Requirements for submitting Registers of Information (RoI)
In accordance with Regulation (EU) 2022/2554 (DORA) and the Decision of the European Supervisory Authorities of 8 November 2024 on the time limits and conditions under which records of information must be provided by national supervisory authorities to the European Supervisory Authorities for the purpose of identifying essential ICT third-party service providers, financial institutions are required to maintain and submit RoI.
Financial institutions subject to the requirements of DORA shall, in accordance with Article 28(3), maintain and update a register of information relating to each contractual arrangement for ICT services provided by third parties.
Financial institutions must submit the information register to the Latvijas Banka for the first time by 15 April 2025, using data current as of 31 March 2025. Thereafter, financial institutions shall submit the register annually by 1 March, using data as of 31 December of the previous year.
Individual financial institutions shall submit the information register at the company level. Group entities shall prepare a consolidated RoI and submit a single register covering all group entities (DORA subjects) at the consolidated level.
The requirements for the content, structure, and format of the RoI are outlined in Commission Implementing Regulation (EU) 2024/2956. Information may be provided in Latvian or English.
The register must be submitted in accordance with the technical document “Requirements for the DORA Information Register Submitted to the Latvijas Banka.”
Questions and answers about the preparation and submission of the information register.
To support correct preparation and submission:
- The European Banking Authority (EBA) has issued explanatory materials on the preparation and verification of the information register.
- Financial institutions may either prepare the reporting files in the required format or use the Excel template provided by the Latvijas Banka.
- The European Securities and Markets Authority (ESMA) has published conclusions summarising the most common errors and problems identified during register submission testing.
Questions regarding the preparation or submission of the information register may be directed to the Latvijas Banka.
Example of types of ICT third-party service providers
Each financial entity shall identify and categorise its ICT third-party service providers in accordance with the applicable Implementing Technical Standards (ITS). The following examples illustrate common categories of ICT suppliers:
- Cloud computing service providers;
- Software suppliers, developers, and support providers;
- ICT project management and consulting service providers;
- ICT security, risk, and operational management service providers;
- ICT infrastructure providers, including physical equipment, premises, and data storage platforms;
- Communication service providers, including telecommunication systems and network operators;
- Data analysis and data processing service providers;
- Data centre service providers;
- Participants in the payment services ecosystem that provide payment processing or maintain payment infrastructure;
- Financial entities providing ICT services to other financial institutions;
- Intragroup service providers, i.e. companies within a financial group that deliver ICT services to parent companies, subsidiaries, or branches.