
DORA Register of Information – The Final Stretch
There are now just over 20 working days before financial entities in scope of DORA will need to submit their first Register of Information (“RoI”). While there are still a number of matters under discussion by the European Supervisory Authorities (“ESAs”), an updated FAQ on the reporting of registers of information under DORA was released earlier this month.
Key Updates to the FAQ
While there are a significant number of updates compared to the FAQ from July 2024, overall financial entities should be pleased to note that the majority of questions removed relate to the Dry-Run Exercise conducted during Q3 2024, while many of the questions added are responses to those queries previously addressed by the ESAs in their joint Q&As.
That being said, some of the key points to note from the latest FAQ are summarised below:
- Entity Type: Many entities offer a broad range of services meaning they could be considered as more than one financial entity type. As only one entity type can be linked to an LEI code, financial entities are encouraged to liaise with their regulator, or Supervision Team where relevant, to determine the most appropriate entity type to use.
- Treatment of Branches: All EU-domiciled financial entities, alongside their EU-domiciled branches, should be included in the RoI. Any non-EU domiciled subsidiaries and branches may be excluded from the reporting.
- Non-EU Parent Entities: Where the parent of a financial entity is non-EU domiciled, the financial entity should complete the RoI on a stand-alone basis. However, if any non-EU domiciled entities within the group, including the parent entity, provide ICT services to the reporting entity, they should be treated as an intra-group service provider.
What remains under discussion?
Some of the key matters which are still under discussion, and which may impact the ability of certain firms to complete the RoI are as follows:
- Payment Processing Activities: Guidance was recently issued on how to differentiate financial services from ICT services (see our recent article: DORA Compliance: What is an ICT Service?). However, the question remains as to whether external services, such as those provided by VISA and Mastercard, should be considered ICT Services.
- Non-EU AIFMs: Non-EU AIFMs that manage and/or market AIFs in the EU may also be in scope for DORA, subject to the proportionality principle. For any AIFM who is uncertain of the applicability of DORA to their entity, we would encourage them to contact their usual Arthur Cox contact, or any member of the Arthur Cox Asset Management and Investment Funds group, as soon as possible.
- Sub-Contracting of ICT Services: The Regulatory Technical Standards on subcontracting ICT services supporting critical or important ICT functions are yet to be finalised with an updated version expected to be published during March 2025.
Key Dates for the Register
Financial entities will need to submit their first RoI containing the 105 prescribed data points for each contract with an ICT Service Provider during the first week of April. The reference date for the first RoI is 31 March 2025, which means that financial entities will need to pay particular attention to any changes which have occurred during the data gathering process, particularly around the identification or appointment of additional sub-contractors, that may need to be re-confirmed with the ICT Service Providers.
Going forward, the reference date of the RoI will be set to 31 December of the preceding year.
Next Steps
For those financial entities regulated by the Central Bank of Ireland, further guidance on how to submit the RoI through the Portal will be made available in March; no exact date has been confirmed. Other regulators, including the Pensions Authority, have yet to confirm when they expect to release similar guidance.
The Central Bank of Ireland will shortly begin to upgrade the multi factor authentication (MFA) mechanisms which apply to the Portal, which will impact how users authenticate themselves. The Central Bank is encouraging users to pre-enrol with the new service to ensure a seamless transition and to avoid any undue delays when it comes to filing the RoI. More information on the MFA changes can be found on the Central Bank website.
How can we help?
Arthur Cox will continue to release updates and further guidance as and when more information becomes available on our DORA Homepage. We would encourage all financial entities to closely monitor developments in this space given the tight timeframes highlighted in this article.
For any specific queries or areas of concern, please do not hesitate to contact your usual Arthur Cox contact(s), or any member of the Governance and Consulting Services or Technology and Innovation teams to discuss how we can help you.
The authors would like to thank Jennifer Floyd for her contribution to this article.