Published: 08.05.2025 | Topics: Digitalisation, Risk management

Registers of information and notification requirements: identifying concentrations in IT services
Although there are advantages when companies in the financial sector use third-party service providers for their IT, it gives rise to interconnectedness and dependencies. The new requirement to maintain a register of information creates transparency – for financial entities and supervisors alike. This article outlines what financial entities must now bear in mind and what BaFin is doing to ease their burden.
By Benedikt Queng, BaFin IT Supervision
When financial entities use third-party service providers for information and communication technology (ICT), this increases the level of interconnectedness in the financial sector and creates new dependencies and risks. At the same time, the sector’s attack surface, i.e. its total overall vulnerability, increases. IT incidents at key ICT service providers can quickly affect many financial entities at the same time. In a worst-case scenario, they can jeopardise the entire financial market. The IT incident at CrowdStrike in the summer of 2024 highlighted how swiftly problems at key service providers can impact the global economy.
Recognising interconnectedness
To ensure effective risk management and to be able to analyse third-party risks, financial entities and supervisory authorities must have an overview of how ICT third-party service providers are being used. This is the only way they can detect interconnectedness, tackle risks and identify critical ICT third-party service providers (CTPPs). ICT third-party service providers are considered critical within the meaning of the Digital Operational Resilience Act (DORA) if a significant portion of the European financial sector is dependent on them. Article 28 of DORA sets out clear documentation and reporting requirements in this regard. DORA has been applicable since 17 January 2025.
One particularly important development is that financial entities must now keep a register of information. This is stipulated in the first subparagraph of Article 28(3). The register of information is intended to record all contracts with third-party service providers that provide ICT services to the financial entity. For ICT services that support critical or important functions, not only the direct ICT third-party service providers must be recorded in the register, but also all the subcontractors that ensure the provision of the ICT service.
Registers of information: helpful for supervisors and companies
The register of information does not just serve supervisory purposes. Companies can use it to manage their ICT third-party risk. It allows them to identify concentrations and geographical dependencies in ICT services and effectively manage the resulting risks.
Supervisory authorities will use the registers to monitor companies’ ICT third-party risk and to analyse macro-level risks arising from the interconnectedness of the financial sector with ICT third-party service providers. BaFin will thus be able to analyse concentration risks at company, sector and financial market level and identify critical ICT third-party service providers for financial entities. The European Supervisory Authorities (ESAs) will use the registers for their annual categorisation of critical ICT third-party service providers, in accordance with the Guidelines on oversight cooperation and information exchange between the ESAs and the competent authorities.
In addition to concentration risks, the register can also be used to analyse other risks in more detail. For example, supervisory authorities will be able to identify regional dependencies and analyse the effects of any geopolitical upheavals on the financial market. Geopolitical uncertainties increase the probability of failures at service providers and interruptions in the associated ICT services. At the same time, supervisors can also use the register data to better assess the impact of IT incidents at service providers. Potentially affected companies can thus be identified and warned at an early stage.
Dry run in the summer of 2024
To help financial entities develop their register of information and test their own systems, the European Supervisory Authorities and national competent authorities such as BaFin conducted a dry run for the submission of registers of information in the summer of 2024. Participants in the dry run received individual feedback on the data quality of their registers; the objective was to enable them to submit a complete and error-free register in 2025.
The supervisory authorities also gained valuable insights from the exercise. Following the dry run, they revised and refined the requirements of Implementing Regulation (EU) 2024/2956 on the register of information. In addition, they adjusted validation rules in order to improve data quality.
The ESAs published their findings in a report that revealed shortcomings. In some cases, for example, mandatory fields had not been completed. Moreover, identification codes for financial entities and ICT third-party service providers were often incorrect or missing altogether.
LEI obligation for ICT third-party service providers?
Under DORA, the key identification code for financial entities is the legal entity identifier (LEI). Every financial entity must have an LEI and, in accordance with Chapter III of DORA, use the LEI to identify itself in the register of information and for reporting ICT incidents. This also applies to consolidated registers of information pertaining to groups or corporations and aggregated incident reporting by service providers. In both cases, all the companies in the financial sector that are included in the respective report or register must be identified by their LEI (see Figure 1).
Figure 1: Identification codes
For a long time, it was unclear whether the LEI would also be mandatory for identifying ICT third-party service providers. Implementing Regulation (EU) 2024/2956 on the register of information of 29 November 2024 provided clarity in this regard. The EU Commission decided that, in addition to the LEI, the European unique identifier (EUID) could also be used to identify these third-party service providers. According to Article 3(5) of Implementing Regulation (EU) 2024/2956 on the register of information, all ICT third-party service providers must be identified by means of one of these two IDs. If a third-party service provider has both IDs, both must be provided. If natural persons act as service providers, they can use other identification codes such as their personal identity card number.
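The dry run found that identification codes were often incorrect or missing. Since the LEI is an ISO 17442 code whose last two characters are ISO 7064 MOD 97-10 check digits (the same scheme used by IBANs), a financial entity can catch most mistyped LEIs before submission. The following is an added example, not code from BaFin or the ESAs: it checks each provider record in a register for the "LEI or EUID" rule and verifies LEI check digits. The record layout, the field names `lei` and `euid`, and the sample provider entries are constructed assumptions; the EUID check is deliberately limited to "non-empty", because the ESAs' published validation rules, not this example, define the authoritative format.

```python
import re

LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def _to_numeric(s: str) -> int:
    # ISO 7064 MOD 97-10: letters A..Z map to 10..35, digits stay as they are,
    # and the result is read as one large integer.
    return int("".join(str(int(ch, 36)) for ch in s))


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits for an 18-character LEI body."""
    prefix18 = prefix18.upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI body must be 18 alphanumeric characters")
    remainder = _to_numeric(prefix18 + "00") % 97
    return f"{98 - remainder:02d}"


def make_lei(prefix18: str) -> str:
    """Build a syntactically valid LEI (constructed, not a real issued code)."""
    return prefix18.upper() + lei_check_digits(prefix18)


def lei_is_valid(lei: str) -> bool:
    """True if the string is 20 characters in LEI format with valid check digits."""
    lei = lei.strip().upper()
    if not LEI_RE.fullmatch(lei):
        return False
    return _to_numeric(lei) % 97 == 1


def validate_provider(record: dict) -> list[str]:
    """Return a list of data-quality problems for one third-party provider record.

    `record` is an assumed layout: {"name": str, "lei": str | None, "euid": str | None}.
    """
    problems = []
    lei = (record.get("lei") or "").strip()
    euid = (record.get("euid") or "").strip()
    # Article 3(5) of Implementing Regulation (EU) 2024/2956: at least one of the two IDs.
    if not lei and not euid:
        problems.append("neither LEI nor EUID provided")
    # Whether a provider that has both IDs really supplied both cannot be checked
    # from the record alone; that needs a lookup against the issuing registers.
    if lei and not lei_is_valid(lei):
        problems.append(f"LEI {lei!r} fails ISO 17442 format/check-digit validation")
    return problems


def validate_register(records: list[dict]) -> dict[str, list[str]]:
    """Map each provider name to its problems; providers without problems are omitted."""
    report = {}
    for rec in records:
        issues = validate_provider(rec)
        if issues:
            report[rec.get("name", "<unnamed>")] = issues
    return report


# Constructed sample register entries (no real providers or issued LEIs).
SAMPLE_REGISTER = [
    {"name": "Cloud Provider A", "lei": make_lei("529900ABCDEFGHIJKL"), "euid": None},
    {"name": "Hosting Provider B", "lei": "529900ABCDEFGHIJKL00", "euid": None},  # bad check digits
    {"name": "Sole Trader C", "lei": None, "euid": None},                         # no ID at all
    {"name": "Software Vendor D", "lei": None, "euid": "EXAMPLE-EUID-PLACEHOLDER"},
]

if __name__ == "__main__":
    for name, issues in validate_register(SAMPLE_REGISTER).items():
        print(name, "->", "; ".join(issues))
```

Running the block lists only the two records with problems (the mistyped LEI and the provider with no identifier). The check-digit test rejects transposed or mistyped characters but cannot tell whether an LEI is actually issued to the named provider; for that, the register should still be reconciled against the GLEIF database before submission.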
What will happen next?
Financial entities must make their complete register of information available to the competent authority on request. This is stipulated in subparagraph 4 of Article 28(3). Since the ESAs need the registers for the annual categorisation of critical ICT third-party service providers, Guideline 5 of the Joint Guidelines on the oversight cooperation and information exchange between the European Supervisory Authorities and the competent authorities requires competent authorities to transmit these registers to the ESAs.
For 2025, the ESAs have made clear in their Decision of ESAs on reporting of information for CTPP designation that they expect the registers to be submitted by the competent authorities by 30 April 2025. These should contain all contract information with the reference date 31 March 2025. In subsequent years, the reference date will be 31 December. The registers are then to be sent to the ESAs on 31 March.
Financial entities under BaFin’s supervision must prepare to make their first submission of registers of information to BaFin by 28 April 2025 at the latest (see Figure 2). BaFin will closely support the companies until then and endeavour to clarify as many unresolved issues as possible. To this end, BaFin has created a new info page regarding the register of information on its website; this page is being updated on a regular basis. Financial entities may also consult the new info page to find out when they can begin submitting the registers to BaFin.
Figure 2: Timeline for the preparation, submission and transmission of registers
The registers of information are to be sent to BaFin via its reporting and publishing platform (MVP). To send the register of information, each financial entity must first activate accounts for the reporting agents who will be using the “Digital Operational Resilience Act (DORA)” specialised procedure on the platform. In recent months, BaFin has contacted all relevant financial entities in this regard. Further information on MVP account activation is available on the BaFin website.
The registers of information must always be submitted as a structured file that corresponds to the ESAs’ taxonomy. Unlike the dry run in the summer of 2024, the ESAs are not providing a conversion tool. BaFin is familiar with the conversion difficulties, especially for small financial entities, and will soon publish a specially structured Excel template on its website. Companies will also have the option of using the template but must adhere to the predefined structure of the file.
Besides submitting the register of information as a structured file, companies may also opt to submit the completed Excel template via the MVP. Financial entities should always follow the validation rules for the data fields published by the ESAs. Those companies whose register is found to contain errors or incomplete data fields will be asked to correct their register and resubmit it.
Reporting requirements for agreements on the use of ICT services
In addition to the submission of the register of information, Article 28 of DORA contains further reporting requirements. These include informing the competent authority once a year of the number of new arrangements regarding the use of ICT services. Financial entities are also required to provide further information on the ICT third-party service providers and the ICT services provided (see third subparagraph of Article 28(3) of DORA).
According to Article 31(10) of DORA, this information is to be used by the competent authorities to categorise critical ICT third-party service providers. The complete registers of information will now be used for this purpose. This is regulated in Guideline 5.1 of the Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities. The registers of information will be collected once a year in accordance with Article 5 of the ESAs’ Decision of ESAs on reporting of information for CTPP designation.
BaFin currently assumes that the companies, by annually submitting the registers of information, will be providing all the information specified in subparagraph 3 of Article 28(3) of DORA. From BaFin’s perspective, therefore, this reporting requirement will have been fulfilled. To ease the burden on financial entities, BaFin plans to use this data itself to obtain and analyse information on new arrangements – by comparing it with the previous year’s register. For financial entities, this means there is no need for further action on their part.
BaFin prevents double reporting
Subparagraph 5 of Article 28(3) of DORA requires financial entities to inform the supervisory authority of planned contracts on the use of ICT services supporting critical or important functions. This also applies if a function only becomes critical or important at a later date. It is likely that these DORA reports will often overlap with the reporting on (material) outsourcing under the sectoral regulations set out in the German Banking Act (Kreditwesengesetz – KWG), the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), the German Investment Code (Kapitalanlagegesetzbuch – KAGB) and the German Investment Firm Act (Wertpapierinstitutsgesetz – WpIG).
To prevent double reporting and ease the burden on the industry, BaFin will be modifying the MVP specialised procedure for reporting outsourced activities and processes (Anzeige von Auslagerungen), which has been in use since the end of 2022. BaFin is currently revising the form to be completed for the procedure and expects to make it available from the second quarter of 2025. The form will be adapted to the current regulations concerning reports and be supplemented with a DORA field.
Instead of double reporting: one report on outsourcing
Financial entities that would otherwise have to meet two sets of reporting requirements will be expected to prioritise reporting their outsourced activities and processes; by ticking a box in the DORA field of the form, they will declare that they are meeting both reporting requirements. In the period between the introduction of the new DORA reporting requirements and the updating of the MVP form for reporting outsourcing, financial entities should report their planned outsourcing via the MVP as usual and then, once the updated form is available, revise their report – they need only tick the DORA box and submit the revised report by way of a notification of change. BaFin is planning to hold workshops to explain the new MVP form.
For ICT services that do not have to be reported as outsourcing, financial entities are to use an Excel form to notify BaFin of any planned contracts or changes to critical or important functions. On the BaFin website, financial entities will find an overview page dealing with the register of information and the reporting requirements; this overview page provides further information on the reporting process and the Excel form made available for this purpose.
BaFin will continue to support companies
The register of information and the other reporting requirements under Article 28 of DORA pose challenges. This is particularly the case with regard to the sectoral requirements already in place for outsourcing management and the corresponding reporting obligations. BaFin is aware of these challenges and will continue to provide companies with further information and assistance after 17 January 2025.
Overall, Article 28 of DORA reflects the international trend of taking a broader view and focusing not only on outsourcing risks, but also on the third-party risk faced by financial entities. EU legislators are thus responding to recent international initiatives, such as those of the Financial Stability Board (“Enhancing Third-Party Risk Management and Oversight”), the G7 (“G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector”) and the ongoing work of the Basel Committee on Banking Supervision (“Principles for the sound management of third-party risk”). The European Banking Authority (EBA) is also currently revising its Guidelines on outsourcing arrangements. It is conceivable that the trend towards a stronger focus on third-party risk will result in further adjustments to regulatory requirements.