The Digital Operational Resilience Act (DORA) and the potential role of the LEI code: what we know so far


Discover the potential role of the LEI in the DORA and how it might contribute towards improving digital operational resilience in the financial sector.

The Digital Operational Resilience Act (DORA), introduced by EU Regulation 2022/2554, is one of the main European Union initiatives to strengthen digital operational resilience in the financial sector. The aim of the DORA is to mitigate the risks connected to information and communication technology (ICT) and the third-party providers that offer these services to financial entities (FEs).

One tool that may play an important role within the DORA is the Legal Entity Identifier (LEI), a code that unambiguously identifies legal entities and that could facilitate monitoring and supervision of contractual relationships between the FEs and the ICT service providers. However, it must be stressed that the use of the LEI code has not yet been confirmed, and it is being discussed as an option in the documents drawn up by ESMA, more specifically within the context of the draft technical standards for registration of information relating to contracts with third-party ICT service providers, pursuant to Article 28(9) of EU Regulation 2022/2554.

The current state of the DORA

The DORA aims to ensure that financial entities adopt a strategic and proactive approach to managing risks arising from external ICT services, thus strengthening security in the European financial sector. At the centre of the regulation is the requirement that FEs maintain and keep up to date a detailed information register documenting all contractual relationships with ICT service providers (Third-Party Providers or ICT TPPs). This register will provide the Competent Authorities (CAs) with a clear and constant view of the ICT dependency of FEs, allowing more precise, targeted supervision.

Among the options currently under discussion is that of adopting the LEI code as an unambiguous identifier of the entities involved in contracts with ICT providers, which would improve transparency and facilitate more efficient management of the operational risks associated with the use of these services. However, its implementation has not yet been confirmed.

The potential role of the LEI in the DORA

The Legal Entity Identifier (LEI) is already used in the financial sector to unambiguously identify legal entities, improving transparency in financial transactions. Within the context of the DORA, an LEI might be a useful means of identifying and monitoring ICT service providers and financial entities, allowing the information on contracts and the associated risks to be aggregated and managed in a standardised way.

This standardisation would be crucial to avoid duplication and reduce the burden of reporting for FEs. More specifically, the LEI might be used in the information register required by the DORA not only to identify the legal entities, but also to collect information on contractual relationships, both within the financial group (for example between subsidiary companies) and externally with third-party providers. This approach would make it easier for the authorities to analyse more precisely the data regarding the risks connected to using ICT services. However, as indicated by ESMA in its draft technical standards, the adoption of the LEI code has not yet been finalised.

Supervision of ICT risks

A central element of the DORA is the need to classify the critical or important functions that depend on external ICT service providers. FEs are required not only to identify their own operational and corporate functions, but also to assess which of these are supported by third-party providers. This process is essential to understand and mitigate the operational risks connected to the outsourcing of ICT services.

The regulations also envisage a principle of proportionality: the level of information that the FEs must indicate varies according to the complexity and number of providers involved. For example, an entity that uses many ICT providers will have to provide greater detail than one using only a few external services. Information on sub-contractors is also required, to allow the authorities to monitor the entire ICT supply chain.

Essentially, the DORA represents a significant step towards strengthening digital operational resilience in the European financial sector, with a particular focus on the management of risks connected to ICT service providers. Although the Legal Entity Identifier (LEI) may prove to be a valuable tool to guarantee greater transparency and uniformity in managing contractual relationships with ICT providers, its formal adoption is still under evaluation.

The European Supervisory Authorities (ESAs) have recently issued an opinion on the Implementing Technical Standards (ITS) for standard information register forms pursuant to Article 28(9) of EU Regulation 2022/2554 (DORA). The aim of this register is to improve ICT risk management by financial entities and to help the supervisory authorities monitor those risks. Although the ESAs have proposed compulsory use of the LEI (Legal Entity Identifier) to identify third-party ICT service providers, the European Commission has suggested that the use of both the LEI and the European Unified ID (EUID) be allowed. The ESAs have expressed reservations about this dual approach, stressing that it might increase the implementation effort and the complexity for financial entities.

Future regulatory decisions, such as those proposed by ESMA, will clarify whether and how the LEI will be integrated into the DORA operational framework. What is certain is that the attention given to digital security and ICT risk management will continue to be a central priority to guarantee the stability and resilience of the financial sector in an increasingly complex technological scenario.

