
DORA Dry Run Summary Workshop - Final

ESAs workshop on DORA dry run lessons learnt and data quality


EBA Regular Use

ESAs workshop on DORA dry run lessons learnt and data quality
Wednesday, 18 December 2024, 10:00 – 13:00 CET
Online

Housekeeping

1. Go to slido.com, enter event code #DORA2024 and your full name and organisation (e.g. “Mario Rossi (EIOPA)”)
2. Submit written comments/questions through Slido and upvote questions of interest submitted by other participants.
3. If your question is very popular, we will read it during the meeting
• The moderator will not accept inputs which are offensive or are specific to one entity
• Inputs related to areas of DORA not covered during this event will be given a lower priority compared to those in scope
• We will try to archive all inputs

Please note that the meeting will be recorded on the basis of Article 29(1)(e) of Regulation (EU) 1094/2020. The recording will be published
afterwards on the websites of EBA, EIOPA and ESMA for the purpose of facilitating the implementation of DORA. If you do not wish to be recorded,
please send your question/s, if any, without stating your name.

Agenda

1. Opening remarks by Marc Andries, ESAs Director for DORA Joint Oversight
2. Overview of the dry run exercise
• Focus on data quality assurance process and key findings
3. Key lessons learnt from the dry run exercise
4. Preparations for official reporting of the registers of information in 2025
• Key changes in the requirements for the registers following the adoption of the ITS
5. Questions and answers

1. Opening remarks
Marc Andries, ESAs Director for DORA Joint Oversight


Objectives and key take-aways of the dry run exercise


To help financial entities and competent authorities with their preparations for establishing and reporting the
Registers of Information (on ICT outsourcing arrangements), the ESAs ran a dry-run exercise

High participation rate: 1,039 financial entities from most DORA entity types and from all EU Member States
Objectives of the exercise achieved!
• Participating FEs were provided with feedback on the data quality issues
• The ESAs provided tools, material, workshops and ‘frequently asked questions’ framework to support the exercise that would
also help with formal reporting of the registers
• The ESAs published a report with high-level observations about data quality and also organise this workshop to share their
general findings and observations with the wider industry

Key take-aways
• With 6.5% of submitted registers having passed all data quality checks and 50% of the remaining registers having failed fewer than 5 out of 116 data quality checks, the objective of having good quality data that can also be used for the designation of critical ICT third-party service providers (CTPPs) is within reach! However, additional efforts from industry are still needed
• Financial entities are encouraged to follow instructions provided in the final ITS
• Where a trade-off between data quality and completeness needs to be made, financial entities should prioritise data quality
• The use of identifiers is crucial for the registers and CTPP designation

2. Overview of the dry run exercise


Timeline and milestones

Phases: Announcement in April; Launch in May; Collection in July - August; Feedback to FEs in October - November

• 30 April – introductory workshop for the industry
• 31 May – launch for the industry: materials, specifications and tools made available to the participating FEs, and list of involved FEs confirmed by the CAs
• 10 June – Workshop for the industry on the tools and materials
• 4 July – Updated FAQ published (additional updates on 29 July)
• 1 July-30 August – registers of information collected (no resubmissions envisaged) from participating FEs through their competent authorities
• 6 September – Data frozen for the analysis
• 31 October – end of the data cleaning and quality checks. Feedback provided to the participating FEs via their competent authorities
• 17 December – publication of aggregated data quality report
• 18 December – Summary workshop for the industry

Tools and materials provided


Tools for the registers
• Templates for the register of information (.xls for filling)
• Two examples of filled-in templates
• FAQ covering dry run and filling the registers

Tools for reporting
• Draft data point model (DPM) annotated table layout
• Draft taxonomy
• DORA plain-csv sample reporting package
• XLS to CSV conversion tool (VBA macro) plus instructions

All materials are available on the dedicated webpage: Preparation for DORA application | European
Banking Authority

Important disclaimer: materials and tools published on 31 May and later in the context of the dry run exercise were meant solely for the
purposes of the dry run exercise as they:
(1) were based on the Final report on the Draft ITS on registers of information published and submitted in January 2024 by the ESAs
and, therefore, do not reflect the final legal act adopted by the EU Commission,
(2) were presented in a draft form (DPM and validation rules). The final technical package for the steady-state reporting, which will start
in 2025, will be published in December 2024.

Participation and coverage


• 1,139 FEs originally declared their interest to participate
• 1,039 FEs submitted their registers
• 947 registers were analysed with data quality feedback provided to them
• Most of the registers have been submitted at the consolidated level (over 58%) → increasing total number of FEs covered to 3,447
• Among the 3,447 entities covered through the consolidated registers:
– credit institutions (30%)
– insurance and reinsurance undertakings (19.3%)
– Non-financial entities (other than ICT intra-group service providers) (19%)
– investment firms (8%)
– asset management companies (6%)

Type of entity | Number of financial entities | Share in total
Credit institutions | 260 | 27.46%
Insurance and reinsurance undertakings | 225 | 23.76%
Investment firms | 122 | 12.88%
Asset management companies | 86 | 9.08%
Payment institution | 50 | 5.28%
Managers of alternative investment funds | 40 | 4.22%
Institutions for occupational retirement provision | 36 | 3.80%
Electronic money institutions | 30 | 3.17%
Other financial entity | 21 | 2.22%
Trading venues | 18 | 1.90%
Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries | 17 | 1.80%
Central security depository | 7 | 0.74%
Central counterparties | 6 | 0.63%
Crowdfunding service providers | 5 | 0.53%
Account information service providers | 4 | 0.42%
Administrator of critical benchmarks | 3 | 0.32%
Credit rating agency | 3 | 0.32%
Crypto-asset service providers | 3 | 0.32%
Non-financial entity: Other than ICT intra-group service provider | 3 | 0.32%
Trade repositories | 3 | 0.32%
Data reporting service providers | 2 | 0.21%
Non-financial entity: ICT intra-group service provider | 2 | 0.21%
Securitisation repository | 1 | 0.11%
Total | 947 | 100.00%

Country | FE count
AUSTRIA | 137
MALTA | 72
HUNGARY | 67
ITALY | 65
GERMANY | 60
FRANCE | 59
POLAND | 57
LUXEMBOURG | 57
NETHERLANDS | 50
SPAIN | 47
PORTUGAL | 46
IRELAND | 39
BELGIUM | 38
LIECHTENSTEIN | 31
GREECE | 17
CROATIA | 17
FINLAND | 14
BULGARIA | 13
CZECH REPUBLIC | 11
SLOVAKIA | 10
SWEDEN | 10
SLOVENIA | 9
ROMANIA | 6
CYPRUS | 6
LITHUANIA | 3
LATVIA | 3
ESTONIA | 3

Key observations

Coverage
• 18,387 functions were reported, of which 14,768 were assessed as critical (80%)
• Around 25,000 unique contractual arrangements were reported
• Around 10,000 unique TPPs identified

Support and interaction
• Extensive support materials and tools provided through a dedicated webpage
• Three workshops with the industry
• Three updates of FAQ document (127 questions)
• Individual data quality feedback provided
• More than 350 emails from FEs and 190 emails from CAs answered
• Extensive lessons learnt for ESAs → updates made in the ITS on the Registers of information

Data quality
• 6.5% successfully passed all data quality checks,
• 50% of the others failed less than 5 out of 116 data quality checks
• Missing mandatory data fields most common error – in line with ‘best efforts’ basis
• Use of identifiers is very important
• Follow the instructions provided

2. Data quality assurance process and key findings


Data quality assurance process


Two-step data quality assurance process run by the ESAs on each submission received

1: Integration checks

• 3 technical checks run upon reception. Ensure the submission could be processed:
• Naming convention respected
• No test submission / dummy files
• Submission included completed template b_01.01 (entity maintaining the RoI)
• If integration checks failed, submission discarded and not processed further

2: Data quality checks

116 checks belonging to 5 main areas:


• Unique identifier: keys of each template are not repeated
• LEI code validity: checked against GLEIF
• Drop-down list value: use of the DPM members respected
• Mandatory fields: checks whether the information needed for the designation is reported
• Validity of date values reported
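
The check areas listed above can be applied locally before a register is submitted. The following Python code is an added example, not ESA tooling: it runs four of the five areas (unique key, LEI structure, allowed list value, mandatory field) over constructed rows keyed by the B_05.01 data field codes that appear later in this deck. The LEI test is the ISO 17442 check-digit test only, not the GLEIF lookup; the dictionary keys, the plain-string type labels and the (code, type) row key are assumptions.

```python
import string

# Data field codes and mandatory flags as listed for template B_05.01 in this deck.
MANDATORY = ("B_05.01.0010", "B_05.01.0020", "B_05.01.0050", "B_05.01.0060")
# Assumption: type labels as plain strings; DPM drop-down members may be coded differently.
ID_TYPES = {"LEI", "EUID", "CRN", "VAT", "PNR", "NIN"}
_ALNUM = set(string.digits + string.ascii_uppercase)


def _mod97(text):
    # ISO 7064 MOD 97-10: digits stay, letters A..Z become 10..35.
    return int("".join(str(int(ch, 36)) for ch in text)) % 97


def lei_check_digits(prefix18):
    """Two check digits that complete an 18-character LEI prefix."""
    return f"{98 - _mod97(prefix18 + '00'):02d}"


def lei_is_well_formed(code):
    """Structural test only (ISO 17442); says nothing about GLEIF registration."""
    return (len(code) == 20 and set(code) <= _ALNUM
            and code[18:].isdigit() and _mod97(code) == 1)


def check_rows(rows):
    """Return (row_number, field, problem) findings for B_05.01-style rows."""
    findings, seen = [], set()
    for n, row in enumerate(rows, start=1):
        for field in MANDATORY:                      # mandatory fields
            if not (row.get(field) or "").strip():
                findings.append((n, field, "mandatory value missing"))
        code = (row.get("B_05.01.0010") or "").strip()
        kind = (row.get("B_05.01.0020") or "").strip()
        if kind and kind not in ID_TYPES:            # drop-down list value
            findings.append((n, "B_05.01.0020", "value not in allowed list"))
        if kind == "LEI" and code and not lei_is_well_formed(code):
            findings.append((n, "B_05.01.0010", "malformed LEI"))
        if code and kind:                            # unique identifier (assumed key)
            if (code, kind) in seen:
                findings.append((n, "B_05.01.0010", "duplicate key"))
            seen.add((code, kind))
    return findings


# Constructed sample data; the LEI is synthetic and not a registered code.
SAMPLE_LEI = "00EXAMPLE0TPP00001" + lei_check_digits("00EXAMPLE0TPP00001")


def _row(code, kind, legal, latin):
    return {"B_05.01.0010": code, "B_05.01.0020": kind,
            "B_05.01.0050": legal, "B_05.01.0060": latin}


SAMPLE_ROWS = [
    _row(SAMPLE_LEI, "LEI", "Example Cloud GmbH", "Example Cloud GmbH"),
    _row("HRB12345", "LEI", "Example Hosting AG", "Example Hosting AG"),  # national code given as LEI
    _row("", "EUID", "Primer OOD", ""),                                   # code and Latin name missing
    _row(SAMPLE_LEI, "LEI", "Example Cloud GmbH", "Example Cloud GmbH"),  # repeated key
    _row("123456789", "DUNS", "Example Data Ltd", "Example Data Ltd"),    # type not in list
]

if __name__ == "__main__":
    for finding in check_rows(SAMPLE_ROWS):
        print(finding)
```

A code that passes the structural test can still be lapsed or unregistered, which only the GLEIF comparison described above detects.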

Results of the data quality assurance process (1/2)


• At the end of September 2024 the ESAs shared individual feedback with the competent authorities, including:
• failing integration checks: feedback on which integration check led to exclusion
• data quality checks: detailed feedback with each record affected by the data quality issue
• list of all checks run shared for transparency.

• Feedback transferred to participating entities from their competent authorities – no direct sharing from ESAs to
participating entities
• If no feedback received until now, please contact your competent authority

• Out of 1,039 submissions received:
• 92 (9%) discarded due to failing integration checks → no resubmissions were included in the dry run
• 947 (91%) remaining submissions accepted, processed and screened for 116 data quality checks. Conclusive
report based on these submissions
• 6.5% of submissions did not fail any data quality check
• 50% of the remaining registers failed less than 5 data quality checks
• The maximum number of checks failing for a given entity is 43 out of 116

Results of the data quality assurance process (2/2)


• Total number of failed data quality checks: 235,000
• Volume of failed data quality checks is proportional to the number of data points submitted. Overall ratio of 2.5%
• Proportion varies by type of financial entity. Some examples:
• credit institutions: 1.9%
• investment firms: 2.4%
• insurance and reinsurance undertakings: 3.3%

Type of financial entity | Submissions received | Data quality checks failed | Data points submitted | Share of checks failed
Insurance and reinsurance undertakings | 225 | 97,289 | 2,935,579 | 3.3%
Credit institutions | 260 | 56,511 | 2,931,767 | 1.9%
Institutions for occupational retirement provision | 36 | 10,434 | 344,283 | 3.0%
Investment firms | 122 | 6,078 | 248,988 | 2.4%
Asset management companies | 86 | 2,170 | 209,306 | 1.0%
Managers of alternative investment funds | 40 | 1,124 | 90,016 | 1.2%
Payment institution | 50 | 1,877 | 63,318 | 3.0%
Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries | 17 | 1,417 | 49,906 | 2.8%
Electronic money institutions | 30 | 1,073 | 42,320 | 2.5%
Central security depository | 7 | 466 | 38,150 | 1.2%

Failed data quality checks by type

• Most problematic check: mandatory information missing


• In line with “best-effort” nature of exercise, but
• 2025 official reporting: all fields mandatory. Missing values will trigger
resubmission request
• Most problematic field: provision of identification codes for ICT TPPs and
their parent undertakings

• Second most problematic: invalid LEI codes


• All codes checked for validity against GLEIF
• Unexpected finding: more invalid LEIs (national codes, other types of
codes) provided for financial entities than for TPPs
• Low % of invalid LEIs for parent undertakings: issue is that LEIs are
missing more than invalid

Deactivated/problematic data quality checks


• Some checks were deactivated and excluded from the results presented in the conclusive report:

• DOR_0021: key values in b_02_02, columns 0010 to 0060 should not be repeated.
» In the FAQ, instructions were given to multiply the entries for these fields when multiple locations for data storage / data management.
• DOR_0094: value in b_06_01 column 0060 should not be missing
» The field was indicated as optional in the instructions
• DOR_0117: value in b_06_01 column 0060 should not be missing if value in column 0050 is populated with “Yes”
» The field was indicated as optional in the instructions

• Other checks can be disregarded depending on specific conditions:

• DOR_0091 and DORA_0092: parent undertaking’s identifier (b_05.01.0080) and type of identifier (b_05.01.0090) considered mandatory
fields.
» Should be mandatory only when the TPP reported in b_05.01 is not already a parent undertaking
• DOR_0052: currency (b_05.01.0060) of the amount reported in b_05.01.0070 (total annual expense or estimated cost of the ICT TPP)
considered mandatory field
» Field b_05.01.0070 is not applicable to subcontractors
The experience from the data quality checks, in particular from the problematic checks, has been reflected in the design of the data quality checks for the official reporting

3. Key lessons learnt from the dry run exercise


Key lessons learnt for the ESAs and the competent authorities

• Review, simplify and clarify the requirements and reporting instructions: changes to the reporting instructions based on the industry feedback and questions throughout the dry run have been reflected in the ESAs Opinion on the rejection of the ITS on Registers of Information published on 15 October (available here) → final ITS incorporates all those changes
• Adjust and finalise the data model - validation rules: revised data model and draft validation rules reflecting the dry run experience and questions/feedback on the data quality checks were published on 15 November (available here)

Key lessons learnt for the industry

Completeness
• Reported records should be complete and contain all mandatory data fields → missing mandatory fields will be flagged as data quality issues requiring resubmissions

Adherence to instructions
• Important to follow instructions provided in the ITS (general and data field-specific) → they have been updated following the dry run
• Important to follow data point model

Adaptation to the final ITS requirements
• Final ITS on Registers of information introduced important changes: (1) added: EUID as alternative identifier for TPPs, (2) removed: requirement to maintain expired contracts in the register

Identifiers are very important
• LEI is the only acceptable identifier for financial entities in template B_01.02 – all FEs in DORA scope should obtain LEIs
• LEI or EUID to be used as identifiers of TPPs that are legal persons
• Choice of additional identifiers for TPPs that are private persons

Reporting formats
• Plain-csv is the format that will be accepted by the ESAs
• Registers shall be reported following the reporting specifications (zip file with csv files inside)
• Same approach as used in dry run
• Financial entities are encouraged to choose the most appropriate technical solutions for maintaining the registers

4. Preparations for official reporting of the registers of information in 2025

Registers of information - reminder

• DORA requires all financial entities (FE) in its scope to have a register of information of all their contractual arrangements with ICT third-party providers available at entity, sub-consolidated and consolidated levels (Article 28(3) of DORA)
• The content of the registers of information is specified in ITS developed by the ESAs which has been adopted by the European Commission on 29 November as Commission Implementing Regulation (EU) 2024/2956 (see here)
• FE will need to keep the registers up-to-date and be ready to report them to the competent authorities (CA) starting from early 2025
• The CAs will use the registers for their supervisory purposes and will report them further to the ESAs
• The ESAs will use the registers as a main source of information for the designation of critical ICT third-party service providers (CTPPs) that will be subject to the DORA oversight by the ESAs

[Diagram: Registers of Information used as internal risk management tool, supervisory info for CAs, and information for the ESAs to designate CTPPs]

Changes to the ITS on the Register of Information

• ITS developed by the ESAs which has been adopted by the European Commission on 29 November as Commission Implementing Regulation (EU)
2024/2956 (see here)
• The final ITS follows the text published by the ESAs in their Opinion on the rejection of the ITS by the EU Commission from 15 October

Simplification from the EU Commission


• Removal of the requirement to maintain the expired contracts in the register

Addition from the EU Commission


• Giving choice to FEs of identifiers for the EU-registered TPPs – either LEI or EUID, or both, if available

Simplifications and clarifications from the ESAs


• Aligned the text with the integrated Data Dictionary (use of codes and references)
• Clarified what firms should be reported and where (financial entities in templates B_01.02 and all TPPs in B_05.01)
• Additional changes to support EUID implementation (introduction of additional data fields)
• Simplified approach to reporting currencies (no need to convert to base currency)
• Clarified reporting of contractual arrangements with subcontractors, where only first external contract is to be reported for intra-group
providers
• Clarified the need to add additional rows, where several values are to be reported but only one is permitted by the DPM

Changes to the ITS on the Register of Information: EUID implementation (1/3)
EU Commission has introduced EUID for the identification of ICT third-party service providers:
“Financial entities shall use a valid and active legal entity identifier (LEI) or the European Unique Identifier referred to in Article 16
of Directive (EU) 2017/1132 (‘EUID’), and where available both of these identifiers, to identify all of their ICT third-party service
providers that are legal persons, except for individuals acting in a business capacity”

• EUID is available to most of the EU-registered companies in the national business registers and can be found using the EU Commission tool – Business Register Interconnection System (BRIS)
• NB: only manual searches on BRIS are available and there is no API for batch processing

Changes to the ITS on the Register of Information: EUID implementation (2/3)

• To facilitate the implementation of EUID in the registers of information template B_05.01 has been amended → three additional data fields have been introduced

Data field | Data field name | Mandatory | Comment
B_05.01.0010 | Identification code of ICT third-party service provider | Yes | Existing data field, instructions clarified
B_05.01.0020 | Type of code to identify the ICT third-party service provider | Yes | Existing data field, instructions clarified with simplified fill-in options
B_05.01.0030 | Additional identification code of ICT third-party service provider | No | New data field to allow for both LEI and EUID to be reported
B_05.01.0040 | Type of additional identification code to identify the ICT third-party service provider | No | New data field to allow for both LEI and EUID to be reported. Simplified fill-in options
B_05.01.0050 | Legal name of the ICT third-party service provider | Yes | Existing data point clarified for EUID implementation – Legal name in original alphabet for Latin, Cyrillic or Greek alphabets → to allow check of EUID in BRIS
B_05.01.0060 | Name of the ICT third-party service provider in Latin alphabet | Yes | New data field for EUID implementation for legal names in Cyrillic or Greek alphabets → to allow check of EUID in BRIS

Changes to the ITS on the Register of Information: EUID implementation (3/3)

TPP type | Possible identifiers
EU-registered legal entity | LEI; EUID
Third-country-registered legal entity | LEI
Individual acting in business capacity | LEI; CRN – for corporate registration number; VAT – for VAT number; PNR – for passport number; NIN – for national identity number

Timelines for reporting to the ESAs


• Official reporting of the registers from the competent authorities to the ESAs is done on the basis of the ESAs Decision
of 8 November 2024 (see here)
• For the purposes of CTPP designation the competent authorities would need to collect the registers of information from
the financial entities and report them to the ESAs on annual basis
First reporting in 2025
• 31 March 2025 – Reference date
• CAs will set up specific deadlines for reporting from FEs to CAs
• 30 April 2025 – Remittance deadline for reporting to the ESA

Reporting from 2026 onwards
• 31 December (Year N-1) – Reference date
• CAs will set up specific deadlines for reporting from FEs to CAs
• 31 March (Year N) – Remittance deadline for reporting to the ESA

Data point model and validation rules


• Data point model (DPM) updated to reflect final ITS (as adopted on 29 November)
• Data model and validation rules published on 15 November (together with the reporting decision) – draft unofficial
version to help with the preparations
• Final publication of the complete technical package expected before Christmas (will cover data point model, validation
rules and taxonomies)
NB: there are some minor inconsistencies between the DPM taxonomies and the final ITS instructions (e.g. cannot have blank values in the data fields that are keys in the data model) that would be explained through official Q&A → the ESAs are working on this with the publication of the Q&As expected in January

Validation rules and data quality checks

Technical checks
• ca. 50 rules (see worksheet ‘Technical checks’ here)
• Adaptation of the existing EUCLID checks used by the EBA for prudential reporting
• Automatic feedback to the submitter (competent authorities) in case of failures → request to resubmit

Validation rules
• Ca. 125 data quality checks covering:
• DPM checks
• Business checks of LEI and EUID
• see worksheet ‘Validation rules’ here
• Feedback to the submitter (competent authorities) in case of failures → request to resubmit within the timeline indicated (before CTPP designation cut-off date)

Reference materials

• Dedicated dry run page with preparatory materials: Preparation for DORA application | European Banking Authority

• ESAs Decision on reporting of information for CTPP designation


• ITS on the Registers of information (Regulation (EU) 2024/2956)
• Data model for the register of information
• Draft validation rules for reporting of registers to the ESAs
• Reporting technical package (not available yet, but will be published here)

Thank you for your attention!

Questions and answers
