Tech & Sourcing @ Morgan Lewis


Beginning January 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) will require financial entities to maintain and submit to EU regulators a comprehensive register of their contractual arrangements with third-party information and communication technology (ICT) service providers. Financial entities are being given the opportunity to sign up for a voluntary reporting exercise by May 31, 2024, running between July and August 2024, to help them prepare for one of the most challenging aspects of implementing DORA.

Scope and Objective

DORA will apply to a broad scope of EU financial entities, including banking institutions, payment institutions, investment firms, and insurance undertakings.

One of DORA’s key objectives is to strengthen financial entities’ operational resilience by ensuring prudent risk management of ICT services, which under the latest draft guidance, covers technology services, cloud services, software applications, and data subscription services, among others. This includes ensuring transparency regarding contractual arrangements with third-party ICT service providers and, as we previously noted, compliance with mandatory contractual provisions under DORA.

Voluntary Reporting Exercise

Financial entities are invited to submit registers of information on a “best-efforts basis” to their competent national regulator in the European Union, which will then pass the submissions to the European Supervisory Authorities (ESAs). The applicable reporting requirements and formats are set out in the draft Implementing Technical Standards published in January 2024—these have not yet been adopted by the European Commission and so may be subject to change before January 17, 2025.

Participating financial entities will receive support from the ESAs to do the following:

  • Build their register of information in a format that is as close as possible to the steady-state reporting format of 2025
  • Test the reporting process
  • Address data quality issues
  • Improve internal processes and the quality of their registers of information

In an introductory workshop for the voluntary reporting exercise, the ESAs stated that nearly 4,000 financial entities had already registered by April 30. The ESAs also stressed that they would not use the information collected for this exercise as part of supervision under DORA.

Before the end of the year, the ESAs will host a “lessons learnt” workshop on the quality of data received during the voluntary reporting exercise, which will be open to all financial entities.

Further information on the reporting exercise can be found on the European Banking Authority’s website.