DORA Regulation: European Commission’s Rejection of Draft ITS

The ESAs published responses to the European Commission's proposal, defending LEI use under DORA regulation against EUID cost-reduction measures

In October 2024, the European Supervisory Authorities (ESAs) published three key letters responding to the European Commission's rejection of their draft Implementing Technical Standards (ITS) under the Digital Operational Resilience Act (DORA). These letters addressed the EC’s concerns over the mandatory use of the Legal Entity Identifier (LEI) for identifying ICT third-party service providers, which the Commission argued should be replaced or complemented by the European Unique Identifier (EUID) to reduce costs for smaller providers. The ESAs' letters defended the use of the LEI, emphasising its global applicability and importance for regulatory consistency and oversight. The background for these letters lies in the ongoing regulatory process to ensure financial entities' digital resilience under DORA, focusing on how to best structure the register of information for managing ICT risks.




Source

ESAs Opinion on the European Commission’s rejection of the ITS on Registers of Information under DORA



Background of the Dispute


At the heart of the dispute between the ESAs and the European Commission is a core requirement under the DORA Regulation: financial entities must maintain a register of information detailing their contractual arrangements with ICT third-party service providers. This register, mandated by DORA, is essential for enhancing ICT risk management and allows supervisors to designate certain ICT providers as "critical" to the financial system. The register is pivotal to ensuring that financial entities adhere to the principles of digital operational resilience, which is a cornerstone of the DORA Regulation.


In January 2024, the ESAs submitted a draft ITS to the European Commission, proposing standard templates for this register of information. However, the Commission rejected the draft, particularly opposing the mandatory use of the Legal Entity Identifier (LEI) for identifying ICT third-party service providers. The EC argued that financial entities should have the flexibility to choose between using the LEI or the European Unique Identifier (EUID), which is more widely available and free for most EU-registered companies. According to the Commission, this flexibility would ease the compliance burden, particularly for smaller ICT providers operating within the EU under DORA Regulation.




The EC’s Rationale: Flexibility and Proportionality in DORA Regulation


The European Commission's stance on allowing the use of either the LEI or EUID stems from its commitment to proportionality, a key principle under EU law. The EC argued that enforcing the LEI as the sole identifier could impose unnecessary costs on smaller ICT providers that already have EUIDs. The EUID, which is provided for free under EU company law, is a more cost-effective and practical solution for most EU-registered companies.


The EC stressed that offering flexibility in compliance with DORA Regulation would help reduce the burden on smaller entities, enabling financial institutions to adopt a simpler, more cost-efficient approach to identifying ICT providers. This flexibility would ensure that financial entities still comply with the operational resilience principles outlined in the DORA Regulation without imposing excessive financial or administrative burdens.




The ESAs’ Position: LEI as a Pillar of Standardisation in DORA Regulation


The ESAs, however, expressed significant concerns about the proposed changes under DORA Regulation. The LEI has been a fundamental tool for regulatory oversight and financial reporting, especially since the 2008 financial crisis. It is already widely used across several EU financial regulations, such as EMIR, MiFIR and SFTR, and plays a vital role in ensuring transparency and standardisation within financial markets. The ESAs argue that mandating the LEI under DORA Regulation would enhance transparency, particularly for cross-border financial activities where entities interact with global ICT providers.


The LEI system provides high-quality, standardised data that allows regulators to trace the interconnectedness of the financial system, a critical aspect of operational resilience mandated by DORA Regulation. The ESAs warned that introducing the EUID as an alternative identifier alongside the LEI could unnecessarily complicate the regulatory landscape. Financial institutions would need to manage two identifiers, leading to higher administrative costs and potential data inconsistencies in reporting, which could hinder the regulatory goals of DORA Regulation.


Impact on Financial Entities: DORA Regulation Compliance with Dual Identifiers


For financial entities, the inclusion of the EUID alongside the LEI presents both opportunities and challenges. While the EUID could reduce costs for ICT providers within the EU, the ESAs argue that this flexibility could result in higher compliance costs for financial institutions under DORA Regulation. Adapting to a system that uses both the LEI and EUID would require significant updates to existing reporting systems, potentially introducing inconsistencies in data quality.


Financial entities would also need to invest more resources in manually collecting and verifying EUIDs, which are not as easily accessible as LEIs. The LEI is supported by the Global Legal Entity Identifier Foundation (GLEIF), which ensures consistent and real-time data verification. In contrast, the EUID relies on national business registers, which may not always be up-to-date or as reliable, posing challenges for compliance under DORA Regulation.


This difference in data accessibility and reliability could lead to delays in reporting, undermining the broader objectives of DORA Regulation—particularly the goal of enhancing the financial sector's operational resilience in the face of ICT risks.




Supervisory Concerns: Consistency in DORA Regulation Framework


For supervisory authorities, the introduction of two identifiers—LEI and EUID—could complicate the process of overseeing financial entities' compliance with DORA Regulation. The ESAs argue that using a single, globally recognised identifier (the LEI) would streamline regulatory oversight, ensuring consistency across different reporting frameworks. The EC’s proposal, by allowing both identifiers, could fragment the regulatory landscape, making it more difficult for supervisors to monitor systemic risks and assess digital operational resilience under DORA Regulation.


The ESAs also raised concerns about the potential impact of the dual-identifier approach on the designation of critical ICT third-party providers. Under DORA Regulation, supervisors need to assess the criticality of ICT providers accurately. The LEI, with its robust data structure and global recognition, offers a clear, standardised approach to identifying these critical providers. In contrast, the EUID could introduce ambiguities, particularly in cross-border situations where supervisors need to trace complex relationships between financial entities and their ICT service providers.




Looking Ahead: Balancing Flexibility and Standardisation in DORA Regulation


The ongoing debate between the European Commission and the ESAs over the use of LEI versus EUID highlights a broader tension in the implementation of DORA Regulation: balancing flexibility with the need for standardised, rigorous oversight. While the EC’s proposal for the EUID offers cost savings and reduces regulatory burdens for smaller ICT providers, the ESAs’ defence of the LEI emphasises the importance of maintaining a unified global standard for identifying ICT service providers under DORA Regulation.


In practical terms, the outcome of this debate will have significant implications for financial institutions, ICT service providers, and supervisors alike. If the EC’s proposal moves forward, financial institutions will need to adapt their systems to accommodate both identifiers, potentially facing higher costs and operational complexities. This could delay the achievement of DORA Regulation’s core goal: enhancing digital operational resilience across the financial sector.


On the other hand, maintaining the LEI as the sole identifier would support global convergence in financial data reporting and enable more efficient oversight of digital resilience under DORA Regulation. The ESAs argue that the LEI is essential for achieving the regulatory objectives of DORA, ensuring that supervisors can monitor ICT risks effectively and designate critical providers as needed.




The Path Forward Under DORA Regulation


As the financial sector moves toward full compliance with DORA Regulation, the outcome of the debate over the use of LEI versus EUID will play a pivotal role in shaping the future of digital operational resilience in Europe. Both the ESAs and the European Commission share the same goal: safeguarding the financial system from ICT risks and operational disruptions. However, their approaches to achieving this under DORA differ, with the Commission favouring flexibility and the ESAs advocating a more standardised, global solution.


Ultimately, the decision will centre on whether regulators prioritise short-term flexibility for smaller ICT providers or long-term consistency and data quality for the financial system as a whole. Regardless of the outcome, the DORA Regulation marks a significant step forward in strengthening the digital resilience of Europe’s financial sector, ensuring it can withstand the growing threats posed by cyber risks and operational disruptions.
