The countdown is on: The Digital Operational Resilience Act (DORA) comes into force on January 17, 2025, and the financial sector is preparing intensively for the new requirements. DORA is currently the dominant topic in the industry – as demonstrated by the great response to the BaFin conference “IT supervision in the financial sector: What does DORA mean in practice?” on September 26, 2024. Thousands of participants learned about the final steps towards implementation. A central instrument in the practical implementation of DORA is the register of information. In this article, you will learn what the register of information is all about, how to create it and why the right approach is crucial to meeting the requirements efficiently and on time.
What is the DORA register of information?
The register of information under DORA is a standardized central database that records all contractual agreements of a financial company with ICT third-party service providers. It contains detailed information about the ICT services utilized, the providers, and the supported business and operational functions. The register enables systematic monitoring of dependencies and risks arising from the use of ICT third-party providers and serves to provide this information to the relevant supervisory authorities. It encompasses all ICT services; however, particularly critical or important functions must be listed in more detail.
Main Benefits:
- For financial companies: The register of information helps companies systematically capture and monitor all contractual dependencies related to ICT services. This facilitates risk management, enhances transparency regarding critical ICT third-party providers, and enables better preparation for potential ICT-related incidents.
- For the entire financial sector: The register of information allows supervisory authorities to comprehensively monitor the dependencies of financial institutions on ICT third-party providers and identify critical service providers. This ensures that systemic risks are recognized early and coordinated measures are implemented to maintain digital resilience throughout the financial sector.
How do you create a DORA-compliant register of information?
The creation of a DORA-compliant register of information involves four main steps:
- Identification of critical and important functions: First, determine which operational and business functions are essential for maintaining business operations and meeting regulatory requirements.
- Documentation of ICT third-party service providers: Identify all providers delivering ICT services, and document the contractual details and dependencies.
- Documentation of ICT services: Record all ICT services and associate them with the identified critical or important functions.
- Consolidation of information: Enter the collected information into the standard templates specified by DORA to ensure uniform reporting.
Why Excel is not enough
Many companies initially rely on Excel to manage the register of information, as it appears to be a quick and cost-effective solution. However, practice shows that Excel quickly reaches its limits for the long-term management of such a complex and dynamic register:
- Limited scalability: As the complexity of the company grows, maintaining a register of information in Excel becomes confusing and difficult to manage (PwC, 2023).
- Security risks: DORA requires strict security measures to protect sensitive data, but Excel offers only rudimentary security functions (EBA, 2023).
- Lack of versioning and consistency: In Excel, it is difficult to track changes and ensure consistency, especially if several people are working on it at the same time (BaFin, 2024b).
- High manual effort and susceptibility to errors: Merging and consolidating data from different sources is time-consuming and prone to human error.
The advantages of our tool-based solution
To meet the requirements of DORA and manage the register of information efficiently, companies should rely on a tool-supported solution. This offers the following advantages:
- Automation: Reduce manual input and minimize errors through automated processes.
- Central data management: Instead of working in different Excel files, all parties involved can access the current register of information via a central platform.
- Increased security: Tool-based solutions such as the GRC Toolbox offer advanced security features to ensure the protection of sensitive data in accordance with DORA (European Commission, 2023).
Conclusion
The register of information is an essential component of the DORA requirements and will be the focal point for the digital resilience of financial service providers. In light of the upcoming enforcement of DORA and the increasing relevance of this topic, it is crucial for companies to take the right steps now. Those who invest early in a structured and efficient solution will be well prepared not only to meet the new regulatory requirements but also to benefit in the long term from the insights gained.
Would you like to learn more about how to design your register of information efficiently and in a DORA-compliant way? Feel free to contact us for more information about the solutions from Swiss GRC. You can also book a Discovery Call directly to find out how we can support your company: swissgrc.com/discoverycall.