Data potential of the DORA information register

14/10/2025

DORA (the Digital Operational Resilience Act) is a European Union regulation that came into force in January 2025 and is designed to strengthen digital resilience in the financial sector. It affects financial institutions and their service providers by imposing requirements on ICT risk management, incident reporting, testing, and dealing with third-party providers.

As part of the implementation of Regulation (EU) 2022/2554 (DORA), a project team from our company was commissioned by a German financial institution to support its risk management, among other things, in creating the reportable information register in terms of both taxonomy and content.

According to Article 28(3) of DORA, financial institutions are required to maintain an information register. The information register provides an overview, according to a specified taxonomy, of all contracts with information and communication technology (ICT) service providers, known as third-party ICT service providers, who provide ICT services to the financial institution. By aggregating the information registers of all affected financial institutions, the EU and national supervisory authorities aim to identify dependencies, concentration risks, and critical third-party ICT service providers in the European and national financial sector.

The benefits at European and national level are clear, but to what extent can a financial institution, which is already required by DORA regulations to create an information register and report cyclically, generate added value for its own risk management from this? To answer this question, this article highlights the data potential of the information register and provides key insights for financial institutions.

Structure and content of the information register

The information register follows a specified tabular structure and content. Each bullet point below is presented taxonomically as a separate spreadsheet in the information register:

  • General information about the financial institution
  • General information on companies undergoing consolidation (in the case of possible consolidated reporting of the information register)
  • General information on contractual agreements
  • Specific information on contractual agreements
  • Details of the links between intra-group contractual agreements and contractual agreements with third-party ICT service providers that do not belong to the group
  • Information about the companies that sign contractual agreements with third-party ICT service providers
  • Details of third-party ICT service providers that sign contractual agreements
  • Details of the companies that sign contractual agreements for other companies belonging to the consolidation group
  • Information on the companies that use the ICT services provided by third-party ICT service providers
  • Information on direct third-party ICT service providers and their subcontractors
  • Information on ICT service chains of contracts that support a critical or important business function
  • Information identifying the business functions of the financial institution
  • Information on the assessment of ICT services provided by third-party ICT service providers that support a critical or important business function
  • Information on the terminology used by the financial institution when completing the information register

In summary, a financial institution collects data on its own organizational structure, business functions, contractual ICT services, and the corresponding third-party ICT service providers and their service-related subcontractors. This includes data on the identifying characteristics of the contractual ICT services and the corresponding third-party ICT service providers, the criticality of contracts and business functions, the degree of dependence of business functions on individual ICT services, types of services, annual past and projected costs per service provider and contractual agreement, location information of third-party ICT service providers, and a hierarchical representation of a third-party ICT service provider's subcontractor chain.

Data preparation

However, according to the DORA taxonomy, this data is stored in different spreadsheets and is insufficiently prepared and modeled for data analysis. To develop the data model, clearly referenced variables, known as primary keys, must be identified. They relate data records between spreadsheets and thus make the data evaluable across spreadsheets. Based on these primary keys, data modeling reveals the variables that are categorically suitable for data analysis.

We were able to identify three primary keys in the information register:

  • Contract
  • Contractual ICT service
  • Third-party ICT service provider

Accordingly, data can be analyzed at the level of individual contracts with third-party ICT service providers, individual contractual ICT services, and third-party ICT service providers as contractual partners of the financial institution.

For data analysis, the data model allows the following content to be displayed for each primary key:

Contract:

  • Type of contractual agreement
  • Annual costs for the previous year
  • Criticality of the contract
  • Third-party ICT service provider as contractual partner

Contractual service:

  • Organizational unit that uses the contractual service
  • Third-party ICT service provider as service provider
  • Business function supported by the contractual service
  • Criticality of the business function
  • The DORA service type (specified service category of DORA)
  • Degree of dependency of the business function on the contractual service
  • Location of service provision
  • Location of data storage
  • Location of data management
  • Sensitivity of data stored by third-party ICT service providers

Third-party ICT service providers:

  • Contracts with a third-party ICT service provider
  • Critically important contracts with a third-party ICT service provider
  • Contractual ICT services per third-party ICT service provider
  • Critically important contractual ICT services per third-party ICT service provider
  • Supported business functions
  • Critically important business functions supported

This information can be used in the following data analysis to display frequencies and distributions to identify dependencies and concentration risks within your own company.

Data analysis

In the project, data analysis based on the underlying data model provided key insights into the financial institution's existing dependencies on third-party ICT service providers.

This provided an overview of the frequencies of active ICT contracts, the types of contractual ICT services they contain, third-party ICT service providers as contractual partners, and business functions. The relative distribution of the degree of criticality was included within the frequencies. A ranking of third-party ICT service providers that significantly or completely support the most critical business functions with the majority of contractual ICT services revealed which third-party ICT service providers the institution is most dependent on.

Furthermore, a relative distribution of data storage locations revealed how many critical ICT services store and process data outside the EU and the EEA.

Finally, as part of a cost analysis, we were able to generate a ranking for the highest total ICT expenditure in the last year by individual ICT contracts and for the highest estimated total annual ICT expenditure by third-party ICT service providers as contractual partners.
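The key-based join from the data preparation section and the rankings described in this section, as an added example that is not the project's own code. It uses constructed sample rows and hypothetical column names (not the official DORA template field codes), and it reports rows whose contract or business-function key does not resolve instead of silently dropping them.

```python
from collections import Counter

# Constructed sample rows. Column names are hypothetical, not official DORA template codes.
CONTRACTS = {  # sheet keyed by contract
    "C-1": {"provider": "P-A", "annual_cost": 400_000},
    "C-2": {"provider": "P-A", "annual_cost": 150_000},
    "C-3": {"provider": "P-B", "annual_cost": 900_000},
}
SERVICES = [  # sheet keyed by contractual ICT service
    {"service": "S-1", "contract": "C-1", "function": "F-PAY", "storage": "DE"},
    {"service": "S-2", "contract": "C-1", "function": "F-HR", "storage": "US"},
    {"service": "S-3", "contract": "C-2", "function": "F-PAY", "storage": "US"},
    {"service": "S-4", "contract": "C-3", "function": "F-TRD", "storage": "IE"},
    {"service": "S-5", "contract": "C-9", "function": "F-PAY", "storage": "DE"},  # dangling key
]
CRITICAL = {"F-PAY": True, "F-HR": False, "F-TRD": True}  # business function -> critical?
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
          "IS LI NO".split())

def join_sheets(services, contracts, critical):
    """Resolve each service to its provider and criticality; report unresolvable rows."""
    joined, orphans = [], []
    for row in services:
        contract = contracts.get(row["contract"])
        if contract is None or row["function"] not in critical:
            orphans.append(row["service"])  # broken reference between spreadsheets
            continue
        joined.append({**row, "provider": contract["provider"],
                       "critical": critical[row["function"]]})
    return joined, orphans

def critical_services_per_provider(joined):
    """Rank providers by the number of services supporting critical functions."""
    return Counter(r["provider"] for r in joined if r["critical"]).most_common()

def non_eea_share_of_critical(joined):
    """Share of critical services whose data is stored outside the EU/EEA."""
    crit = [r for r in joined if r["critical"]]
    outside = [r for r in crit if r["storage"] not in EEA]
    return len(outside) / len(crit) if crit else 0.0

def cost_per_provider(contracts):
    """Rank providers by total annual cost across their contracts."""
    totals = Counter()
    for c in contracts.values():
        totals[c["provider"]] += c["annual_cost"]
    return totals.most_common()

if __name__ == "__main__":
    joined, orphans = join_sheets(SERVICES, CONTRACTS, CRITICAL)
    print(critical_services_per_provider(joined), non_eea_share_of_critical(joined))
    print(cost_per_provider(CONTRACTS), "unresolved:", orphans)
```
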

Conclusion

The information register does not provide a sufficient data model for meaningful data insights. In addition, there are many variables that have been excluded from this article because they would not be useful for data analysis in the area of risk management.

However, after data preparation and development of the data model shown for the risk management of a financial institution, there is great potential for data analysis in the context of dependencies and concentration risks at third-party ICT service providers, the results of which can be used, for example, in internal reporting.

Harness the full potential of your information register and generate valuable insights for your company from reportable data.

As an experienced partner in this field, we would be happy to discuss this topic with you. Please contact us at mail@complion.de.



Author: Florian Müller