DORA Needs No Introduction
If you are reading this text, you definitely know what the Digital Operational Resilience Act (DORA) is, and most probably you also know that your company is subject to DORA requirements.
The Register of Information is one of the DORA requirements. It is a structured report that regulated financial entities must create and maintain, covering all their third-party ICT service providers, critical dependencies, and the relevant contracts that might impact their operational resilience.
The purpose of the Register of Information is to ensure transparency, risk management, and oversight regarding the ICT services on which financial institutions rely.
The Register of Information is a tool for financial regulators to maintain visibility over their licensees' third-party relationships. By centralizing this information, regulators gain a complete picture of market participants' operational resilience and of the risks arising from digital dependencies and possible ICT disruptions.
Key Aspects of the DORA Information Register
Third-Party Service Providers:
The register must list all ICT service providers that deliver recurring ICT services to the financial institution, such as but not limited to cloud computing, cybersecurity services, data storage, and system maintenance.
Contractual Details:
Institutions must document the key elements of contracts with third-party ICT providers. This includes the scope of services, service-level agreements (SLAs), data security requirements, and any clauses related to incident reporting or termination rights.
ICT Dependencies Critical for Licensed Businesses:
The register must identify third-party ICT service providers that are critical to the institution's operational continuity. These are services that, if disrupted, could have a significant impact on the institution's ability to deliver financial services or meet regulatory obligations.
Risk Management:
The Register of Information supports risk management by providing a clear overview of external dependencies. It helps institutions assess potential risks related to outsourcing, such as concentration risk (reliance on a single provider) or operational risk (due to service outages).
Regulatory Reporting:
The Register of Information must be kept up to date and made available to regulators (like CSSF in Luxembourg or equivalent national supervisors). This enables regulators to monitor how financial institutions are managing third-party ICT risks.
Review and Maintenance:
The register must be reviewed regularly, especially as new contracts are signed, services change, or risk profiles evolve. This ensures that the institution’s oversight of its ICT providers remains current and aligned with DORA’s regulatory requirements.
Not Just a New Report
There are many hidden pitfalls along the path of maintaining the Register of Information. The sooner you start preparing, the better your chances of being on time.
Of course, your staff can maintain the Register of Information by manually editing a sheet in MS Excel, but some of our clients would like to minimize the inevitable risk of human error, especially if they have to submit such Registers to several regulators in different countries.
Just don't forget that after 17 January 2025 it is no longer the responsibility of your IT team alone, because DORA explicitly places the ICT resilience of financial institutions at top-management level. So the DORA Register of Information is not just another report: it is a completely new approach to ensuring business resilience and mitigating the risks of dependency on third parties.
How MAQIT Helps
We have helped our clients become and remain compliant with ICT regulatory requirements in EU countries since 2015. The MAQIT Knowledge Base gathers the expertise of our team and the experience of our clients in the field of ICT regulation, including DORA.
MAQIT could help your company:
to understand critical business functions and their dependencies on ICT assets (both internal and outsourced)
to evaluate DORA compliance approach relevant to your business nature and size
to assess your DORA readiness by analyzing existing ICT governance and internal documents
to prepare a presentation of the required organizational changes for your supervisory board
to draft new / update existing policies, procedures and control plans
to collect, keep and update all the data needed for the Register of Information, and download it for submission to regulators (e.g. CSSF in Luxembourg, DNB in the Netherlands, etc.) using our RegTech platform Regulat.io.
Please contact us to arrange a call and discuss your company's DORA relevant needs and compliance risks.