European Supervisory Authorities Contest EC's Rejection of DORA Technical Standards

European financial regulators have issued a formal opinion challenging the European Commission's (EC) recent rejection of proposed technical standards under the Digital Operational Resilience Act (DORA). This dispute highlights the complexities in implementing digital resilience measures across the European Union's financial sector.

The European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), were tasked with developing implementing technical standards (ITS) for DORA. These standards aim to establish templates for a register of information on contractual arrangements between financial entities and their IT service providers.

On January 17, 2024, the ESAs submitted their draft ITS to the European Commission. However, on September 3, 2024, the EC rejected the proposal, citing concerns over the mandatory use of the Legal Entity Identifier (LEI) for identifying IT third-party service providers.

The main point of contention is the identification method for IT service providers. The ESAs proposed using the LEI exclusively, while the EC suggests allowing financial entities to choose between the LEI and the European Unique Identifier (EUID) for providers registered in the EU.

The ESAs argue for the LEI based on its global adoption and regulatory consistency. Endorsed by the G20 in 2012, the LEI system has been implemented by nearly three million entities across over 200 countries. The ESAs emphasize that the LEI facilitates better risk assessment and aligns with existing financial reporting standards.

The EC, however, points out that the EUID is already freely available to most EU-registered companies under the Company Law Directive (EU) 2017/1132, potentially simplifying the process for some entities.

Concerns & Recommendations

The supervisory authorities warn that introducing the EUID alongside the LEI could lead to several challenges:

  1. Increased implementation costs for financial entities to modify their systems and collect additional data
  2. Complications in data management and quality assurance
  3. Potential delays in identifying critical IT third-party service providers

To mitigate these issues, the ESAs have proposed adaptations should the EC proceed with its dual-identifier approach. These include introducing new data fields in the ITS templates to accommodate the EUID and establishing a clear framework for using both identifiers, with a preference for the LEI when available.

The ESAs also stress the importance of resolving this issue promptly, as they are scheduled to begin designating critical IT third-party service providers in 2025. Any delays in adopting the ITS could impede the overall implementation of DORA and its objectives to enhance the financial sector's digital resilience.

As this regulatory dialogue continues, stakeholders across the European financial sector are closely monitoring developments. The final decision will need to balance robust operational resilience with practical implementation strategies.

The outcome of this disagreement could set important precedents for future regulatory frameworks in financial technology, highlighting the critical role of standardized identification in the increasingly complex ecosystem of financial services and IT providers.
