EBA Q&As Clarify Key Areas of DORA Application

August 12, 2025
New Q&As from the European Banking Authority (EBA) address the management of ICT third-party risks and obligations related to the Register of Information (RoI).

The guidance answers questions from industry stakeholders, including the Association for Financial Markets in Europe (AFME), on the scope of ICT subcontractors in the register, reporting timelines and exemptions for certain financial entities.

The updated information should benefit IT and compliance teams by clarifying their obligations and, in some cases, reducing the scope of their compliance obligations and allowing them to simplify their operations.

ICT subcontractors and the RoI

One of the clarifications set out by the EBA is that financial entities are not required to include ICT subcontractors of non-ICT third-party service providers in the RoI.

Recital 7 of the Implementing Technical Standards (ITS) suggested that financial entities should assess whether non-ICT providers rely on ICT services, and potentially reclassify them as ICT providers.

However, the EBA has clarified that this applies only if subcontracted ICT services directly underpin critical or important functions. Otherwise, ICT subcontractors remain outside the scope of DORA’s RoI obligations.

Financial entities must still comply with other applicable regulatory requirements, such as Guidelines, and if a subcontracted ICT service materially supports critical functions, DORA rules remain in place.

Overall, the clarification will be a relief for compliance teams, as it reduces compliance scope and simplifies financial entities’ operations. 

A change such as this means that firms can avoid tracing multiple subcontracting layers for low-risk suppliers, cutting administrative work and focusing resources on higher-risk ICT arrangements. 

It aligns with DORA’s proportionality principle, meaning that compliance efforts match actual risk exposure while maintaining oversight where it is necessary. 

Even the smallest firms must comply 

The EBA also responded to a question submitted by a national competent authority, clarifying that financial entities exempt under Article 16(1) of DORA, which excludes certain smaller entities from Articles 5 to 15, are not exempt from Article 28 requirements.

Article 28 mandates all financial entities to maintain and update a register of ICT third-party service providers, regardless of size or exemption status.

Nonetheless, the EBA emphasised proportionality in applying DORA’s risk management frameworks, noting that microenterprises or entities with simplified ICT risk frameworks may adopt less complex controls, reflecting their lower risk profile.

In practice, this means that exempt firms will need to implement at least a basic supplier register, keep it up to date and integrate it into their broader ICT third-party risk management processes, albeit with fewer procedural demands. 

This could still require additional work for smaller firms that previously assumed they would have no RoI obligation, but it gives supervisors a consistent dataset for identifying and assessing systemic ICT risk across all financial entities.

The impact of this clarification is that even the smallest DORA-regulated firms must maintain some sort of RoI, regardless of their exemption from other ICT risk management requirements under Articles 5 to 15 of the legal framework. 

This closes any potential interpretation gap that might have allowed exempt firms, such as microenterprises, to avoid recording their ICT third-party service arrangements entirely.

Reporting reference periods confirmed

Another Q&A addressed technical questions about the reporting reference period for the parameters.csv file used in the RoI submissions, which has mostly administrative relevance for firms.

The EBA confirmed that for 2025 reports, the reference date should be March 31, 2025. From 2026 onwards, this date will move to December 31 of the preceding year, aligning with the European Supervisory Authorities’ (ESAs) decision to standardise reporting timelines.

This clarification removes uncertainty over the reference date financial entities must use when preparing their DORA RoI submissions. 

The alignment with the ESAs’ standardised reporting timelines allows firms to integrate DORA reporting into existing year-end data collection processes, reducing duplication of work and easing coordination across different regulatory reports. 

It also provides clarity for IT and compliance teams preparing the parameters.csv file, ensuring consistency in submissions and avoiding the risk of rejection due to incorrect reference periods.
