INFORMATION TECHNOLOGY
Implementing Regulation (EU) 2024/2956 has been published, laying down technical rules for the application of the DORA Regulation with regard to standard templates for the register of information on contractual arrangements with third-party ICT service providers.
The EU Commission's Implementing Regulation (EU) 2024/2956, applicable as of December 22, 2024, introduces the standard templates for the register of information on contracts with third-party information and communication technology (ICT) service providers.
Article 28(3) of the DORA Regulation requires financial entities to maintain a detailed register of all contractual arrangements with third-party ICT service providers that fall within the scope of managing the emerging risks posed by specific ICT service providers supporting the business processes and financial services provided by financial entities (banks, insurance companies, brokers, etc.). This register should include specific information about the contracts, such as duration, services provided, and security measures taken.
The implementing regulation therefore introduces standard templates for recording this information, ensuring uniformity and consistency in data collection and management. These templates facilitate the supervision and management of the cyber risks posed by third-party ICT service providers. The information collected in the register is essential for financial entities' internal management of cyber risks and for effective supervision by competent authorities. The ESAs (EBA, EIOPA, ESMA) will use this information for their inspection and monitoring tasks and to designate critical third-party ICT service providers, a designation that will be based precisely on the information financial entities record in their registers.