This Implementing Regulation establishes standard templates and formats for maintaining registers of information about ICT third-party service providers by financial entities in the EU.
The regulation implements technical standards for documenting contractual arrangements between financial entities and their ICT service providers, as required by the Digital Operational Resilience Act (DORA). It establishes detailed requirements for recording information about service providers, contracts, services provided, and risk assessments.
The key structural elements include:
- Standard templates for recording information about financial entities, service providers, contractual arrangements, functions supported by ICT services, and risk assessments
- Detailed instructions for completing each template and data field
- Requirements for maintaining data quality and consistency
- Rules for identifying and documenting ICT service supply chains and subcontractors
The main provisions require financial entities to:
- Maintain detailed records of all ICT service providers and contractual arrangements
- Document the criticality and importance of ICT services
- Assess and record risks related to ICT service providers
- Use standardized identifiers and codes for consistent reporting
- Ensure accuracy and regular updates of the information
- Follow specific data formats and validation rules
The regulation includes extensive annexes with detailed templates, instructions, and reference data to ensure standardized implementation across the EU financial sector.