WHAT IS DORA? 🇪🇺
The Digital Operational Resilience Act (DORA) is a new piece of legislation introduced by the European Commission in January 2025. The overall objective of the regulation, which applied to regulated Financial Services organisations in the EU, is to create a regulatory framework which enhances operational resilience by requiring firms to demonstrate that they can withstand, respond and recover from all elements of an ICT related disruption or threat.
To find a more comprehensive overview of DORA, or solution, please visit NEXUS Assurance: DORA Hub.
DORA and the Legal Entity Identifier (LEI)
All entities falling under the considerable scope of DORA, will be required to submit a register of information detailing the critical components of their operations, and provide a register of outsourced partners, identified by way of Legal Entity Identifier (LEI). Read the DORA LEI requirements in an ESMA overview.
“Identify unambiguously and consistently the ICT third-party service providers and the FEs by using the Legal Entity Identifier (LEI)2 to enable an efficient aggregation of relevant information”
- ESMA, Final Report on Register of Information
This means that all third party outsourcing partners to a regulated firm, will be required to obtain an LEI before January 2025.
It is not clear who the responsibility of obtaining an LEI belongs to, therefore, the regulated entity should assume responsibility.
If you are a Financial Services firm, your ICT providers are obligated to obtain an LEI code, you can quickly conduct an LEI check using our LEI Look Up tool, track those LEIs, and export to excel for the DORA register upload using the LEI Watchlist tool.
If you are a European ICT provider with clients in Financial Services, click here to register an LEI for DORA.
N.B! The DORA LEI requirement specifically states that na LEI must be active. Where an LEI exists, and it is in a Lapsed state, it will need to be renewed.
Financial entities shall use a valid and active legal entity identifier (LEI) to identify all of their ICT third-party service providers that are legal persons, except for individuals acting in a business capacity who chose not to obtain an LEI.
- ESMA
Why ICT Companies Need an LEI under DORA
The LEI is the only global identifier that maintains an up to date record of a specific entity within a groupo structure, which is freely accessible and publicly available.
- Transparency and Traceability
- Third-Party Risk Management
- Incident Reporting
- Regulatory Compliance and Oversight
LEIs help regulators and financial entities track the relationships between different entities, providing greater transparency in the financial ecosystem. For ICT companies, this means their involvement and roles in providing critical services can be easily identified and monitored.
DORA emphasizes robust risk management practices concerning third-party ICT service providers. Financial entities must ensure that these providers can be reliably identified and assessed for potential risks. The LEI enables a standardized identification system, making it easier for financial entities to manage and report third-party risks.
In case of significant ICT-related incidents, financial entities are required to report to regulatory authorities. Having an LEI helps in the accurate identification of involved entities, ensuring clarity and consistency in incident reports.
Regulators can more effectively oversee and enforce compliance with DORA when all critical ICT service providers have an LEI. This standardized identifier allows for streamlined data collection, analysis, and regulatory supervision.
DORA Recommendations for regulated entities (regarding the LEI component)
1. Conduct a GAP analysis
Identify areas where current practices fall short of DORA requirements and plan necessary improvements.
2. Examine Current Practices
Review and enhance ICT systems, processes , and controls to align with DORA's standards.
3. Engage Legal and Compliance Terms
Involve legal and compliance experts to develop a robust compliance strategy well ahead of the January 2025 deadline.
4. Develop a Comprehensive Compliance Program
Create a detailed roadmap for achieving and maintaining DORA compliance, including timelines and responsibilities.
5. Enhanced Documentation and Certifications
Keep thorough records of ICT risk management practices and pursue relevant certifications like ISO 27001 to demonstrate adherence to best practices and regulatory expectations.
6. Utilise a DORA specific platform that strealines requirements
There is no need to recreate the wheel. Source a reliable, DORA specific platform which hosts and integrates all your DORA related policies, controls, and risk outcomes, including the digitised register of information.
6. Utilise our services
Here at LEI Worldwide we will provide an LEI portfolio health check, streamline all LEIs to one location and automate the renewal process of LEIs.
---------
How to get an LEI for you, or your ICT third party providers:
- Registration: Submit the necessary information about your entity, including legal name, registered address, and company type.
- Verification: The LOU will verify the information provided and cross-reference it with official business registries.
- Issuance: Once verified, the LOU issues the LEI, which is valid for one year and needs to be renewed annually.
LEI Worldwide opens new offices in Pune, India
.png)
LEI Worldwide nominated Finalist in FS Awards in Association with KPMG
Partnership Announcement: LEI Worldwide and Trrue.io
.png)
GLEIF & Finbridge Global announce partnership to Streamline Identity Verification for Fintechs
Bank of England mandates LEI: CHAPS RTGS Payment Messages ISO 20022
.png)
LEI Worldwide attend Global Funds Conference 2024
