Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&A's

Correct classification of services related to the 'reselling' of software provided in SaaS mode

With reference to the correct identification of the type of ICT services, taking into account the types contained in ANNEX III of Regulation (EU) 2024/2956, how should services related to the 'reselling' of software provided in SaaS mode be classified?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Register of Information Taxonomy reporting vs ITS on Register of Information

In the industry workshop of 18 of December 2024, which was a summary of Dry Run, it was stated that the reporting taxonomy provided shall be used for the reporting , while the current DORA 4.0 validation rules does not follow the instructions provided in the ROI ITS. We kindly ask you to confirm if the reporting shall follow the DORA 4.0 validation rules despite the mismatch with the ROI ITS. Differences between the law and the taxonomy: Requirement in Law Requirement in Taxonomy Additional question   B_01_01_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-2"     B_01_02_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-12"   B_02.03 does not include an extra column c0030 b_02.03 has a column c0030, that is required to be filled out What is the extra column used for? B_03.01 does not include an extra column c0030 b_03.01 has a column c0030, that is required to be filled out What is the extra column used for? B_03.03 does not include an extra column c0031 b_03.03 has a column c0031, that is required to be filled out What is the extra column used for? B_04.01 clarifies that column c0040 is only mandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030) B_04.01 column c0040 is mandatory. Which also requires at least 1 branch in B_01.03. What should be reported if a reporting entity does not have any branches? Should both B_01.03 and B_04.01 be empty. Or? B_05.01 c0030 & c0040 is optional B_05.01 c0030 & c0040 is required when c0070 = Legal person, excluding individual acting in a business capacity   B_05.01 c0110 is mandatory if the ICT-third party service provider is not the ultimate parent undertaking B_05_01_0110 is mandatory all the time according to the DPM   B_05.02 column c0060 & c0070 is mandatory, but not applicable for rank 1. An empty value should be reported if rank = 1  B_05.02 column c0060 & c0070 is always required. What should be reported in c0060 & c0070 if the rank = 1? B_01_01_0050 is mandatory in case of reporting B_01_01_0050 is always mandatory   B_01_01_0060 is mandatory in case of reporting B_01_01_0060 is always mandatory   B_01_02_0060 is mandatory B_01_02_0060 is optional in DPM   B_02_01_0030 is mandatory B_02_01_0030 is optional in DPM   B_02_02_0040 is mandatory B_02_02_0040 is optional in DPM   B_02_02_0130 is mandatory if the ICT service is supporting a critical or important function B_02_02_0130 is optional in DPM   B_02_02_0140 is mandatory if the ICT service is supporting a critical or important function B_02_02_0140 is optional in DPM   B_02.02.0150 is mandatory if Yes is reported in c0140 B_02.02.0150 is mandatory in DPM   B_02.02.0160 is mandatory if the ICT service is based on or foresees data processing B_02.02.0160 is mandatory in DPM   Additional to the question above: If changes will be made to the Taxonomy, when will these be made available? Do you foresee to apply changes to solve the aforementioned mismatch? If so, can you please share when this is expected to be done? If the current Taxonomy, DORA 4.0, must be followed for reporting, can we expect that all local authorities are required to accept the Register of Informations in the format aligned with the Taxonomy? We have experienced differences while doing a mock exercise to submit the reports to local authorities from the reporting technical package. To our knowledge, these discrepancies shall not exist and the national authorities to which entities have to report to are required to accept files that follow the reporting technical package. In this scenario, what actions can we expect to be taken?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Part 2 – Template specific instructions to template B_06.01

Data point B_06.01.0050 is missing from the official ITS templates. Is this data point no longer applicable?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Regulatory technical standards - subcontracting ICT services supporting critical or important functions

Where and when was the Comission Delegated Regulation (EU) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554 oficially published? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

The scope of the regulation described in Article 6 mismatches what is presented as an option in the Annex I, Part 2 of the same regulation

Do financial entities must include non-financial entities within the same group in the Register of Information? If not, why is there an option to do so?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Applicability of Regulation (EU) 2022/2554 (DORA) to ICT services provided by financial entities.

Clarification is needed on whether financial institutions providing ICT services to other financial institutions – regardless of whether these services are ancillary to regulated financial activities – can be qualified as ICT third-party service providers under Regulation (EU) 2022/2554. If they are, must their contractual relationships comply with the mandatory provisions outlined in Article 30 of the mentioned Regulation or are these requirements inapplicable since such entities are already authorised/licenced/registered? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Template specific instructions – primary keys

How to report data fields in case of missing values?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_05.02.0060 (Identification code of the recipient of sub-contracted ICT services)

How to report data field B_05.02.0060 if the ICT third-party service provider is a direct provider (rank =1)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_05.01.0020 (Type of code to identify the ICT third-party service provider)

How to report type of identification code in data field B_05.01.0020 when using codes other than LEI or EUID?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_02.02.0160 (Location of management of the data)

How to report data field B_02.02.0160 where the ICT service is not based or does not foresee data processing?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_02.02.0130 (Country of the governing law of the contractual arrangement)

How to report field B_02.02.0150 where the ICT service is not related to storage of data (B_02.02.0140 = 'No')?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_02.02.0130 (Country of the governing law of the contractual arrangement)

How to report field B_02.02.0130 where the ICT service is not supporting a critical or important function considering that according to the data model this data field is a primary key?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions - field B_01.02.0060 (LEI of the direct parent undertaking of the financial entity)

What should be reported in case the financial entity does not have a direct parent undertaking (for example, is the parent undertaking itself) or reports the register on an individual basis?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Template specific instructions – field B_01.02.0050 (Hierarchy of the financial entity within the group)

What does ‘where applicable’ mean in the title of data field B_02.01.0050?  What should be reported in this field in case the entity that is being reported in this template is not a financial entity (i.e., option 22, 23, or 24 was selected in field B_01.02.0040 for the entity type)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Financial entities subject to supervisory mechanisms as ICT third-party service providers.

Should financial entities providing ICT services to other financial entities (even if these ICT services are ancillary to regulated financial services)  be considered as ICT third-party service providers under the Regulation (EU) 2022/2554 and, consequently, should their contractual arrangements for the use of relevant ICT services include the key contractual provisions set out in Article 30 of the DORA Regulation; or otherwise, does the fact that these entities are already authorised/licenced/registered mean that they should not be considered as ICT providers and, therefore, that their contractual arrangements do not need to contain the requirements set out in Article 30?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of DORA Regulation to sub-threshold AIFMs which have chosen to opt-in to the application of the AIFMD (Art. 3(4)), if the thresholds regarding AuM referred to under Article 3(2) of AIFMD are not exceeded

Are sub-threshold alternative investment fund managers (AIFMs) as referred to in Article 3(2) of Directive 2011/61/EU (“AIFMD”), which have chosen to opt-in to the application of the AIFMD according to Article 3(4) of that Directive, captured within the scope of application of Regulation (EU) 2022/2554 (“DORA”) under Articles 2(1)(k) and 2(3)(a) of DORA, if the thresholds regarding assets under management (“AuM”) referred to under Article 3(2) of AIFMD are not exceeded by such AIFM?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Are trust services under the scope of DORA, whatever the nature of the services

Financial institutions (EEFFs) subject to the DORA Regulation understand that Trust services, whatever they are, are “ICT services” and therefore their providers (Trust Service Providers / TSPs) are included in the scope of the DORA Regulation. However, these Trust services do not always constitute or are part of an essential or important function for the operation of such entities, but serve for auxiliary or internal functions of the entities.  Let's take the case of an electronic signature certificate used by a representative to sign contracts with suppliers or internal legal documents: is it essential for the continued operation of a bank, and would the suspension of the service significantly affect the authorized activity of the entity?  Another example: could the use of a platform that allows the remote management of electronic notifications sent to EEFFs by public administrations thanks to connectors that allow the entity to be identified with electronic certificates be considered essential for the EEFFs' operations? It is really a tool that facilitates the administrative procedures of the entity and is not part of the services it provides to its customers.    

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Scope for dependent financial intermediaries

The dependent financial intermediaries (agents), who acting on behalf of credit institutions, are covered by the DORA Regulation?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Scope of Register of Information for Contractual Arrangements on the use of ICT Services Provided by ICT Third-party Service Providers

According to Article 28(3) of DORA, must an EU parent bank, which has subsidiaries both within and outside the EU, maintain the register of information regarding all contractual arrangements for the use of ICT services only for subsidiaries that are subject to DORA (financial entities established in the EU), or does this requirement extend to subsidiaries established outside the EU for which DORA does not apply?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable