The three European financial sector supervisory authorities--European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (Eiopa) and the European Securities and Markets Authority (Esma)--collectively expressed their concerns following the European Commission’s rejection of the draft implementing technical standards (ITS) concerning the registers of information under the digital operational resilience act (Dora). In a press statement on Tuesday 15 October 2024, the ESAs highlighted the implications of the EC’s proposed amendments to the ITS, particularly concerning financial entities’ contractual arrangements with Information and Communications Technology (ICT) third-party service providers.

The ESAs submitted their draft ITS to the EC on 17 January 2024, which it on 3 September 2024, stating that it was necessary to grant financial entities the option to identify their ICT third-party service providers registered in the EU using either the legal entity identifier (LEI) or the European unique identifier (EUID). The ESAs asserted that the introduction of the EUID “will cause unnecessary complexity and could have negative impacts on the implementation of Dora by financial entities, competent authorities and the ESAs”.

While acknowledging that the EUID is available at no cost to EU-registered companies, the ESAs argued that its incorporation into the registers of information would likely lead to unforeseen implementation and maintenance burdens for financial entities. They warned that this dual identifier system could complicate the verification process and limit access to crucial information for both financial entities and competent authorities. Consequently, the ESAs suggested that this situation could exacerbate the overall reporting obligations under Dora.

Moreover, the ESAs expressed concerns that having two identifiers might diminish data quality and potentially delay the identification of critical ICT third-party service providers. If the commission opted to move forward with the EUID, the ESAs indicated that further adjustments to the draft ITS would be essential to accommodate this identifier effectively. Without such modifications, the ITS would be impractical for identifying ICT third-party service providers, adversely affecting the timely designation of critical ICT third-party service providers. Essentially, the ESAs indicated that without a timely agreement, the planned Dora implementation on 17 January 2025 could be delayed.

The ESAs recommended that if both the LEI and EUID coexisted, financial entities should have a preference for using the LEI, particularly when both identifiers are available. Additionally, for groups of companies, ensuring consistency in the registered identification codes for all ICT third-party service providers was deemed crucial.

In their opinion, the ESAs proposed further changes to the draft ITS, reflecting feedback received during a voluntary exercise on the reporting of registers of information, which aimed to enhance the reporting process for financial entities. They urged the EC to swiftly adopt the draft ITS and make a final decision regarding the identifiers. This urgency was emphasised, as the ESAs planned to designate critical ICT third-party service providers in 2025, making timely implementation vital.