Understanding DORA Compliance: The Legal Entity Identifier (LEI) Requirement for Financial Entities
As the digital landscape evolves, the financial sector faces increasing regulatory requirements to strengthen its digital resilience. One such mandate is the Digital Operational Resilience Act (DORA), established under Regulation (EU) 2022/2554, with applicability from January 17, 2025. This Regulation, along with related amendments such as Directive (EU) 2022/2556, introduces comprehensive measures aimed at enhancing the digital resilience of financial entities in the European Union. A critical aspect of this regulation is the Legal Entity Identifier (LEI) requirement for maintaining a standardised Register of Information (RoI) on ICT-related third-party service arrangements.
Key Components of the DORA Regulation
Under DORA, financial entities are required to adopt robust digital resilience measures, aligning with technical standards and guidelines developed to bolster operational security and resilience. A focal point of this compliance effort is the maintenance of a detailed Register of Information (RoI) concerning all ICT third-party service providers (ICT TPPs) with whom financial entities have contractual arrangements. According to Article 28(3) of the DORA Regulation, this RoI must be made available to the relevant regulatory authority upon request. The purpose of the RoI is to give regulators comprehensive insights into a financial entity’s reliance on third-party ICT providers, fostering transparency and improving regulatory oversight within the sector.
The Role of the Legal Entity Identifier (LEI) in DORA Compliance
To ensure consistency and traceability, DORA mandates that financial entities obtain and maintain an LEI by January 17, 2025. This identifier will play an essential role in the standardized reporting requirements associated with DORA. An LEI uniquely identifies legal entities involved in financial transactions, enabling regulators to monitor the systemic risk posed by these interconnected relationships.
The LEI requirement also extends to the Register of Information reporting. Financial entities must use the LEI as part of the standard template that details ICT TPP arrangements. The standard template, outlined in the Final Report on Draft Implementing Technical Standards (ITS), is currently in draft form and may undergo further revisions. However, the overarching goal remains clear: to create a uniform reporting structure that supports regulatory review and enhances operational transparency.
Preparing for Compliance: Key Actions for Financial Entities
- Obtain and Maintain an LEI: All financial entities falling under the scope of DORA must acquire an LEI by the January 2025 compliance date. This identifier will be a key component of reporting and must be kept current.
- Update the LEI Profile in the LH Portal: It is essential to keep the corporate profile associated with the LEI updated. This includes ensuring accurate and timely data reporting, which regulators will rely on for comprehensive oversight.
- Establish and Maintain an Accurate RoI: Financial entities should ensure that their RoI comprehensively details all arrangements with ICT TPPs. This register should be updated regularly and in alignment with the latest ITS template.
- Monitor Further Regulatory Updates: As the draft ITS template is subject to changes, entities should remain vigilant for updates from the European Supervisory Authorities and/or the Malta Financial Services Authority (MFSA) to ensure full compliance by the deadline.