On October 15, 2024, the European Supervisory Authorities - European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) - issued an opinion regarding the European Commission's rejection of the proposed Implementing Technical Standard (ITS) for the "register of information" under the Digital Operational Resilience Act (DORA).
The commission believes that financial entities should have the freedom to choose how ICT third-party service providers are identified in the register, either by using the Legal Entity Identifier (LEI) or the European Unique Identifier (EUID). The EUID is widely accepted as an identifier for legal entities across the European Union and can be obtained free of charge. However, the LEI is primarily used for financial entities and less for ICT service providers. The commission suggests that the ‘register of information’ under DORA can use either the EUID or the LEI, based on the principle of proportionality.
The ESAs disagree with the inclusion of the EUID as an additional identifier in the ‘register of information’. They believe that it would add unnecessary complexity for financial entities and competent authorities. Allowing the use of EUID would create unforeseen implementation and maintenance challenges for financial entities and make it more difficult to verify information provided to competent authorities and the ESAs. It would also complicate the identification of critical ICT third-party service providers in the EU.
If the European Commission does not follow the advice of the ESAs, they propose the addition of three new fields to the reporting requirements:
- 'Name of the ICT third-party service provider in Latin alphabet'
- 'Additional identification code of ICT third-party service provider',
- 'Type of the additional identification code'.
The LEI should be used as the primary identifier whenever possible.
The ESAs urge the commission to swiftly adopt the DRAFT ITS and advise financial entities to increase their implementation efforts to ensure they can submit their ‘register of information’ by the first half of 2025.
