There is still no detailed feedback from the European Banking Authority on the submitted registers of information. This means that no substantive analyses of the approx. 3,000 registers of information in Germany and approx. 30,000 registers of information in the EU have been communicated yet. Defaulting institutions have not yet been requested to submit or correct their registers.
From September 2025, the first DORA audits will begin at major institutions directly supervised by the European banking authority.
The register of information (referred to as “Inforegister”) is one of the “centerpieces” of DORA. It provides an overview of all information and communication technology (ICT) service providers of the reporting institution. The register must be submitted in an Excel format specified by the European supervisory authority. The current register of information and additional related resources can be found at the end of this article. With 105 data fields and 15 separate tabs, it is extensive. It covers the following six areas:
- Responsible and reporting entities
- Contract data
- Contractors and principals including any group linkages
- Provider data
- Functions/processes
- ICT services
Storing all ICT services in an Excel file is permitted. However, it must be submitted separately to the supervisory authority at the level of the entire group as well as its subsidiaries. For subsidiaries under partial control, a sub-consolidated register must also be submitted. This means that the supervisory authority requires each reporting entity to submit a separate register that takes into account the entities it controls.
The responsibility for creating, continuously updating, and submitting the register arises from DORA Article 28 (3). The information register must be submitted to the competent supervisory authority at least once a year. In Germany, this is done via BaFin’s reporting and publication platform (MVP). All relevant information for initial registration and further steps can be found on the corresponding website.
According to DORA Article 28 (9), the information register is detailed by a regulatory technical standard. This standard is 113 pages long and includes, among other things, the exact classification of the ICT services to be considered. The standard is currently in “draft” status, as the consultation phase is still ongoing and the official approval by the European Commission has not yet been granted. The end of the consultation phase has been postponed to September 2024.
A test run for the information register is currently underway, which began on May 31, 2024. The test is being conducted by the European Banking Authority (EBA). It officially concluded on October 31, 2024, with feedback provided to the participating institutions. On December 18, 2024, a report on the data quality of the information registers submitted during the test run will be presented. Registration for the workshop is possible until December 16, 2024, via the EBA website.
The European Authority announced on 15 November 2024 via a statement on its website that it expects the full submission of the registers of information by the competent authorities by 30 April 2025 at the latest.
It is the responsibility of the respective national authorities to request the registers of information from the reporting financial institutions in advance. The reporting is based on the specifications published by the European Banking Authority in January 2024. Experts therefore expect 31 March 2025 as the deadline for financial institutions to fully submit their registers of information.
The EU Commission stated that it rejects or is considering rejecting the technical regulatory standard for the register of information. Both formulations appear in the official statement. The main argument here concerns the unique identification of ICT service providers. The regulatory standard stipulates the use of the Legal Entity Identifier (LEI) for this purpose. According to the EU Commission, unique identification should also be possible using the European Unique Identifier (EUID). This is already the leading identifier for companies in some existing directives and is also freely available.