The Register of Information in relation to Contractual Arrangements for ICT Services

We continue our examination, continuing on from our previous article, of the first set of Implementing Technical Standards (ITS) and Regulatory Technical Standards (RTS) related to the DORA Regulation.

We begin with the ITS concerning the Register of Information in relation to Contractual Arrangements for ICT Services (the Register).

According to Article 28(3) of the DORA Regulation, “financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.”

The Register serves a dual purpose. On one hand, it provides financial entities with an updated map of their relationships with third-party suppliers, containing all relevant information in an easily accessible format. On the other hand, it allows supervisory authorities to check whether and to what extent financial entities are fulfilling their obligations by consulting the register.

The ITS on the Register has particular relevance. By proposing a harmonized standard that all financial entities must adopt, the ESAs aim to facilitate the tasks of both financial entities and competent authorities.

Within the Register, information is organized in open tables with a specific alphanumerical identifier, composed as follows: RT.xy.wz. The first numbers (xy) indicate a particular category or scope to which the information refers, and the second numbers (wz) represent specific information or instruction to be included in the table in relation to the category.

The ITS identifies the following information that must be included in the Register:

RT.01 – Financial entity and related group

• RT.01.01: general information on the financial entity maintaining the Register at an entity level and on a consolidated and sub-consolidated level.
• RT.01.02: general information about the entities belonging to the group.
• RT.01.03: identification of subsidiaries of the financial entities referred to in table RT.01.02, located outside the country of origin.

RT.02 – ICT contracts

• RT.02.01: general information on contracts with ICT service providers.
• RT.02.02: detailed information on each contract referred to in table RT.02.01.
• RT.02.03: information on connections between intra-group contracts and contracts with non-group ICT providers.

RT.03 – Parties to ICT contracts

• RT.03.01: information on the entities that sign contracts with ICT providers.
• RT.03.02: identification of ICT service providers.
• RT.03.03: identification of entities referred to in table RT.01.02 that sign contracts referred to in table 2.02.01 to provide ICT services to other group entities.

RT.04 – Entities using ICT services

• RT.04.01: information on entities that use ICT services provided by suppliers.

RT.05 – ICT service supply chain

• RT.05.01: information on all ICT suppliers included (i) direct suppliers; (ii) intra-group suppliers; and (iii) subcontractors included in the supply chains referred to in table RT.05.02.
• RT.05.02: information on connections between each supplier and between these and their respective sub-supply chain.

RT.06 – Functions of the entity

• RT.06.01: information on the functions of the financial entity using ICT services.

RT.07 – Service evaluation

• RT.07.01: information on the risk evaluation conducted by the financial entity (eg substitutability, date of the last audit, and its results) on the ICT services being supplied.

RT.99 – Definitions and terms

• RT.99.01: definitions and terms used by the financial entity within the Register.

For each table, the ITS includes specific compilation instructions and the exact information it must contain. We refer to the ITS draft attachments for a precise list in this regard.¹ In any case, the information entered in the Register must be accurate and constantly updated.

Finally, the ITS stipulates that the financial entity can delete information in the Register only after five years from the date of termination of the contract with the supplier to which the information refers.

While waiting for Commission to approve the ITS, it’s essential that financial entities begin collecting and organizing the necessary information for effective control over their ICT suppliers, preparing to facilitate checks by the competent authorities.

In our next articles, we’ll continue to explore the other standards proposed by the ESAs. The next article will address the RTS on internal policy relating to ICT service providers that support critical or important functions.