One of the key instruments required by the Digital Operational Resilience Act (DORA) is an effective information register. It is intended to ensure that financial service providers maintain an overview of existing dependencies on third party providers. What seems comparatively trivial is actually one of the higher hurdles on the road to compliance, which must be achieved by January 2025. There are tools for this – but their quality has yet to be proven.
DORA focuses on dealing appropriately with the financial sector’s increasing dependence on third-party providers. The aim is to maintain operational stability in the event of a serious disruption. The prerequisite for this is obvious: a bank must have a comprehensive and up-to-date picture of its third-party providers and keep an eye on the contractual relationships.
Therefore, a core requirement and an essential part of ICT third party risk management under DORA is the establishment and maintenance of the information register, “(…) which relates to all contractual agreements on the use of ICT services provided by ICT third party service providers (…)”. In future, every financial company must maintain such a register – a pure outsourcing register in accordance with the EBA and EIOPA guidelines is not sufficient in terms of its information content. And this is by no means a subordinate regulation: European (EBA, EIOPA and ESMA) and national supervisors (BaFin, FMA) have repeatedly made it clear in their hearings and publications that they will not “cut any corners” with regard to the deadline for the information register.
Fewer and fewer providers, ever higher concentration risks
An information register contributes significantly to the core ideas of DORA. European and national financial market supervisory authorities are aware of the high level of outsourcing of ICT services to third parties – the outsourcing rate and dependency of financial companies are correspondingly high.
The fact is that fewer and fewer service providers are able to meet the supervisory and regulatory requirements that apply to them indirectly. This inevitably reduces the number of providers that banks and insurance companies can fall back on. At the same time, more and more financial companies are also using the public cloud environments of US hyperscalers such as AWS, GCP and Microsoft Azure for critical applications and data, which creates a high degree of concentration risk. If operational disruptions occur in a company’s ICT services, or if a company is successfully attacked from outside and its data and systems are corrupted, the high level of dependencies increases the risk of contagion: such incidents multiply, and an isolated incident becomes a systemic threat.
In order to manage these risks, the information register in question must document all contractual agreements relating to the use of ICT services provided by third party ICT service providers. And financial companies must be able to make it available to the supervisory authorities at any time, in whole or in part, to enable the latter to understand the company’s ICT-related dependencies.
Simple requirement, highly complex implementation
The supervisory authorities provide an Implementing Technical Standard (ITS) for implementation. It provides standardized templates for recording with 15 (!) spreadsheets, which are linked to each other through various specific keys, and around 100 (!) associated attributes/data fields. In this way, information related to the ICT third party service providers commissioned by the financial companies can be recorded and permanently maintained. The associated data records are significantly more extensive than those of the outsourcing and hive-off registers in accordance with the EBA and EIOPA guidelines, and more data points are requested per data record. Contract information must remain available for up to five years after termination of the contract.
The challenge in practical implementation initially lies in the complexity of the ICT third party service provider contracts to be recorded in the register. DORA uses a much broader definition of “ICT” than has been common practice to date. Under DORA, it no longer matters whether outsourcing or spin-off is involved; the new leading generic term is “ICT third party service”, which means that the sheer number of contracts to be recorded increases many times over.
The requirement to record third party ICT contracts in the register at company (parent company), sub-consolidated and consolidated (subsidiary) level provides even more depth of information. If the ICT service supports an “important” or “critical” function in the company, the ICT service chains resulting from the subcontractors must also be shown in the information register. The aim is to be able to identify, document and monitor the associated risks.
However, practice currently shows that only the commissioned ICT third party service provider, as the main contractor, can provide all relevant information on the entire ICT sub-service provider chain; at present, these service providers often lack the necessary understanding and knowledge.
Audit-proof record keeping as a stumbling block for simple tables
The practical implementation of the information register on the basis of spreadsheets, for example with MS Excel, is not promising for reasons of complexity alone. In addition, against the background of the requirements, comprehensive history and log management is required in order to establish the necessary audit-proof record keeping (every change traceable to who made it, when, and what the previous value was). This last aspect in particular suggests that the supervisory authorities will no longer consider implementation via spreadsheets to be viable in the long term.
Practical options for approval processes and reporting are also important for efficient processes at financial service providers when it comes to handling contracts. Against this backdrop, many banks are using the current process of introducing the register to select a tool for ICT third party risk management, which can also be used to manage the corresponding ICT third party service provider contracts and to analyze and monitor the associated risks. Experience shows that the most comprehensive approach possible, as pursued by tools such as CloudGate, promises more success than individual tools for individual requirements such as the information register.
It will be interesting to see what findings emerge from the voluntary test runs for the information register, which were carried out by BaFin and the FMA until early fall 2024. The supervisory authorities will provide feedback, for example on the current quality of the data stored in the register,