LEI Regulation Spotlight
DORA – Digital Operational Resilience Act
Understand how DORA strengthens ICT resilience across EU financial services, and how the Legal Entity Identifier (LEI) supports third‑party risk and reporting alignment.
Overview
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) establishes a unified framework for managing ICT and operational risk across the EU financial sector. It applies to financial entities such as banks, insurers, investment firms and payment institutions, and brings the ICT third-party providers designated as critical under a dedicated EU-level oversight framework. Its goal is that financial entities can prevent, withstand, respond to and recover from ICT-related disruptions.
Objectives and scope
- Define governance and ICT risk management requirements (policies, roles, controls, testing).
- Standardise major incident reporting and information sharing.
- Introduce digital operational resilience testing (including TLPT for significant entities).
- Establish oversight of critical ICT third‑party providers at EU level.
- The ESAs (EBA, ESMA, EIOPA), through their Joint Committee, develop the technical standards and run the oversight framework for critical ICT third-party providers; day-to-day supervision of financial entities stays with national competent authorities.
- Entered into force on 16 January 2023; applies from 17 January 2025. Supporting RTS/ITS were phased in through 2024–2025.
Why organisation identity matters
To manage operational risk effectively, financial institutions must identify and monitor their ICT supply chains. Without consistent legal identity data, risk assessments and reporting become fragmented.
The Legal Entity Identifier (LEI) provides a verified, persistent identifier for each legal entity and, through its Level 2 relationship data, links suppliers, subsidiaries and service providers to their parent entities, supporting transparency and accountability.
| Regulatory requirement | LEI contribution |
|---|---|
| Identify and catalogue ICT third-party providers and material subcontractors | Use LEI as the primary global identifier for each legal entity; avoid name/translation variance. |
| Assess concentration and substitution risk | Use GLEIF Level 2 parent data to map groups and ultimate parents; link to risk registers. |
| Standardise incident communication and reporting | Embed LEIs in ISO 20022/other reporting fields to reference affected providers consistently. |
| Coordinate across multiple regulatory regimes | Reuse LEIs already required under MiFID II/EMIR/SFTR; the same identifier is carried in ISO 20022 payment and reporting messages, so one key serves every regime. |
Implementation insight
To prepare for DORA:
- Scope & Discover: inventory in-scope legal entities and every material ICT provider and subcontractor; request LEIs where they are missing.
- Data Quality: check each LEI's format and check digits locally, then look it up through the GLEIF API and store legal name, registration status, jurisdiction and next renewal date alongside the vendor record.
- Integrate: add LEI fields to vendor risk, onboarding, contract and incident systems, and enable automated API checks at onboarding and on a schedule.
- Map Hierarchy: use Level 2 relationship data to link subsidiaries to direct and ultimate parents, so concentration and contingency analysis counts providers by group rather than by legal entity.
- Operate: automate renewal reminders and periodic reconciliations against GLEIF data, and include LEIs in incident playbooks and TLPT scenarios so affected providers are named unambiguously.
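The following script is an added worked example of the Data Quality, Map Hierarchy and Operate steps above; it is not RapidLEI or GLEIF code. It validates LEI check digits (ISO 17442 uses ISO 7064 MOD 97-10, the same scheme as IBAN), parses a lookup response in the shape of the GLEIF `lei-records` endpoint (that shape, the vendor register, the LEIs and the parent relationships are all constructed here so the script runs offline), reconciles the register against the records, and rolls providers up to their ultimate parent for concentration analysis.

```python
"""Added example: LEI check-digit validation, GLEIF record parsing, vendor-register
reconciliation and Level 2 roll-up. Not RapidLEI or GLEIF code. Assumed: the JSON
shape of api.gleif.org/api/v1/lei-records/{lei}. All LEIs, vendors and parent
links below are constructed for illustration, not real registrations."""
import json
from collections import Counter
from datetime import date

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # ISO 17442 character set

def _mod97(s):
    # ISO 7064 MOD 97-10: each letter expands to two digits (A=10 ... Z=35)
    value = 0
    for ch in s:
        n = ALPHABET.index(ch)
        value = (value * (100 if n >= 10 else 10) + n) % 97
    return value

def lei_check_digits(prefix):
    """Check digits for an 18-character prefix: 98 - ((prefix || '00') mod 97)."""
    if len(prefix) != 18 or any(c not in ALPHABET for c in prefix):
        raise ValueError("prefix must be 18 characters from 0-9 and A-Z")
    return f"{98 - _mod97(prefix + '00'):02d}"

def is_valid_lei(lei):
    """Structural check only: 20 chars, numeric check digits, whole string mod 97 == 1.
    It shows the string is well-formed, not that the LEI exists or is current."""
    return (len(lei) == 20 and all(c in ALPHABET for c in lei[:18])
            and all(c in ALPHABET[:10] for c in lei[18:]) and _mod97(lei) == 1)

def _lei(prefix):
    return prefix + lei_check_digits(prefix)

# Constructed identifiers for the worked example
LEI_GROUP = _lei("EXAMPLEGROUPHOLD01")   # group holding company
LEI_HOST = "RAPIDLEIEXAMPLE00149"        # check digits 49, worked by hand
LEI_SAAS = _lei("EXAMPLESAASVENDOR1")

def gleif_response(lei, name, jurisdiction, reg_status, renewal):
    """Constructed body in the (assumed) GLEIF JSON:API record shape."""
    return json.dumps({"data": {"type": "lei-records", "id": lei, "attributes": {
        "lei": lei,
        "entity": {"legalName": {"name": name}, "jurisdiction": jurisdiction, "status": "ACTIVE"},
        "registration": {"status": reg_status, "nextRenewalDate": renewal + "T00:00:00Z"}}}})

def parse_gleif_record(body):
    """Keep the fields the register needs: name, status, jurisdiction, renewal date."""
    a = json.loads(body)["data"]["attributes"]
    return {"lei": a["lei"], "legal_name": a["entity"]["legalName"]["name"],
            "jurisdiction": a["entity"]["jurisdiction"],
            "registration_status": a["registration"]["status"],
            "next_renewal": date.fromisoformat(a["registration"]["nextRenewalDate"][:10])}

def reconcile(vendors, records, today, warn_days=60):
    """Compare the vendor register with GLEIF data; returns (vendor, finding) pairs.
    Only 'ISSUED' counts as a current registration; anything else is flagged."""
    findings = []
    for v in vendors:
        lei = (v.get("lei") or "").strip().upper()
        if not lei:
            findings.append((v["name"], "MISSING_LEI")); continue
        if not is_valid_lei(lei):
            findings.append((v["name"], "INVALID_LEI")); continue
        rec = records.get(lei)
        if rec is None:
            findings.append((v["name"], "NOT_FOUND_AT_GLEIF")); continue
        if rec["registration_status"] != "ISSUED":
            findings.append((v["name"], "REGISTRATION_" + rec["registration_status"]))
        elif (rec["next_renewal"] - today).days < warn_days:
            findings.append((v["name"], "RENEWAL_DUE"))
        if rec["legal_name"].casefold() != v["name"].casefold():
            findings.append((v["name"], "NAME_MISMATCH"))
    return findings

def ultimate_parent(lei, direct_parents):
    """Walk Level 2 direct-parent links to the top of the group; a LEI with no
    recorded parent is its own ultimate parent. Stops if bad data forms a cycle."""
    seen = {lei}
    while lei in direct_parents and direct_parents[lei] not in seen:
        lei = direct_parents[lei]
        seen.add(lei)
    return lei

def concentration_by_group(vendors, direct_parents):
    """How many providers with a well-formed LEI roll up to each ultimate parent."""
    return Counter(ultimate_parent(v["lei"], direct_parents)
                   for v in vendors if is_valid_lei(v.get("lei") or ""))

# Constructed vendor register, GLEIF lookups and Level 2 relationship data
VENDORS = [
    {"name": "Example Cloud Hosting Ltd", "lei": LEI_HOST},
    {"name": "Example SaaS Vendor", "lei": LEI_SAAS},
    {"name": "Legacy Print Services", "lei": ""},
    {"name": "Typo Telecom", "lei": "RAPIDLEIEXAMPLE00194"},   # check digits transposed
]
RECORDS = {r["lei"]: r for r in map(parse_gleif_record, [
    gleif_response(LEI_HOST, "Example Cloud Hosting Ltd", "IE", "LAPSED", "2025-03-01"),
    gleif_response(LEI_SAAS, "Example SaaS Vendor GmbH", "DE", "ISSUED", "2026-02-01"),
])}
DIRECT_PARENTS = {LEI_HOST: LEI_GROUP, LEI_SAAS: LEI_GROUP}

def run_example(today_iso="2025-08-01"):
    """Reconciliation findings and per-group concentration as of a given date."""
    findings = reconcile(VENDORS, RECORDS, date.fromisoformat(today_iso))
    return findings, dict(concentration_by_group(VENDORS, DIRECT_PARENTS))

if __name__ == "__main__":
    findings, groups = run_example()
    for name, finding in findings:
        print(f"{name}: {finding}")
    print("providers per ultimate parent:", groups)
```

Two design points matter in practice. A check-digit pass only proves the string is well-formed, so a typo that still passes, or a correctly formed LEI that has lapsed, is caught only by the GLEIF lookup; that is why `reconcile` treats every registration status other than `ISSUED` as a finding. The roll-up shows both constructed providers under one group parent, which is the concentration signal a per-entity inventory hides.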
RapidLEI support and next steps
RapidLEI automates LEI registration and renewal for regulated financial entities and ICT vendors. Bulk registration, API connectivity, and hierarchy-mapping tools help institutions maintain accurate, real-time visibility of supplier risk across jurisdictions.
Key resources
- What is an LEI? An introduction to Legal Entity Identifiers and the LEI ecosystem
- Official Regulation (EU) 2022/2554
- ESAs Joint Committee DORA Guidelines and Q&A
- GLEIF “The LEI in Operational Resilience”