Financial Entities in the EU: Time to Register Your ICT Third-Party Service Providers under DORA

The European Union’s (“EU”) Digital Operational Resilience Act (“DORA”) became effective on 17 January 2025. Since then, financial entities (such as banks, insurance companies and investment firms) and their ICT third-party service providers operating in the EU have been – directly or indirectly – subject to the new regime. One of the first key DORA compliance deadlines, for financial entities to register their ICT service providers with competent EU Member State authorities, is coming into effect across most of the member states this month.

What is DORA?

DORA introduces a number of new and reinforced cybersecurity obligations on financial entities when engaging the services of ICT third-party service providers – which are broadly defined in DORA and include cloud, data centre, hardware, telecom, analytics, IT consulting, and software providers. The aim of DORA is to address and manage risk in the financial sector emanating from outsourcing ICT services to external or internal ICT service providers. DORA targets digital operational disruption risk that could impact the stability of EU financial markets or infrastructure when a financial institution’s ICT service providers or their products are impacted by a security incident or other disruption (see our previous Data Matters Blog, here).

What is the Register of Information Requirement?

Importantly, under DORA, financial entities must compile and submit to their competent EU Member State financial services authority a Register of Information that contains details on their third-party ICT service providers and the related contracts (“Register”). The exact deadlines vary by EU Member State; however, most EU Member State financial services authorities have set the deadlines for such reporting at early to mid-April 2025.

Why Is It Relevant?

Ultimately, these Registers will be used by the authorities in the context of DORA enforcement and, at EU level, by the European Supervisory Authorities for the identification and designation of the so-called “critical” ICT third-party service providers. ICT service providers are deemed “critical” if any disruption they face could have a substantial or systemic impact on EU financial infrastructure. Critical ICT third-party service providers are directly subject to more stringent DORA regulatory requirements by virtue of a tailor-made regulatory framework (called the “Oversight Plan”) and a specific regulatory authority (called the “Lead Overseer”).

What Information Must be Provided in the Register?

The information that must be contained in the Register is detailed and, as provided in EU Commission Implementing Regulation (EU) 2024/2956 (see here), must contain, for each ICT service provider, among other details:

  • identification and details on the financial entity that is subject to DORA and is maintaining the register;
  • identification and details on the ICT service provider (including location and headquarters, total expense or estimated cost under contract, ultimate parent company);
  • details about contracts with the ICT third-party service providers and which entities within the corporate group receive services;
  • details about the ICT service supply chain – i.e. a mapping of all direct ICT third-party service providers (those the financial entity contracts with), but also intra-group ICT service providers and, importantly, the subcontractors of the ICT service provider; and
  • details about assessments of ICT services performed where such services support a critical or important function in the financial entity (including identification of alternative providers, impact of discontinuation of the services, exit plans, etc.).

Due to the high level of detail and information required, these requirements pose a significant administrative burden for financial entities as well as for the ICT service providers who contract with EU financial entities, as the latter will be requested by their financial-entity customers to map their own ICT service supply chain for DORA reporting. An added complexity is that there is currently no guidance or market standard as to how far down the ICT supply chain the reports must reach.

Examples of EU Member State Deadlines

The deadlines to submit the Register vary from one EU Member State to another, but examples of deadlines in EU Member States include:

  • 31 March 2025: Austria, to the Financial Market Authority (see here)
  • 4 April 2025: Ireland, to the Central Bank of Ireland (see here)
  • 10 April 2025: Belgium, to the Financial Services and Markets Authority (see here)
  • 15 April 2025: Luxembourg, to the Commission de Surveillance du Secteur Financier (see here)
  • 22 April 2025: Spain, to the Comisión Nacional del Mercado de Valores (see here)

Financial entities that have not yet submitted their Register to their competent EU Member State authorities should take steps to prepare their Register and verify the deadlines applicable to them.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.