In a voluntary exercise involving nearly 1,000 submissions to check Dora regulation compliance, the European Supervisory Authorities found that only 6.5% of the registers passed all data checks, with missing required information being the most common issue. Photo: Shutterstock

The European Supervisory Authorities’ Dora preparedness “dry run” revealed that 93.5% of the 947 voluntary submissions contained at least one data error across 116 quality checks. Despite these issues, the ESAs concluded that most financial entities are on track to meet the 2025 deadline, though additional efforts will be required to achieve full Dora compliance.

As the 17 January 2025 deadline for the digital operational resilience act (Dora) approaches, the European Supervisory Authorities (ESAs)--comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (Eiopa) and the European Securities and Markets Authority (Esma)--on Tuesday 17 December 2024 published the key findings from their “dry run” exercise. This exercise, which took place from April to August 2024, tested the readiness of financial entities for Dora reporting and aimed to assess the quality of the data submitted by institutions in preparation for official reporting starting in 2025.

While the exercise identified areas for improvement, particularly in data quality, the ESAs confirmed that meeting the required standards for Dora compliance remains achievable.

Data quality

A total of 1,039 financial entities across the European Union participated in the dry run, including 57 from Luxembourg, with the reporting deadline set for 30 August 2024. These institutions were tasked with submitting their registers of information (Roi) detailing their contractual arrangements with ICT third-party service providers, a key component of Dora compliance. Of the 947 registers that passed the initial data integration checks, 6.5% met all 116 data quality requirements, while 50% of the remaining submissions failed fewer than five checks. In total, 93.5% of submissions (886 out of 947) exhibited at least one data quality issue.

The ESAs noted that the quality of the data submitted was in line with expectations, considering the voluntary nature of the exercise. However, the findings highlighted several common issues, particularly missing mandatory information, which accounted for 86% of the errors. Other frequent issues included the improper use of unique identifiers for both financial entities and their ICT third-party service providers, with the legal entity identifier (LEI) being the mandatory identifier for financial entities.

Among the different types of financial entities, credit institutions exhibited the lowest proportion of data quality issues, with only 1.9% of errors relative to the number of data points submitted. This was followed by investment firms (2.4%) and insurance and reinsurance undertakings (3.3%).

Registers of information

Dora requires financial entities to maintain a comprehensive register of their ICT third-party service providers. This register must be available at entity, sub-consolidated and consolidated levels. The Roi will serve multiple purposes: it will help financial entities monitor their ICT third-party risk, provide a tool for EU competent authorities to supervise the management of this risk and serve as the basis for the ESAs to designate critical ICT third-party service providers (CTPPs), who will be subject to ESA oversight.

As part of the compliance process, financial entities are required to report their Roi to the relevant competent authorities, which will then provide the data to the ESAs.

Next steps

While the dry run exercise has concluded, the ESAs stressed that ongoing preparations are crucial for meeting the 2025 reporting deadline. The feedback provided to financial entities during the exercise is expected to guide further improvements to the quality of their data. Entities will need to ensure that their Roi are complete, meet all regulatory requirements and contain the necessary information for the ESAs to designate critical third-party ICT providers. Meeting these standards will be vital for compliance with Dora when official reporting begins in January 2025.

The complete 28-page summary report is available.