Regulatory Reporting

Missing identifiers biggest cause of failure in DORA data reporting dry run

December 20, 2024

Missing or invalid identifiers were the main reason for firms failing a data reporting dry run for the incoming EU Digital Operational Resilience Act (DORA), conducted by the European Supervisory Authorities (ESAs).

Financial firms omitting either their own, or their information and communications technology (ICT) provider’s, unique identifying number was the main reason for failure.

Some financial entities “did not have a legal entity identifier (LEI)”, said Oleg Shmeljov, a senior policy adviser at the European Banking Authority, during a December 18 feedback call.

With less than a month to go before DORA kicks in on January 17, 2025, Shmeljov advised firms to ensure they included an LEI as it was a mandatory field for DORA reporting. “Please act now. Please go and obtain an LEI, because without [it], you will not be able to report and you will not be able to meet your obligations under DORA,” he said.

Firms must also submit an identifier for their third-party ICT providers — either an LEI or a European unique identifier (EUID), he added.

The dry run — which was voluntary and completed on a “best efforts” basis by participants — saw 1,039 financial firms submit their registers of ICT outsourcing arrangements to their national supervisors in August.

The template had 116 data fields and 6.5% of firms had no fails in their reports. A further 50% had five or fewer failed data points. Marc Andries, head of the DORA joint directorate at the ESAs, said the results were “very encouraging”.

In all, 84% of reporting failures related to missing data, with a further 6.5% caused by incorrect LEI numbers.

ICT identifier

Some 60% of reporting failures related to ICT providers, with financial firms failing to provide basic information such as where the ICT provider was headquartered, its ultimate parent, or its unique identifying code. Not providing a valid identifier for an ICT provider was considered a significant failure.

A key purpose behind DORA was to enable EU regulators to identify the critical third-party providers (CTPPs) to the financial services sector as a whole.

Andries said that while he understood that adapting to the mandatory reporting template was “probably a bit difficult”, it was essential that firms provided the required information on their ICT outsourcing arrangements. Accurate information was needed in order for the ESAs to draw up the list of CTPPs, he said.

Shmeljov said that from January 17, 2025, any register submitted with missing data fields would be returned, and added that “completeness was key” as there was a reason for every data field.

The ESAs pointed out that firms submitting their data in an incorrect format was another reason for failure. Only ICT registers submitted in plain-CSV file format will be accepted. Shmeljov urged financial institutions to follow the detailed instructions the ESAs had provided on how to submit their registries in the correct file format.

Global interest

DORA is extraterritorial in that it applies to all financial services entities operating in the EU, and Andries remarked that it was gratifying to see such a global audience dialling into the feedback webinar.

“I can see that this exercise has attracted a lot of attention, which is very good for the preparation of DORA and the implementation of the new requirements,” he added.

All firms that participated in the dry run were given individual feedback on any data quality issues in their submission.