run exercise. Fund XP offers a reliable solution to ensure that your register is correctly formatted and ready for submission without additional manual effort.
How does it work?
Utilizing Excel templates, Fund XP integrates advanced functions to ensure seamless data production, validation, and checks. Our solution automates the process of compiling and verifying critical information, drastically reducing manual errors and improving efficiency. Everything is done locally on your system, ensuring complete control over your data and processes.
The solution is multi-jurisdictional and fully compliant with jurisdictions that require filing in CSV/JSON formats.
What is DORA?
The Digital Operational Resilience Act (DORA), effective from 17 January 2025, aims to strengthen the digital operational resilience of the EU financial sector. This regulation introduces a unified legal framework to manage ICT-related risks, enhance incident reporting, conduct resilience testing, and oversee third-party ICT providers. DORA applies to 20 types of financial entities, including banks, insurers, and investment firms.
Luxembourg’s Transposition of DORA
In Luxembourg, DORA is directly applicable from January 2025. The CSSF and CAA are designated as the authorities ensuring compliance with DORA. Specific laws and regulations, such as Circular CSSF 24/847, are already in place to enhance incident reporting and align with DORA’s framework.
Which financial entities fall under the scope of DORA?
(a) credit institutions;
(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
(c) account information service providers;
(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
(e) investment firms;
(f) crypto-asset service providers and issuers of asset-referenced tokens;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers; and
(t) securitisation repositories
What is a direct ICT third-party service provider?
An ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with:
(a) a financial entity to provide its ICT services directly to that financial entity;
(b) a financial or a non-financial entity to provide its services to other financial entities within the same group.
What is an ICT service supply chain?
A sequence of contractual arrangements connected with the ICT service being provided by the direct ICT third-party service provider to the financial entity, starting with the direct ICT third-party service provider which has one or multiple other ICT third-party service providers as counterparties (subcontractors).
What kind of information should be provided?
Template Code | Template Name | Short Description |
---|---|---|
B_01.01 | Entity maintaining the register of information | This template identifies the entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level, respectively. |
B_01.02 | List of entities within the scope of consolidation | This template identifies all the entities belonging to the group. Where the financial entity responsible for maintaining and updating the register of information does not belong to a group, only that financial entity shall be reported in this template. |
B_01.03 | List of branches | This template identifies the branches of the financial entities referred to in template B_01.02. |
B_02.01 | Contractual arrangements – general information | This template lists all contractual arrangements with direct ICT third-party service providers. For each contractual arrangement with a direct ICT third-party service provider, the financial entity maintaining the register of information shall assign a unique ‘contractual arrangement reference number’ to identify unambiguously the contractual arrangement itself. |
B_02.02 | Contractual arrangements – specific information | This template provides details in relation to each contractual arrangement listed in template B_02.01 with regard to: (a) the ICT services included in the scope of the contractual arrangement; (b) the functions of the financial entities supported by those ICT services; (c) other important information in relation to the specific ICT services provided (e.g. notice period, law governing the arrangement, etc.). |
B_02.03 | List of intra-group contractual arrangements | This template identifies the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain. |
B_03.01 | Entities signing the contractual arrangements for receiving ICT service(s) or on behalf of the entities making use of the ICT service(s) | This template provides information on the entity signing the contractual arrangements with the direct ICT third-party service provider for the entity making use of the ICT services. Where the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services is the financial entity maintaining and updating the register of information. In the context of sub-consolidation and consolidation, the financial entity making use of the ICT services provided is not necessarily the entity signing the contractual arrangement with the ICT third-party service providers. |
B_03.02 | ICT third-party service providers signing the contractual arrangements for providing ICT service(s) | This template identifies all the ICT third-party service providers referred to in template B_05.01 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services. |
B_03.03 | Entities signing the contractual arrangements for providing ICT service(s) to other entities within the scope of consolidation | This template identifies all the entities referred to in template B_01.02 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services to other entities in the consolidation. |
B_04.01 | Entities making use of the ICT services | This template identifies all entities making use of the ICT services provided by ICT third-party service providers and registered in the register of information. The entities making use of the ICT services shall be either the financial entities in scope, or the ICT intra-group service providers. Where the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services are the financial entity maintaining the register. |
B_05.01 | ICT third-party service providers | This template lists and provides general information to identify: (a) the direct ICT third-party service providers; (b) the ICT intra-group service providers; (c) all subcontractors included in template B_05.02 on ICT service supply chain; (d) the ultimate parent undertaking of the ICT third-party service providers listed in points (a), (b) and (c). |
B_05.02 | ICT service supply chain | This template identifies and links the ICT third-party service providers that are part of the same ICT service supply chain. Financial entities shall identify and rank the ICT third-party service providers for each ICT service included in each contractual arrangement. Example: a financial entity has a contractual arrangement with an ICT third-party service provider (‘ICT third-party service provider X’) to receive 2 specific ICT services (‘ICT service A’ and ‘ICT service B’) and the service provider makes use of a subcontractor (‘ICT third-party service provider Y’) to provide one of those services (‘ICT service B’).— In relation to ICT service A, the ICT service supply chain is composed of one ICT third-party service provider, ICT third-party service provider X, which will be ranked as number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider. — In relation to ICT service B, the ICT service supply chain is composed of two ICT third-party service providers: (a) ICT third-party service provider X, which will be ranked number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider. (b) ICT third-party service provider Y, which will be ranked number 2 in the template. ICT third-party service provider Y is a subcontractor. All ICT third-party service providers belonging to the same ICT service supply chain share the same ‘contractual arrangement reference number’ as referred to in template B_02.01 and the same type of ICT services |
B_06.01 | Functions identification | This template identifies and provides information on the functions of the financial entity making use of the ICT services. In the information to be provided in this template, financial entities shall include a unique identifier, the ‘function identifier’ for each combination of a financial entity’s LEI, licenced activity and function. Example: a financial entity (LEI: 21USLEIC20231109J3Z8) which operates under two licensed activities (‘activity A’ and ‘activity B’) will be given two unique ‘function identifiers’ for the same function X (e.g. sales) performed for activity A and activity B, respectively. The function identifier will be: F1 for the combination of “21USLEIC20231109J3Z8”, “Activity A” and “Function X”; F2 for the combination of “21USLEIC20231109J3Z8”, “Activity B” and “Function X”. |
B_07.01 | Assessments of the ICT services | This template captures information in relation to the risk assessment of the ICT services (e.g. substitutability, date of last audit, etc.) when those ICT services are supporting a critical or important function or material part thereof. |
B_99.01 | Definitions from entities making use of the ICT Services | This template captures entity-internal explanations, meanings, and definitions of the closed set of indicators used by the financial entity in the register of information. Example: In template B_07.01 the financial entity shall provide an indication of the impact of discontinuation of the ICT services by using a closed set of options (low, medium, high). In template B_99.01 the financial entity shall specify the meaning of those options. |
TEMPLATE B_01.01: General information on the financial entity maintaining and updating the register of information
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_01.01.0010 | LEI of the entity maintaining the register of information | Alphanumerical | Identify the entity maintaining and updating the register of information using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
b_01.01.0020 | Name of the entity | Alphanumerical | Legal name of the entity maintaining and updating the register of information | Mandatory |
b_01.01.0030 | Country of the entity | Country | Identify the ISO 3166–1 alpha–2 code of the country where the license or the registration of the entity reported in the Register on Information has been issued. | Mandatory |
b_01.01.0040 | Type of entity | Closed set of options | Identify the type of entity using one of the options in the corresponding dropdown list. Where the register of information is maintained at the group level by the parent undertaking, which is not itself subject to the obligation to maintain such register, i.e. it does not fall under the definition of financial entities set out in Article 2 of the Regulation (EU) 2022/2554 (e.g., financial holding company, mixed financial holding company or mixed-activity holding company) ‘Other financial entity’ option shall be chosen. | Mandatory |
b_01.01.0050 | Competent Authority | Alphanumerical | Identify the competent authority according to Article 46 of Regulation (EU) 2022/2554 to which the register of information is reported. | Mandatory in case of reporting |
b_01.01.0060 | Date of the reporting | Date | Identify the ISO 8601 (yyyy–mm–dd) code of the date of reporting | Mandatory in case of reporting |
TEMPLATE B_01.02: General information on the entities in the consolidation
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_01.02.0010 | LEI of the financial entity | Alphanumerical | Identify the entity reported in the Register on Information using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
b_01.02.0020 | Name of the financial entity | Alphanumerical | Legal name of the entity reported in the register of information. | Mandatory |
b_01.02.0030 | Country of the financial entity | Country | Identify the ISO 3166–1 alpha–2 code of the country where the license or the registration of the entity reported in the Register on Information has been issued. | Mandatory |
b_01.02.0040 | Type of financial entity | Closed set of options | Identify the type of entity using one of the options in the corresponding dropdown list | Mandatory |
b_01.02.0050 | Hierarchy of the entity within the group (where applicable) | Closed set of options | Identify the hierarchy of the entity within the scope of consolidation using one of the options in the corresponding dropdown list. | Mandatory |
b_01.02.0060 | LEI of the direct parent undertaking of the financial entity | Alphanumerical | Identify the direct parent undertaking of the financial entity using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
b_01.02.0070 | Date of last update | Date | Identify the ISO 8601 (yyyy–mm–dd) code of the date of the last update made on the Register of information. | Mandatory |
b_01.02.0080 | Date of integration in the Register of information | Date | Identify the ISO 8601 (yyyy–mm–dd) code of the date of integration in the Register of information | Mandatory |
b_01.02.0090 | Date of deletion in the Register of information | Date | Identify the ISO 8601 (yyyy–mm–dd) code of the date of deletion in the Register of information. If the entity has not been deleted, ‘9999-12-31’ shall be reported. | Mandatory |
b_01.02.0100 | Currency | Currency | Identify the ISO 4217 alphabetic code of the currency used for the financial entity’s financial statements. | Mandatory only if B_01.02.0110 is reported |
b_01.02.0110 | Value of total assets – of the financial entity | Monetary | Monetary value of total assets of the entity making use of ICT services as reported in its annual financial statement. | Mandatory if the entity is a financial entity |
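
A pre-submission check for the B_01.02 fields above, as an added example (not Fund XP's tooling and not an ESA script). It assumes the CSV column headers are the field codes; the LEIs and entity names are constructed, and the country and currency checks test only the shape of the code, not membership in the ISO lists.

```python
import csv
import io
import re
from datetime import date

NOT_DELETED = "9999-12-31"  # b_01.02.0090 value when the entity is not deleted


def _lei_as_int(text):
    # ISO 17442 check digits use ISO 7064 MOD 97-10: A=10 ... Z=35.
    return int("".join(str(int(ch, 36)) for ch in text))


def lei_check_digits(prefix18):
    """Two check digits for an 18-character LEI prefix."""
    return f"{98 - _lei_as_int(prefix18 + '00') % 97:02d}"


def is_valid_lei(value):
    shape_ok = re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", value) is not None
    return shape_ok and _lei_as_int(value) % 97 == 1


def is_iso_date(value):
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def validate_row(row):
    """Return [(field code, problem)] for one B_01.02 row."""
    def get(code):
        return (row.get(code) or "").strip()

    problems = []
    for code in ("b_01.02.0010", "b_01.02.0060"):
        if not is_valid_lei(get(code)):
            problems.append((code, "not a 20-character LEI with valid check digits"))
    if not re.fullmatch(r"[A-Z]{2}", get("b_01.02.0030")):
        problems.append(("b_01.02.0030", "expected an ISO 3166-1 alpha-2 code"))
    for code in ("b_01.02.0070", "b_01.02.0080", "b_01.02.0090"):
        if is_iso_date(get(code)):
            continue
        hint = "expected yyyy-mm-dd"
        if code == "b_01.02.0090":
            hint += f"; report {NOT_DELETED} if the entity has not been deleted"
        problems.append((code, hint))
    amount, currency = get("b_01.02.0110"), get("b_01.02.0100")
    # Assumption: a monetary value is a plain non-negative decimal number.
    if amount and not re.fullmatch(r"[0-9]+(\.[0-9]+)?", amount):
        problems.append(("b_01.02.0110", "expected a numeric amount"))
    if amount and not currency:
        problems.append(("b_01.02.0100", "mandatory because b_01.02.0110 is reported"))
    elif currency and not re.fullmatch(r"[A-Z]{3}", currency):
        problems.append(("b_01.02.0100", "expected an ISO 4217 alphabetic code"))
    return problems


def validate_csv(text):
    """Map 1-based data row number -> problems, for rows that have any."""
    reader = csv.DictReader(io.StringIO(text))
    report = {}
    for number, row in enumerate(reader, start=1):
        problems = validate_row(row)
        if problems:
            report[number] = problems
    return report


def constructed_lei(n):
    # Constructed test identifier, not a registered LEI.
    prefix = f"EXAMPLE{n:011d}"
    return prefix + lei_check_digits(prefix)


LEI_A, LEI_B = constructed_lei(1), constructed_lei(2)
BAD_LEI = LEI_A[:-1] + str((int(LEI_A[-1]) + 1) % 10)  # last check digit altered

# Constructed sample extract (closed-set columns 0040/0050 omitted).
SAMPLE = "\n".join([
    "b_01.02.0010,b_01.02.0020,b_01.02.0030,b_01.02.0060,b_01.02.0070,"
    "b_01.02.0080,b_01.02.0090,b_01.02.0100,b_01.02.0110",
    f"{LEI_A},Constructed Fund SA,LU,{LEI_A},2025-03-31,2025-01-17,{NOT_DELETED},EUR,1500000",
    f"{BAD_LEI},Constructed Fund SA,LU,{LEI_A},2025-03-31,2025-01-17,{NOT_DELETED},EUR,2000",
    f"{LEI_B},Constructed ManCo,Luxembourg,{LEI_A},31/03/2025,2025-01-17,,,750000",
])

if __name__ == "__main__":
    for number, problems in validate_csv(SAMPLE).items():
        for code, problem in problems:
            print(f"row {number}: {code}: {problem}")
```
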
TEMPLATE B_01.03: Identification of the branches of financial entities located outside the home country
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_01.03.0010 | Identification code of the branch | Alphanumerical | Identify a branch of a financial entity located outside its home country using a unique code for each branch. One of the options in the following closed list shall be used: – LEI of the branch if unique for this branch and different from b_01.03.0020; – Other identification code used by the financial entity to identify the branch (if the LEI of the branch is equivalent to the one in b_01.03.0020 or equivalent to the LEI of another branch). | Mandatory |
b_01.03.0020 | LEI of the financial entity head office of the branch | Alphanumerical | As referred to in b_01.02.0010. Identify the financial entity head office of the branch, using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard. | Mandatory |
b_01.03.0030 | Name of the branch | Alphanumerical | Identify the name of the branch. | Mandatory |
b_01.03.0040 | Country of the branch | Country | Identify the ISO 3166–1 alpha–2 code of the country where the branch is located. | Mandatory |
TEMPLATE B_02.01: General information on the contractual arrangements
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_02.01.0010 | Contractual arrangement reference number | Alphanumerical | Identify the contractual arrangement between the financial entity or, in case of a group, the group subsidiary and the direct ICT third-party service provider. The contractual arrangement reference number is the internal reference number of the contractual arrangement assigned by the financial entity. The contractual arrangement reference number shall be unique and consistent over time at entity, sub-consolidated and consolidated level, where applicable. The contractual arrangement reference number shall be used consistently across all templates of the register of information when referring to the same contractual arrangement. For the case where an entity is acting on behalf of a financial entity for all the activities of the financial entity including the ICT services (refer to recital 7), the contractual arrangement reference number can be the contractual arrangement between the entity and its direct ICT third-party service provider. | Mandatory |
b_02.01.0020 | Type of contractual arrangement | Closed set of options | Identify the type of contractual arrangement by using one of the options in the corresponding dropdown list. | Mandatory |
b_02.01.0030 | Overarching contractual arrangement reference number | Alphanumerical | Not applicable if the contractual arrangement is the ‘overarching contractual arrangement’ or a ‘standalone arrangement’. In the other cases, report the contractual arrangement reference number of the overarching arrangement, which shall be equal to the value as reported in b_02.01.0010 when reporting the overarching contractual arrangement. | Mandatory |
b_02.01.0040 | Currency of the amount reported in B_02.01.0050 | Currency | Identify the ISO 4217 alphabetic code of the currency used to express the amount in b_ |
TEMPLATE B_02.02: Specific information on the contractual arrangements
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_02.02.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.01.0010 | Mandatory |
b_02.02.0020 | LEI of the financial entity making use of the ICT service(s) | Alphanumerical | Identify the entity making use of the ICT service(s) using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
b_02.02.0030 | Identification code of the ICT third-party service provider | Alphanumerical | Code to identify the ICT third-party service provider as reported in B_05.01.0010 for that provider. | Mandatory |
b_02.02.0040 | Type of code to identify the ICT third-party service provider | Pattern | Type of code to identify the ICT third-party service provider in B_02.02.0030 as reported in B_05.01.0020 for that provider. | Mandatory |
b_02.02.0050 | Function identifier | Pattern | As defined by the financial entity in b_06.01.0010 | Mandatory |
b_02.02.0060 | Type of ICT services | Closed set of options | One of the types of ICT services referred to in Annex III | Mandatory |
b_02.02.0070 | Start date of the contractual arrangement | Date | Identify the date of entry into force of the contractual arrangement as stipulated in the contractual arrangement using the ISO 8601 (yyyy–mm–dd) code | Mandatory |
b_02.02.0080 | End date of the contractual arrangement | Date | Identify the end date as stipulated in the contractual arrangement using the ISO 8601 (yyyy–mm–dd) code. If the contractual arrangement is indefinite, it shall be filled in with ‘9999-12-31’. | Mandatory |
b_02.02.0090 | Reason of the termination or ending of the contractual arrangement | Closed set of options | Identify the reason of the termination or ending of the contractual arrangements using one of the options in the corresponding dropdown list. | Mandatory if the contractual arrangement is terminated |
b_02.02.0100 | Notice period for the financial entity making use of the ICT service(s) | Natural number | Identify the notice period for terminating the contractual arrangement by the financial entity in a business-as-usual case. | Mandatory if the ICT service is supporting a critical or important function |
TEMPLATE B_02.03: Information on the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain is intra-group
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_02.03.0010 | Contractual arrangement reference number | Alphanumerical | Reference number of the contractual arrangement between the entity making use of the ICT service(s) provided and the ICT intra-group service provider. The contractual arrangement reference number shall be unique and consistent over time and across all the group. | Mandatory |
b_02.03.0020 | Contractual arrangement linked to the contractual arrangement referred in B_02.03.0010 | Alphanumerical | Contractual arrangement reference number of the contractual arrangement between the ICT intra-group service provider of the contractual arrangement in b_02.03.0010 and its direct ICT third-party service provider. | Mandatory |
TEMPLATE B_03.01: Information on the entities signing the contractual arrangements with the direct ICT third-party service providers for receiving ICT services or on behalf of the entities using the ICT
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_03.01.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.02.0010. Identify the contractual reference number signed by the entity. | Mandatory |
b_03.01.0020 | LEI of the entity signing the contractual arrangement | Alphanumerical | Identify the entity signing the contractual arrangement using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard. | Mandatory |
TEMPLATE B_03.02: Identification of the ICT third-party service providers signing the contractual arrangements for providing ICT services
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_03.02.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.02.0010. Identify the contractual arrangement reference number signed by the ICT third-party service provider. | Mandatory |
b_03.02.0020 | Identification code of ICT third-party service provider | Alphanumerical | As reported in b_05.01.0010. Code to identify the ICT third-party service provider. | Mandatory |
b_03.02.0030 | Type of code to identify the ICT third-party service provider | Pattern | As reported in B_05.01.0020. Type of code to identify the ICT third-party service provider in B_03.02.0020 as reported in B_05.01.0020 for that provider. | Mandatory |
TEMPLATE B_03.03: Identification of the entities signing the contractual arrangements for providing ICT services to other entities in the consolidation
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_03.03.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.02.0010. Identify the contractual reference number signed by the entity for providing ICT service(s) | Mandatory |
b_03.03.0020 | LEI of the entity providing ICT services | Alphanumerical | As reported in b_01.02.0010. Identify the entity providing ICT services using LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
TEMPLATE B_04.01: Information on the entities making use of the ICT services provided by the ICT third-party service providers
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_04.01.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.01.0010. Identify the contractual reference number in relation to the entity making use of the ICT services provided | Mandatory |
b_04.01.0020 | LEI of the entity making use of the ICT service(s) | Alphanumerical | Identify the entity making use of the ICT service(s) using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard | Mandatory |
b_04.01.0030 | Nature of the entity making use of the ICT service(s) | Closed set of options | One of the options in the corresponding dropdown list shall be used | Mandatory |
b_04.01.0040 | Identification code of the branch | Alphanumerical | Identification code of the branch as reported in b_01.03.0010 | Mandatory if the entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030) |
TEMPLATE B_05.01: Information on the direct ICT third-party service providers and subcontractors
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_05.01.0010 | Identification code of ICT third-party service provider | Alphanumerical | Code to identify the ICT third-party service provider. Where LEI is used, it shall be provided as a 20-character, alpha-numeric code based on the ISO 17442 standard. Where EUID is used, it shall be provided as specified in Article 9 of the Commission Implementing Regulation (EU) 2021/1042. | Mandatory |
b_05.01.0020 | Type of code to identify the ICT third-party service provider | Pattern | Type of code to identify the ICT third-party service provider reported in B_05.01.0010: 1. ‘LEI’ for LEI; 2. ‘EUID’ for EUID; 3. ‘Country Code’+Underscore+‘Type of Code’ for non LEI and non EUID code. Only LEI or EUID shall be used for legal persons, as identified in B_05.01.0070, whereas alternative code may be used only for an individual acting in a business capacity. | Mandatory |
b_05.01.0030 | Additional identification code of ICT third-party service provider | Alphanumerical | Additional code to identify the ICT third-party service provider, where available. | Mandatory |
b_05.01.0040 | Type of additional identification code to identify the ICT third-party service provider | Pattern | The type of additional code to identify the ICT third-party service provider reported in B_05.01.0030: 1. ‘LEI’ for LEI; 2. ‘EUID’ for EUID; 3. CRN for Corporate registration number; 4. VAT for VAT number; 5. PNR for Passport Number; 6. NIN for National Identity Number. LEI or EUID shall be used for legal persons, as identified in B_05.01.0070, whereas alternative code may be used only for an individual acting in a business capacity. | Mandatory |
b_05.01.0050 | Legal name of the ICT third-party service provider | Alphanumerical | Legal name of the ICT third-party service provider as registered in business register in Latin, Cyrillic or Greek alphabets. | Mandatory |
b_05.01.0060 | Name of the ICT third-party service provider in Latin alphabet | Alphanumerical | Name of the ICT third-party service provider in Latin alphabet. Where the name of the ICT third-party service provider reported in B_05.01.0050 is in Latin alphabet, it shall be repeated also in this data field. | Mandatory |
b_05.01.0070 | Type of person of the ICT third-party service provider | Closed set of options | One of the options in the following closed list shall be used: 1. Legal person, excluding individuals acting in business capacity; 2. Individual acting in a business capacity | Mandatory |
b_05.01.0080 | Country of the ICT third-party service provider’s headquarters | Country | Identify the ISO 3166–1 alpha–2 code of the country in which the global operating headquarters of ICT third-party service provider are located (usually, this country is the country of tax residence). | Mandatory |
b_05.01.0090 | Currency of the amount reported in B_05.01.0070 | Currency | Identify the ISO 4217 alphabetic code of the currency used to express the amount in B_05.01.0100. The currency reported shall be the same currency used by the financial entity for the preparation of the financial statements at entity, sub-consolidated or consolidated level, as applicable. | Mandatory if B_05.01.0100 is reported |
b_05.01.0100 | Total annual expense or estimated cost of the ICT third-party service provider | Monetary | Annual expense or estimated cost for using the ICT services provided by the ICT third-party service provider to the entities making use of the ICT services. Monetary value shall be reported in units. | Mandatory if the ICT third-party service provider is a direct ICT third-party service provider |
b_05.01.0110 | Identification code of the ICT third-party service provider’s ultimate parent undertaking | Alphanumerical | Code to identify the ICT third-party service provider’s ultimate parent undertaking. The code used to identify ultimate parent undertaking in this field shall match the identification code provided in B_05.01.0010 for that ultimate parent undertaking. Where the ICT third-party service provider is not part of a group, the identification code used to identify that ICT third-party service provider in B_05.01.0010 shall be repeated also in this data field. | Mandatory if the ICT third-party service provider is not the ultimate parent undertaking |
b_05.01.0120 | Type of code to identify the ICT third-party service provider’s ultimate parent undertaking | Pattern | Type of code to identify the ICT third-party service provider’s ultimate parent undertaking in B_05.01.0110. The type of the code used to identify ultimate parent undertaking in this field shall match the identification code provided in B_05.01.0020 for that ultimate parent undertaking. Where the ICT third-party service provider is not part of a group, the type of the identification code used to identify that ICT third-party service provider in B_05.01.0020 shall be repeated also in this data field. | Mandatory if the ICT third-party service provider is not the ultimate parent undertaking |
TEMPLATE B_05.02: Information on the ICT service supply chain
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_05.02.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.01.0010 | Mandatory |
b_05.02.0020 | Type of ICT services | Closed set of options | One of the types of ICT services referred to in Annex III | Mandatory |
b_05.02.0030 | Identification code of the ICT third-party service provider | Alphanumerical | As reported in b_05.01.0010 | Mandatory |
b_05.02.0040 | Type of code to identify the ICT third-party service provider | Pattern | As reported in b_05.01.0020 | Mandatory |
b_05.02.0050 | Rank | Natural number | Where the ICT third-party service provider is signing the contractual arrangement with the financial entity, it is considered as a direct ICT third-party service provider and the ‘rank’ to be reported shall be 1; Where the ICT third-party service provider is signing the contract with the direct ICT third-party service provider, it is considered as a subcontractor and the ‘rank’ to be reported shall be 2; The same logic applies to all the following subcontractors by incrementing the ‘rank’. | Mandatory |
b_05.02.0060 | Identification code of the recipient of sub-contracted ICT services | Alphanumerical | To be left blank if the ICT third-party service provider (template B_05.02.0030) is a direct ICT third-party service provider (rank 1). Where the ICT third-party service provider is at ‘rank’ r = n where n > 1, indicate the ‘Identification code of the recipient of the sub-contracted services’ at ‘rank’ r=n-1 that subcontracted the ICT service. | Mandatory (Not applicable for rank 1) |
b_05.02.0070 | Type of code to identify the recipient of sub-contracted ICT services | Pattern | To be left blank where the ICT third-party service provider (template B_05.02.0030) is at rank r = 1. Where the ICT third-party service provider is at ‘rank’ r = n where n > 1, indicate the ‘Type of code to identify the recipient of the sub-contracted service’ at ‘rank’ r=n-1 that subcontracted the ICT service. | Mandatory (Not applicable for rank 1) |
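
The rank and recipient rules of template B_05.02 can be checked on the CSV before submission. The following is an added example, not code from Fund XP or the ESAs. The sample rows, the `S01` and `LEI` values, and the scoping of a subcontracting chain to one contract reference and one service type are assumptions.

```python
import csv
import io
import re

# Field codes b_05.02.0010 .. b_05.02.0070 from template B_05.02.
CONTRACT, SERVICE, PROVIDER, PROVIDER_TYPE, RANK, RECIPIENT, RECIPIENT_TYPE = (
    f"b_05.02.00{i}0" for i in range(1, 8))

# Constructed sample rows, not real register data.
# 'S01' and 'LEI' are placeholders for the closed-set / pattern values.
SAMPLE_CSV = """b_05.02.0010,b_05.02.0020,b_05.02.0030,b_05.02.0040,b_05.02.0050,b_05.02.0060,b_05.02.0070
CA-001,S01,PROV-A,LEI,1,,
CA-001,S01,PROV-B,LEI,2,PROV-A,LEI
CA-001,S01,PROV-C,LEI,3,PROV-Z,LEI
CA-002,S02,PROV-D,LEI,1,PROV-A,LEI
CA-002,S02,PROV-E,LEI,2,,
CA-003,S01,PROV-F,LEI,0,,
"""


def validate_supply_chain(csv_text):
    """Return (csv_line_number, message) findings for B_05.02 rows."""
    rows = [{k: (v or "").strip() for k, v in r.items() if k}
            for r in csv.DictReader(io.StringIO(csv_text))]
    # Index providers by (contract, service type, rank) for the rank n-1 lookup.
    # Assumption: a chain is scoped to one contract reference and service type.
    providers = {}
    for r in rows:
        if re.fullmatch(r"[1-9][0-9]*", r[RANK]):
            key = (r[CONTRACT], r[SERVICE], int(r[RANK]))
            providers.setdefault(key, set()).add((r[PROVIDER], r[PROVIDER_TYPE]))
    findings = []
    for line_no, r in enumerate(rows, start=2):  # line 1 is the header
        if not re.fullmatch(r"[1-9][0-9]*", r[RANK]):
            findings.append((line_no, "rank must be a natural number starting at 1"))
            continue
        rank = int(r[RANK])
        recipient = (r[RECIPIENT], r[RECIPIENT_TYPE])
        if rank == 1:
            if any(recipient):
                findings.append((line_no, "recipient fields must be blank at rank 1"))
        elif not all(recipient):
            findings.append((line_no, "recipient code and type are mandatory above rank 1"))
        elif recipient not in providers.get((r[CONTRACT], r[SERVICE], rank - 1), set()):
            findings.append((line_no, f"recipient {recipient[0]} is not a provider at rank {rank - 1}"))
    return findings
```

A finding on the last rule usually means a subcontractor row was added without the row for the provider one rank above it, which leaves a gap in the reported ICT supply chain.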
TEMPLATE B_06.01: Information on the identification of functions
Code | Field Name | Type | Definition | Requirement |
---|---|---|---|---|
b_06.01.0010 | Function Identifier | Pattern | The function identifier shall be composed by the letter F (capital letter) followed by a natural number (e.g. “F1” for the 1st function identifier and “Fn” for the nth function identifier with “n” being a natural number). Each combination between ‘LEI of the financial entity making use of the ICT service(s)’ (b_06.01.0040), ‘Function name’ (b_06.01.0030) and ‘Licenced activity’ (b_06.01.0020) shall have a unique function identifier. | Mandatory |
b_06.01.0020 | Licenced activity | Closed set of options | One of the licenced activities referred to in Annex II for the different types of financial entities. In case the function is not linked to a registered or licenced activity, ‘support functions’ shall be reported. | Mandatory |
b_06.01.0030 | Function name | Alphanumerical | Function name according to the financial entity’s internal organisation. | Mandatory |
b_06.01.0040 | LEI of the financial entity | Alphanumerical | As reported in b_04.01.0020. Identify the financial entity using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard. | Mandatory |
b_06.01.0060 | Criticality or importance assessment | Closed set of options | Use this column to indicate whether the function is critical or important according to the financial entity’s assessment. | Mandatory |
b_06.01.0070 | Reasons for criticality or importance | Alphanumerical | Brief explanation on the reasons to classify the function as critical or important (300 characters maximum). | Optional |
b_06.01.0080 | Date of the last assessment of criticality or importance | Date | Identify the ISO 8601 (yyyy-mm-dd) code of the date of the last assessment of criticality or importance in case the function is supported by ICT services provided by ICT third-party service providers. In case the function’s assessment of criticality or importance is not performed, it shall be filled in with ‘9999-12-31’. | Mandatory |
b_06.01.0090 | Recovery time objective of the function | Natural number | In number of hours. If the recovery time objective is less than 1 hour, ‘1’ shall be reported. In case the recovery time objective of the function is not defined ‘0’ shall be reported. | Mandatory |
b_06.01.0100 | Recovery point objective of the function | Natural number | In number of hours. If the recovery point objective is less than 1 hour, ‘1’ shall be reported. In case the recovery time objective of the function is not defined ‘0’ shall be reported. | Mandatory |
b_06.01.0110 | Impact of discontinuing the function | Closed set of options | Use this column to indicate the impact of discontinuing the function according to the financial entity’s assessment. | Mandatory |
TEMPLATE B_07.01: Information on the assessment of the ICT services provided by ICT third-party service providers supporting a critical or important function or material parts thereof
Code | Field Name | Type | Description | Requirement |
---|---|---|---|---|
b_07.01.0010 | Contractual arrangement reference number | Alphanumerical | As reported in b_02.01.0010 | Mandatory |
b_07.01.0020 | Identification code of the ICT third-party service provider | Alphanumerical | As reported in b_05.01.0010 | Mandatory |
b_07.01.0030 | Type of code to identify the ICT third-party service provider | Pattern | As reported in b_05.01.0020 | Mandatory |
b_07.01.0040 | Type of ICT services | Closed set of options | One of the types of ICT services referred to in Annex III | Mandatory |
b_07.01.0050 | Substitutability of the ICT third-party service provider | Closed set of options | Use this column to provide the results of the financial entity’s assessment in relation to the degree of substitutability of the ICT third-party service provider to perform the specific ICT services supporting a critical or important function. | Mandatory |
b_07.01.0060 | Reason if the ICT third-party service provider is considered not substitutable or difficult to be substitutable | Closed set of options | One of the options in the corresponding dropdown list shall be used. | Mandatory in case “not substitutable” or “highly complex substitutability” is selected in B_07.01.0050 |
b_07.01.0070 | Date of the last audit on the ICT third-party service provider | Date | Use this column to provide the date of the last audit on the specific ICT services provided by the ICT third-party service provider. This column relates to audits conducted by: (i) the internal audit department or any other additional qualified personnel of the financial entity, (ii) a joint team together with other clients of the same ICT third-party service provider (“pooled audit”) or (iii) a third party appointed by the supervised entity to audit the service provider. This column shall be used to report all types of audits performed by any of the subjects listed above concerning fully or partially the ICT services provided by the ICT third-party service provider. To report the date, the ISO 8601 (yyyy-mm-dd) code shall be used. If no audit has been performed, it shall be filled in with ‘9999-12-31’. | Mandatory |
b_07.01.0080 | Existence of an exit plan | [Yes/No] | Use this column to report the existence of an exit plan from the ICT third-party service provider in relation to the specific ICT service provided. | Mandatory |
b_07.01.0090 | Possibility of reintegration of the contracted ICT service | Closed set of options | One of the options in the corresponding dropdown list shall be used. In case the ICT service is provided by an ICT third-party service provider that is not an ICT intra-group service provider. | Mandatory |
b_07.01.0100 | Impact of discontinuing the ICT services | Closed set of options | Use this column to provide the impact for the financial entity of discontinuing the ICT services provided by the ICT third-party service provider according to the financial entity’s assessment. | Mandatory |
b_07.01.0110 | Are there alternative ICT third-party service providers identified? | Closed set of options | In principle, for each ICT third-party service provider supporting a critical or important function, the assessment to identify an alternative service provider shall be performed. | Mandatory |
b_07.01.0120 | Identification of alternative ICT TPP | Alphanumerical | If ‘Yes’ is reported in b_07.01.0110, additional information could be provided in this column. | Optional |
Useful links
CAA Circular LC25-01 : https://www.caa.lu/uploads/documents/files/LC25-01_FR.pdf
CSSF Webpage : https://www.cssf.lu/en/digital-operational-resilience-act-dora/
EIOPA Webpage : https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
EBA Webpage : https://www.eba.europa.eu/risk-and-data-analysis/reporting-frameworks