BaFin Highlights New Transparency Requirements for ICT Third-Party Services Under DORA
Frankfurt, May 2025 – Germany’s Federal Financial Supervisory Authority (BaFin) is emphasizing the importance of the newly mandated register of information under the Digital Operational Resilience Act (DORA). The register, which must be maintained by all financial entities, aims to identify concentration and dependency risks arising from the use of ICT third-party service providers. According to BaFin, the register enhances transparency for both companies and supervisors, helping detect critical ICT providers and sector-wide vulnerabilities. This development follows a 2024 dry run coordinated by the European Supervisory Authorities (ESAs), which revealed data quality issues now being addressed through revised validation rules.
Financial entities must submit their first complete register to BaFin by 28 April 2025, with contract data as of the reference date 31 March 2025. The register must include all direct and indirect ICT providers supporting critical functions, and providers must be identified using LEI or EUID codes.
To avoid duplicate reporting, BaFin will revise its existing MVP procedure for outsourcing reports to integrate DORA-related data, simplifying compliance for affected institutions.
BaFin will continue to support institutions through workshops and updates on its dedicated info page.
Source: BaFin, summarized by Lucht Probst Associates