The European Supervisory Authorities — European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) — published a summary report with the key findings from the 2024 Dry Run exercise on reporting the registers of information under the Digital Operational Resilience Act (DORA).
With DORA becoming applicable on 17 January 2025, financial entities in its scope need to have a comprehensive register of their contractual arrangements with ICT third-party service providers available at entity, sub-consolidated and consolidated levels.
The quality of data observed in the registers submitted by almost 1,000 financial entities across the EU was in line with the ESAs’ expectations, considering the ‘best effort’ nature of the exercise. Of the registers analyzed, 6.5% successfully passed all data quality checks, while 50% of the remaining registers failed less than 5 out of 116 data quality checks.
The ESAs are confident that the objective of having registers of sufficient quality in 2025 that would allow for the designation of critical third-party service providers (CTPPs) is not out of reach, subject to some additional efforts from the industry.
The key findings presented in the summary report and all supporting materials provided by the ESAs should be carefully considered by all industry stakeholders, including those financial entities that did not participate in the Dry Run exercise, as they will help them to be better prepared to report the registers in 2025.
The individual data quality feedback provided to financial entities should help continue improving the quality of their data and ensure that the registers to be submitted in 2025 meet the regulatory requirements, are complete and provide all the necessary information for the designation of critical ICT third-party providers (CTPPs) by the ESAs.