Areas of action in connection with the DORA Register of Information

By Hussam Greg
Published on Feb 1, 2024

On January 17, 2024, the three European Supervisory Authorities (ESAs: EBA, ESMA and EIOPA) published the final draft of the Implementing Technical Standards on the Register of Information. Once the European Commission has formally adopted it, filling out, maintaining and reporting the Register of Information becomes mandatory for financial entities within the scope of DORA (Regulation (EU) 2022/2554).

Background and Purpose of the Register of Information:

Article 28(3) of Regulation (EU) 2022/2554 (DORA) requires financial institutions (FIs), as part of their ICT risk management framework, to maintain and update a register of information at entity, sub-consolidated and consolidated level covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers. In addition, FIs must make the register available to the competent authorities on request, together with any information needed for effective supervision of the FI and for understanding its ICT dependencies, which in turn feeds the oversight framework for critical ICT third-party service providers. The Register of Information was designed to meet these requirements; it consists of 15 templates with over 100 attributes and serves the following purposes:

a. Capturing the minimal and necessary information on contractual arrangements and assessing the associated risks for financial institutions.

b. Documenting the entire supply chain (outsourcing chain) for ICT services, focusing on subcontractors of ICT services that support a critical or important function or essential parts thereof.

c. Uniquely identifying ICT service providers and consistently assigning them to the receiving FIs to enable efficient aggregation of relevant information.

d. Identifying the critical or important functions supported by ICT service providers, which requires the following steps:
i. FIs identify all their operational and business functions. In practice this means documenting their business processes in a current and consistent form and assigning ICT services and outsourcings to them.
ii. FIs determine which functions are critical or important according to their internal assessment and the definition in Article 3(22) of DORA; the definition is integrated into the risk analysis, and the criticality or importance of the outsourced function is assessed at the latest during that risk analysis.
iii. FIs identify all outsourced ICT services, not only those that support critical or important functions or essential parts thereof.
iv. FIs identify and document their internal and external ICT services.

e. Reporting this information to the competent authorities.

The Register of Information - A Challenge in Outsourcing Management:

Outsourcing management already carries numerous data management and reporting requirements. Institutions supervised by BaFin or the ECB must maintain outsourcing registers in different formats to meet the reporting requirements of BaFin's MVP portal or the ECB's IMAS portal. Now a further register must be created and maintained whose content differs from the familiar outsourcing registers, so an institution ends up maintaining at least two registers (the outsourcing register according to MVP or IMAS, and the Register of Information), which means additional effort. Simply extending the existing outsourcing register with the additional fields of the new register is not always practical, because the supervisory authorities often expect different content for the same field in the two registers (for example the type of company or the service categories).

New Requirements for Data Management in Outsourcing Management:

Selected requirements from the final draft of the Register of Information are examined more closely below:

RT.01.02 — List of entities within the scope of the register of information:

Institutions must maintain a Register of Information that covers all ICT services, whether the service provider sits inside or outside the supervisory consolidation group, and must reflect the structure of the supervisory consolidation group (group structure) in the register.

RT.05.02: ICT service supply chains:

The authorities expect a complete mapping of the entire outsourcing chain for every ICT service that supports a critical or important function, which underlines the weight given to sub-outsourcing and to concentration risks along the outsourcing chain.

RT.06.01: Functions identification:

In addition to general attributes of the outsourced function and of the service recipient, recovery objectives such as RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are required; these must be determined for the affected functions as part of Business Continuity Management (BCM).
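The two requirements above (RT.05.02: a gap-free subcontractor chain for every ICT service that supports a critical or important function; RT.06.01: RTO and RPO for those functions) can be expressed as mechanical checks over the register data. The following is an added example, not code from the original article and not the ESA templates: it uses a deliberately simplified, hypothetical data model whose field names (`provider_id`, `subcontractors` as `(rank, provider)` pairs, `rto_hours`, `rpo_hours`) are assumptions, and the register entries are constructed for illustration. Beyond the two checks, it also derives the concentration view along the chain, i.e. which providers, direct or subcontracted, a critical or important function ultimately depends on.

```python
"""Consistency checks over a hypothetical register of information.

Added example, not part of the original article and not the ESA ITS templates.
Field names and the identifier scheme are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Function:
    function_id: str
    name: str
    critical_or_important: bool       # outcome of the Article 3(22) assessment
    rto_hours: Optional[float] = None  # recovery time objective, set by BCM
    rpo_hours: Optional[float] = None  # recovery point objective, set by BCM


@dataclass
class Contract:
    contract_ref: str
    provider_id: str                   # direct ICT third-party provider (hypothetical id)
    supported_functions: list[str]
    # (rank, provider_id): rank 2 = subcontractor of the direct provider,
    # rank 3 = that subcontractor's subcontractor, and so on.
    subcontractors: list[tuple[int, str]] = field(default_factory=list)


def check_register(functions: list[Function], contracts: list[Contract]) -> list[str]:
    """Return human-readable findings; an empty list means no gaps were found."""
    by_id = {f.function_id: f for f in functions}
    findings: list[str] = []

    # RT.06.01-style check: every critical or important function needs RTO and RPO.
    for f in functions:
        if f.critical_or_important:
            if f.rto_hours is None:
                findings.append(f"{f.function_id}: critical or important function without RTO")
            if f.rpo_hours is None:
                findings.append(f"{f.function_id}: critical or important function without RPO")

    # RT.05.02-style check: a contiguous subcontractor chain (ranks 2..n without
    # gaps) for every service that supports a critical or important function.
    for c in contracts:
        for fid in c.supported_functions:
            if fid not in by_id:
                findings.append(f"{c.contract_ref}: supports unknown function {fid}")
        supports_critical = any(
            by_id[fid].critical_or_important for fid in c.supported_functions if fid in by_id
        )
        if not supports_critical:
            continue  # chain documentation is only mandatory for these services
        ranks = sorted(rank for rank, _ in c.subcontractors)
        if ranks != list(range(2, 2 + len(ranks))):
            findings.append(f"{c.contract_ref}: subcontractor ranks {ranks} are not contiguous from 2")
    return findings


def concentration(functions: list[Function], contracts: list[Contract]) -> dict[str, list[str]]:
    """Map every provider that appears anywhere in a chain to the critical or
    important functions depending on it, directly or through subcontracting."""
    by_id = {f.function_id: f for f in functions}
    deps: dict[str, set[str]] = defaultdict(set)
    for c in contracts:
        crit = {fid for fid in c.supported_functions
                if fid in by_id and by_id[fid].critical_or_important}
        if not crit:
            continue
        deps[c.provider_id] |= crit
        for _, sub in c.subcontractors:
            deps[sub] |= crit
    return {provider: sorted(fids) for provider, fids in sorted(deps.items())}


# Constructed sample register (not real entities or contracts).
FUNCTIONS = [
    Function("F1", "Payment processing", True, rto_hours=4, rpo_hours=1),
    Function("F2", "Customer onboarding", True, rto_hours=None, rpo_hours=24),  # RTO missing
    Function("F3", "Marketing analytics", False),
]
CONTRACTS = [
    Contract("C-001", "PROV-CLOUD-A", ["F1"], [(2, "PROV-DC-X"), (3, "PROV-NET-Y")]),
    Contract("C-002", "PROV-SAAS-B", ["F2"], [(3, "PROV-DC-X")]),   # rank 2 undocumented
    Contract("C-003", "PROV-ADS-C", ["F3"]),                          # non-critical, no chain needed
    Contract("C-004", "PROV-CLOUD-A", ["F2", "F9"]),                  # F9 is not in the function list
]

if __name__ == "__main__":
    for finding in check_register(FUNCTIONS, CONTRACTS):
        print("FINDING:", finding)
    for provider, fids in concentration(FUNCTIONS, CONTRACTS).items():
        print(f"{provider} underpins {len(fids)} critical/important function(s): {fids}")
```

On the sample data the checks flag the missing RTO, the gap at rank 2 in contract C-002, and the function reference that has no counterpart in the function list; the concentration view shows that the subcontractor PROV-DC-X, which never appears as a direct provider, nevertheless underpins both critical functions through two different contracts, which is exactly the kind of dependency RT.05.02 is meant to surface.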

Summary & Outlook:
  • The Register of Information introduces further new requirements and marks a new stage of data management in outsourcing management for financial institutions of all sizes.
  • Building and maintaining the Register of Information will significantly increase the effort spent on outsourcing management.
  • Without a suitable technical solution, neither compliance nor efficiency can be ensured.
