Federal Financial Supervisory Authority of Germany (BaFin)

05/08/2025 | News release | Distributed by Public on 05/08/2025 01:37

Registers of information and notification requirements: identifying concentrations in IT services

When financial entities use third-party service providers for information and communication technology (ICT), this increases the level of interconnectedness in the financial sector and creates new dependencies and risks. At the same time, the sector's attack surface, its total overall vulnerability, increases. ICT incidents at key ICT service providers can quickly affect many financial entities at the same time. In a worst-case scenario, they can jeopardise the entire financial market. The incident at CrowdStrike in the summer of 2024 highlighted how swiftly problems at key service providers can impact the global economy.

Recognising interconnectedness

To ensure effective risk management and to be able to analyse third-party risks, financial entities and supervisory authorities must have an overview of how third-party service providers are being used. This is the only way they can detect interconnectedness, tackle risks and identify critical third-party service providers (CTPPs). ICT third-party service providers are considered critical within the meaning of the Digital Operational Resilience Act (DORA) if a significant portion of the European financial sector is dependent on them. Article 28 of DORA sets out clear documentation and reporting requirements in this regard. DORA has been applicable since 17 January 2025.

One particularly important development is that financial entities must now keep a register of information. This is stipulated in the first subparagraph of Article 28(3). The register of information is intended to record all contracts with third-party service providers that provide ICT services to the financial entity. For services that support critical or important functions, not only the direct third-party service providers must be recorded in the register, but also all the subcontractors that ensure the provision of the service.

Registers of information: helpful for supervisors and companies

The register of information does not just serve supervisory purposes. Companies can use it to manage their third-party risk. It allows them to identify concentrations and geographical dependencies in services and effectively manage the resulting risks.

Supervisory authorities will use the registers to monitor companies' third-party risk and to analyse macro-level risks arising from the interconnectedness of the financial sector with third-party service providers. BaFin will thus be able to analyse concentration risks at company, sector and financial market level and identify critical third-party service providers for financial entities. The European Supervisory Authorities (ESAs) will use the registers for their annual categorisation of critical third-party service providers, in accordance with the Guidelines on oversight cooperation and information exchange between the ESAs and the competent authorities.

In addition to concentration risks, the register can also be used to analyse other risks in more detail. For example, supervisory authorities will be able to identify regional dependencies and analyse the effects of any geopolitical upheavals on the financial market. Geopolitical uncertainties increase the probability of failures at service providers and interruptions in the associated services. At the same time, supervisors can also use the register data to better assess the impact of incidents at service providers. Potentially affected companies can thus be identified and warned at an early stage.

Dry run in the summer of 2024

To help financial entities develop their register of information and test their own systems, the European Supervisory Authorities and national competent authorities such as BaFin conducted a dry run for the submission of registers of information in the summer of 2024. Participants in the dry run received individual feedback on the data quality of their registers; the objective was to enable them to submit a complete and error-free register in 2025.

The supervisory authorities also gained valuable insights from the exercise. Following the dry run, they revised and refined the requirements of Implementing Regulation (EU) 2024/2956 on the register of information. In addition, they adjusted validation rules in order to improve data quality.

The ESAs published their findings in a report that revealed shortcomings. In some cases, for example, mandatory fields had not been completed. Moreover, identification codes for financial entities and third-party service providers were often incorrect or missing altogether.

LEI obligation for third-party service providers?

Under DORA, the key identification code for financial entities is the legal entity identifier (LEI). Every financial entity must have an LEI and, in accordance with Chapter III of DORA, use the LEI to identify itself in the register of information and for reporting ICT incidents. This also applies to consolidated registers of information pertaining to groups or corporations and aggregated incident reporting by service providers. In both cases, all the companies in the financial sector that are included in the respective report or register must be identified by their LEI (see Figure 1).

Figure 1: Identification codes

Source: BaFin

For a long time, it was unclear whether the LEI would also be mandatory for identifying third-party service providers. Implementing Regulation (EU) 2024/2956 on the register of information of 29 November 2024 provided clarity in this regard. The Commission decided that, in addition to the LEI, the European unique identifier (EUID) could also be used to identify these third-party service providers. According to Article 3(5) of Implementing Regulation (EU) 2024/2956 on the register of information, all third-party service providers must be identified by means of one of these two IDs. If a third-party service provider has both IDs, both must be provided. If natural persons act as service providers, they can use other identification codes such as their personal identity card number.
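As an added illustration (not BaFin's or the ESAs' tooling, and not the ESAs' taxonomy format), the following Python applies the identification rules described above to constructed register rows before submission: LEI check digits are verified as specified in ISO 17442 (ISO 7064 MOD 97-10), while the row layout, field names and the sample EUID are assumptions.

```python
import re

# LEI: 20 characters, 18 alphanumeric plus two numeric check digits (ISO 17442).
LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _as_number(code: str) -> int:
    """Map A-Z to 10-35 (digits stay as they are) and read the result as one integer (ISO 7064)."""
    return int("".join(str(int(ch, 36)) for ch in code.upper()))


def lei_check_digits(prefix18: str) -> str:
    """Compute the two MOD 97-10 check digits for an 18-character LEI prefix."""
    return f"{98 - _as_number(prefix18 + '00') % 97:02d}"


def lei_is_valid(lei: str) -> bool:
    """Format and check-digit test: the whole 20-character code must leave remainder 1 mod 97."""
    return bool(LEI_RE.match(lei)) and _as_number(lei) % 97 == 1


def identifier_issues(row: dict) -> list:
    """Apply the identification rules to one (hypothetical) register row and return the findings."""
    issues = []
    lei, euid = row.get("lei", ""), row.get("euid", "")
    if row["role"] == "financial_entity":
        # Every financial entity (incl. group members in a consolidated register) must carry an LEI.
        if not lei_is_valid(lei):
            issues.append("financial entity must be identified by a valid LEI")
    elif row["role"] == "provider":
        if row.get("natural_person"):
            # Natural persons may use another code (e.g. identity card number) instead.
            if not (lei or euid or row.get("other_id")):
                issues.append("natural-person provider needs an identification code")
        elif not (lei or euid):
            # A legal-person provider needs an LEI or an EUID; if it holds both, both must be
            # given, which cannot be verified from the register row alone.
            issues.append("provider must be identified by an LEI or an EUID")
        if lei and not lei_is_valid(lei):
            issues.append("provider LEI fails the format or check-digit test")
    return issues


def validate_register(rows: list) -> dict:
    """Return {row index: issues} for every row with at least one finding."""
    return {i: iss for i, r in enumerate(rows) if (iss := identifier_issues(r))}


# Constructed sample rows (the LEI is built from an invented prefix with computed check digits).
SAMPLE_PREFIX = "529900T8BM49AURSDO"
SAMPLE_ROWS = [
    {"role": "financial_entity", "lei": SAMPLE_PREFIX + lei_check_digits(SAMPLE_PREFIX)},
    {"role": "provider", "lei": "", "euid": "DEK1101R.HRB123456"},  # assumed EUID shape
    {"role": "provider", "lei": SAMPLE_PREFIX + "00", "euid": ""},  # wrong check digits
    {"role": "provider", "natural_person": True, "other_id": "ID-CARD-PLACEHOLDER"},
]
```

Running `validate_register(SAMPLE_ROWS)` flags only the third row, which is the kind of incorrect identification code the dry-run report mentioned.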

What will happen next?

Financial entities must make their complete register of information available to the competent authority on request. This is stipulated in subparagraph 4 of Article 28(3). Since the ESAs need the registers for the annual categorisation of critical third-party service providers, Guideline 5 of the Joint Guidelines on the oversight cooperation and information exchange between the European Supervisory Authorities and the competent authorities requires competent authorities to transmit these registers to the ESAs.

For 2025, the ESAs have made clear in their Decision on reporting of information for CTPP designation that they expect the registers to be submitted by the competent authorities by 30 April 2025. These should contain all contract information with the reference date 31 March 2025. In subsequent years, the reference date will be 31 December. The registers are then to be sent to the ESAs on 31 March.

Financial entities under BaFin's supervision must prepare to make their first submission of registers of information to BaFin by 28 April 2025 at the latest (see Figure 2). BaFin will closely support the companies until then and endeavour to clarify as many unresolved issues as possible. To this end, BaFin has created a new info page regarding the register of information on its website; this page is being updated on a regular basis. Financial entities may also consult the new info page to find out when they can begin submitting the registers to BaFin.

Figure 2: Timeline for the preparation, submission and transmission of registers

Source: BaFin

The registers of information are to be sent to BaFin via its reporting and publishing platform (MVP Portal). To send the register of information, each financial entity must first activate accounts for the reporting agents who will be using the "Digital Operational Resilience Act (DORA)" specialised procedure on the platform. In recent months, BaFin has contacted all relevant financial entities in this regard. Further information on account activation is available on BaFin's website.

The registers of information must always be submitted as a structured file that corresponds to the ESAs' taxonomy. Unlike the dry run in the summer of 2024, the ESAs are not providing a conversion tool. BaFin is familiar with the conversion difficulties, especially for small financial entities, and will soon publish a specially structured Excel template on its website. Companies will also have the option of using the template but must adhere to the predefined structure of the file.

Besides submitting the register of information as a structured file, companies may also opt to submit the completed Excel template via the MVP Portal. Financial entities should always follow the validation rules for the data fields published by the ESAs. Those companies whose register is found to contain errors or incomplete data fields will be asked to correct their register and resubmit it.

Reporting requirements for agreements on the use of ICT services

In addition to the submission of the register of information, Article 28 of DORA contains further reporting requirements. These include informing the competent authority once a year of the number of new arrangements regarding the use of ICT services. Financial entities are also required to provide further information on the third-party service providers and the services provided (see third subparagraph of Article 28(3) of DORA).

According to Article 31(10) of DORA, this information is to be used by the competent authorities to categorise critical third-party service providers. The complete registers of information will now be used for this purpose. This is regulated in Guideline 5.1 of the Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities. The registers of information will be collected once a year in accordance with Article 5 of the ESAs' Decision on reporting of information for CTPP designation.

BaFin currently assumes that the companies, by annually submitting the registers of information, will be providing all the information specified in subparagraph 3 of Article 28(3) of DORA. From BaFin's perspective, therefore, this reporting requirement will have been fulfilled. To ease the burden on financial entities, BaFin plans to use this data itself to obtain and analyse information on new arrangements by comparing it with the previous year's register. For financial entities, this means there is no need for further action on their part.

BaFin prevents double reporting

Subparagraph 5 of Article 28(3) of DORA requires financial entities to inform the supervisory authority of planned contracts on the use of ICT services supporting critical or important functions. This also applies if a function only becomes critical or important at a later date. It is likely that these reports will often overlap with the reporting on (material) outsourcing under the provisions set out in the German Banking Act (Kreditwesengesetz - KWG), the German Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG), the German Investment Code (Kapitalanlagegesetzbuch - KAGB) and the German Investment Firm Act (Wertpapierinstitutsgesetz - WpIG).

To prevent double reporting and ease the burden on the industry, BaFin will be modifying the specialised procedure for reporting outsourced activities and processes (Anzeige von Auslagerungen), which has been in use since the end of 2022. BaFin is currently revising the form to be completed for the procedure and expects to make it available from the second quarter of 2025. The form will be adapted to the current regulations concerning DORA reports and be supplemented with a DORA field.

Instead of double reporting: one report on outsourcing

Financial entities that would otherwise have to meet two sets of reporting requirements will be expected to prioritise reporting their outsourced activities and processes; by ticking a box in the DORA field of the form, they will declare that they are meeting both reporting requirements. In the period between the introduction of the new reporting requirements and the updating of the form for reporting outsourcing, financial entities should report their planned outsourcing via the MVP Portal as usual and then, once the updated form is available, revise their report: they need only tick the box and submit the revised report by way of a notification of change. BaFin is planning to hold workshops to explain the new form.

For ICT services that do not have to be reported as outsourcing, financial entities are to use an Excel form to notify BaFin of any planned contracts or changes to critical or important functions. On BaFin's website, financial entities will find an overview page dealing with the register of information and the reporting requirements; this overview page provides further information on the reporting process and the Excel form made available for this purpose.

BaFin will continue to support companies

The register of information and the other reporting requirements under Article 28 of DORA pose challenges. This is particularly the case with regard to the sectoral requirements already in place for outsourcing management and the corresponding reporting obligations. BaFin is aware of these challenges and will continue to provide companies with further information and assistance after 17 January 2025.

Overall, Article 28 of DORA reflects the international trend of taking a broader view and focusing not only on outsourcing risks, but also on the third-party risk faced by financial entities. EU legislators are thus responding to recent international initiatives, such as those of the Financial Stability Board ("Enhancing Third-Party Risk Management and Oversight"), the G7 ("Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector") and the ongoing work of the Basel Committee on Banking Supervision ("Principles for the sound management of third-party risk"). The European Banking Authority (EBA) is also currently revising its Guidelines on outsourcing arrangements. It is conceivable that the trend towards a stronger focus on third-party risk will result in further adjustments to regulatory requirements.

Federal Financial Supervisory Authority of Germany (BaFin) published this content on May 08, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on May 08, 2025 at 07:38 UTC.