DORA: Register of ICT Contract Information – the Polish Financial Supervision Authority will soon give the ‘I’m checking’ signal

One of the important responsibilities that the DORA regulation imposes on financial entities is to maintain and submit to the Polish Financial Supervision Authority a register of information on ICT contracts (ROI).

This register is more than a list of contracts with ICT suppliers. Its purpose is to create a database of key information for ICT risk management. The ROI is intended to map the relationships between the financial entity and its suppliers, providing supervisory bodies with full insight and control over these relationships.

The deadline for preparing and submitting the first ROI to the KNF is approaching. According to the KNF, the first ROI reports will be submitted in April 2025 (the exact date will be announced at the beginning of April).

Scope of responsibilities and key challenges

In order to prepare the ROI, financial entities will have to collect a range of information, including:

• Information on specific ICT contracts, including basic information such as the parties, the type of services, the dates of conclusion and validity, as well as more detailed information on the contract value, notice periods, place of service provision or data storage.
• LEI numbers of ICT suppliers and subcontractors.
• For contracts that support critical or important functions, comprehensive information about the supply chain is necessary.

For many financial institutions, the key challenge is obtaining data for the ROI register. This information is often not centrally collected, which requires the involvement of various organisational units and external ICT providers, which can delay the process.

Formal requirements, validation and changing guidelines

Collecting data is only the first step. The next challenge is to correctly fill in the ROI register in accordance with the requirements of the Polish Financial Supervision Authority (KNF).

The reporting obligation will be fulfilled via the KNF reporting system, using dedicated ROI forms. The register must meet certain standards – incorrect data format, missing required fields or incorrect file name can result in rejection, which means urgent correction and resubmission.

The changing regulatory environment is an additional challenge. Taxonomies, forms and instructions are constantly updated, so financial institutions must follow KNF and EBA guidelines to comply with the latest requirements and avoid problems when submitting the register.

Consolidation of data in capital groups

For capital groups, the consolidation of the ROI register is an additional challenge. A financial entity required to maintain a consolidated ROI must include not only its own contracts with ICT suppliers, but also similar information from its subsidiaries (if they are subject to DORA).

For financial entities, this means the need to:

✔ Verify whether and to what extent their ROI is subject to consolidation,

✔ If they are required to consolidate, obtain data from subsidiaries in time to verify it and enter it in the register.

Standardising the way data is reported by individual entities is key to avoiding inconsistencies in the consolidated ROI register.

How to prepare?

Due to the complexity of the process of preparing a correct ROI, in my opinion, the key to the success of the entire undertaking is the implementation of an internal process for preparing the register, which should include:

1. careful familiarisation with the definitions in DORA and implementing acts, as well as the interpretation of KNF guidelines;
2. for capital groups: identify the entities covered by the register – determine which entities within the financial group are subject to the reporting obligation;
3. collect and complete data in the appropriate forms – identify missing information and contact suppliers to obtain it.
4. comply with formats and taxonomy
5. Regularly monitoring regulatory changes – keeping track of updates from the KNF and EBA to ensure that the organisation is working on the correct forms and in accordance with current guidelines.

o summarise…

The ICT Contract Information Register is a key obligation for financial entities covered by DORA, and its preparation requires time, special care and precision. Failure to comply with the PFSA’s requirements may result in the report being rejected and, in extreme cases, severe sanctions.

Financial institutions should work intensively on their records and also monitor updates provided by the PFSA and EBA, as changing guidelines may force additional adjustments in reporting.

Useful materials

• EBA:Guidelines and materials regarding DORA
• KNF: DORA reporting portal (reporting forms, detailed instructions and KNF guidelines, requires login)