On the 15th of October 2024, the ESAs published their opinion on the rejection, on 03/09/2024, of the ROI ITS. The rejection was based on the envisaged mandatory use of the LEI to identify ICT third-party service providers under Article 3(5) and (6) of the draft ITS.
KPMG’s Risk Consulting Partner and DORA Co-Lead Jackie Hennessy and the Risk Consulting team have reviewed the publication and have summarised the key messages.
Rationale for the rejection
The European Commission considered it necessary to give financial entities the choice of identifying their EU-registered ICT third-party service providers via either the LEI or the European Unique Identifier (EUID), because for most EU-registered companies the EUID is already attributed to the relevant legal entity free of charge.
The European Commission has not changed the approach to identifiers for financial entities or for ICT third-party service providers registered in third countries: in both cases only the LEI may be used, as proposed by the ESAs.
What is the impact?
The ESAs see the changes (use of both LEI and EUID) as impactful for the implementation of DORA. Introducing the EUID as an identifier for ICT third-party service providers within the registers of information would require previously unplanned implementation and maintenance efforts and costs for financial entities.
Should the European Commission proceed with its proposal and introduce the EUID alongside the LEI in the final ITS, additional changes to the text of the ITS and data fields will be necessary for the operationalisation of the use of the EUID, including for the purposes of designation of the critical ICT third-party service providers.
What are the ESAs suggesting?
The ESAs suggest clarifying the proposed framework for the co-existence of the two identifiers by giving priority to the LEI in cases where both identifiers are available to the financial entity.
Additionally, the ESAs suggest adding three new fields to the existing fields in the Annex to the ITS: ‘Name of the ICT third-party service provider in Latin alphabet’, ‘Additional identification code of ICT third-party service provider’ and ‘Type of the additional identification code’.
What is the rationale behind the other proposed changes?
- Ensure as much consistency as possible with the data modelling and reporting already in place for those types of financial entities under DORA that also fall under sectoral prudential regulation (prudential reporting).
- Reflect the practical feedback received from the dry run exercise. These changes mostly concern the reporting instructions, with a view to making them easier for financial entities to understand through additional clarifications or simplifications.
- Reinstate important provisions clarifying some requirements. In particular, Recital 7 has been redrafted to avoid misinterpretation of its initial meaning.