News

Navigating DORA Compliance: Reporting ICT Third-Party Contracts to DNB by April 23, 2025

Logo LinesWave
Navigating DORA Compliance: Reporting ICT Third-Party Contracts to DNB by April 23, 2025

As of January 17, 2025, the Digital Operational Resilience Act (DORA) mandates that financial institutions maintain a comprehensive register of all contractual agreements involving ICT services provided by third-party providers. This requirement, outlined in Article 28(3) of DORA, aims to enhance transparency and oversight in the financial sector’s reliance on external ICT services.

Key Reporting Deadline: April 23, 2025

Financial institutions under the supervision of De Nederlandsche Bank (DNB) are required to submit their registers of information by April 23, 2025. The reporting request became accessible from April 1, 2025, through the MyDNB portal via the Reporting Service. Institutions must report their information register as an xBRL-CSV file with a table-oriented layout. For those unable to implement the xBRL-CSV standard on time, an alternative delivery method is available this year in the form of a standardized Excel template. DNB will convert the Excel template to the xBRL-CSV standard upon submission. However, the responsibility for the accuracy and completeness of the reported information remains with the financial institutions themselves at all times.

Purpose of the Register

The register serves multiple functions:

  • Internal Risk Management: Helps institutions monitor and manage ICT third-party risks.
  • Regulatory Oversight: Provides competent authorities with the necessary information to supervise the management of ICT third-party risks.
  • Critical Provider Designation: Assists the European Supervisory Authorities (ESAs) in identifying and designating critical ICT third-party service providers, who will then be subject to their oversight.

Reporting Requirements

Financial institutions must include the following information in their registers:

  • Contractual Details: Information on all agreements with ICT third-party service providers, distinguishing between those supporting critical or important functions and those that do not.
  • Service Categories: Details on the categories of ICT services and functions being provided.
  • Provider Information: Data on the ICT third-party service providers, including their legal entity identifiers (LEIs).
  • Contractual Terms: Information on the terms and conditions of the agreements, including termination clauses and applicable legislation.

Next Steps for Financial Institutions

To ensure compliance with DORA, financial institutions should:

  1. Review Existing Contracts: Assess all current ICT third-party agreements to ensure they are accurately reflected in the register.
  2. Utilize Available Templates: Download and complete the standardized Excel template provided by DNB, if necessary.
  3. Submit on Time: Ensure the completed register is submitted by the April 23, 2025 deadline.
  4. Maintain Accuracy: Regularly update the register to reflect any new or terminated agreements, ensuring ongoing compliance.

By adhering to these steps, financial institutions can effectively manage their ICT third-party risks and comply with DORA’s requirements.

Enhance Your Reporting Efficiency with Anove AI

Looking to streamline your DORA reporting process? Discover Anove AI, a cutting-edge platform designed to simplify and automate the management of third-party ICT agreements. With Anove AI, you can efficiently compile, validate, and submit your information register, ensuring compliance with DORA’s stringent requirements. Start your free trial today and experience the future of regulatory reporting.

Cookie preferences