ESAs raise concerns over EC’s dual identifier proposal for vendors in DORA

The European Supervisory Authorities — European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) — issued an Opinion on the European Commission’s (EC) rejection of the draft Implementing Technical Standards (ITS) on the registers of information under the Digital Operational Resilience Act (DORA).

The ESAs raise concerns over the impacts and practicalities of the proposed EC changes to the draft ITS on the registers of information in relation to financial entities’ contractual arrangements with ICT third-party service providers.

The draft ITS proposed by the ESAs were rejected by the EC on the grounds that it is necessary to allow financial entities the choice of identifying their ICT third-party service providers registered in the EU either by using the Legal Entity Identifier (LEI) or by using the European Unique Identifier (EUID).

In the ESAs’ view, the EC’s proposal of adding an additional identifier, allowing EU-based companies to use the EUID, will cause unnecessary complexity and could have negative impacts on the implementation of DORA by financial entities, competent authorities and the ESAs.

The ESAs note that, although the EUID is available free of charge to EU-registered companies, its introduction in the registers of information would entail unforeseen implementation and maintenance efforts for the financial entities.

In particular, it would limit the access to and the possibility for verification of the information by the financial entities and competent authorities. This would lead to a potential increase in the overall reporting burden for financial entities in the context of DORA. In addition, the coexistence of two identifiers could bring additional complexity that would negatively impact the quality of data used, and risk delays in the designation of critical ICT third-party service providers (CTPPs) by the ESAs.

If the EC decides to proceed with the introduction of the EUID, despite the above concerns, additional changes to the draft ITS will be necessary. The Opinion indicates how the draft ITS should be adapted further to cater for the use of the EUID. Without these changes, the ITS could not be practically applied for a proper identification of the ICT third-party service providers, which would negatively impact the designation of CTPPs.

The ESAs also note that in the case of co-existence of both LEI and EUID, the financial entities should be given the preference for using LEI, especially where both identifiers are available to them, and for the case of groups, it is important to ensure homogeneity in the registered identification codes for all ICT third-party service providers.

The ESAs also suggest in their Opinion further changes to the draft ITS, reflecting the practical feedback received from financial entities participating in the voluntary dry run exercise on reporting of registers of information.

The ESAs call for the final decision on the use of identifiers and the swift adoption of the draft ITS by the EC. This is particularly relevant for the ESAs, who will be designating CTPPs in 2025. Finally, leveraging on the experience of the dry run exercise, the ESAs call financial entities to increase their implementation efforts in order to be ready to submit their registers of information to the competent authorities in the first half of 2025.

Read the full opinion

Related Posts

Previous Post
Clearstream’s digital securities platform D7 reaches €10 billion milestone
Next Post
S&P Global: European IPO activity plummets in Q3 but Q4 upturn expected

Fill out this field
Fill out this field
Please enter a valid email address.

X

Reset password

Create an account