Financial institutions face mounting risks from cyber threats, system failures, and third-party vulnerabilities. To help address these challenges, in 2023 the European Union introduced the Digital Operational Resilience Act (DORA), a landmark regulation designed to strengthen the financial sector’s ability to withstand ICT (Information and Communication Technology) related disruptions. As the compliance deadline of January 2025 has now passed, businesses must prioritise operational resilience, and at the heart of this mandate lies the crucial need for trustworthy and reliable organisational identity.

What is DORA?

DORA was enacted on 16 January 2023 and became fully applicable on 17 January 2025. It establishes a comprehensive regulatory framework for digital operational resilience in the EU financial sector, standardising how institutions manage ICT risks, respond to incidents, and oversee third-party service providers.

The regulation applies to banks, insurers, investment firms, and a broad range of financial entities, requiring them to:

  • Implement rigorous ICT risk management measures.
  • Report major ICT-related incidents in a timely manner.
  • Conduct digital operational resilience testing to identify vulnerabilities.
  • Manage risks posed by third-party ICT service providers.
  • Foster information sharing on cyber threats and best practices.

DORA seeks to ensure that financial institutions and their third-party providers maintain strong security postures to mitigate operational risks. This is particularly critical as institutions increasingly rely on third-party service providers, including cloud computing and cybersecurity service providers, for their day-to-day operations. The regulation acknowledges the growing interconnectedness of the modern financial ecosystem.

Understanding ICT in the Context of DORA

ICT, or Information and Communication Technology, refers to the broad range of technologies and services used to store, process, and transmit data. In the context of DORA, ICT encompasses everything from cloud computing services and data centres to cybersecurity solutions and network infrastructure. Given the increasing reliance on third-party ICT providers, ensuring their resilience and accountability is crucial for the financial sector’s stability.

The Role of Organisational Identity

One of DORA’s key provisions is the requirement for financial institutions to maintain an up-to-date register of all third-party ICT providers that support critical functions. To ensure transparency and regulatory compliance, these providers must be uniquely identifiable via an organisational identity.

LEI vs. EUID: Identifying Third-Party Providers

DORA specifies two possible organisational identifiers for third-party ICT service providers: the Legal Entity Identifier (LEI) and the European Unique Identifier (EUID).

  • LEI (Legal Entity Identifier): A globally recognised, 20-character alphanumeric code that uniquely identifies legal entities involved in financial transactions. The LEI enhances transparency by providing a standardised, internationally accepted means of identification.
  • EUID (European Unique Identifier): A European-based identifier primarily used within the EU’s business registry system. While useful within Europe, it lacks the global scope and interoperability of the LEI.

Using identifiers like the LEI or EUID can significantly improve the ability of regulators and financial institutions to track third-party ICT providers, mitigating risks associated with outsourcing and reliance on external vendors. The unique identification of ICT providers ensures accountability and supports better decision-making in operational risk management.

Why the LEI is the Stronger Choice

While both identifiers serve the purpose of organisation recognition, the LEI is the only global organisational identifier. Its adoption under DORA could facilitate broader compliance efforts, streamline reporting, and reduce operational risks across international supply chains. By requiring ICT service providers to register and maintain an LEI, financial institutions can ensure better data consistency, align with the 300+ regulations that require LEIs, and protect more effectively against identity fraud.

The benefits of the LEI extend beyond regulatory compliance. Because it is a universally recognised identifier that provides a live public record of “who is who?” and “who owns whom?”, it adds significant efficiency and anti-fraud value to cross-border transactions by enhancing transparency in the global financial system. For financial institutions operating with complex group structures and across different jurisdictions, the LEI provides a reliable and globally standardised means of identifying business partners and third-party providers, with a goal of reducing the complexity of compliance across different regulatory regimes.

In contrast, while the EUID serves a valuable role within the EU, it is clearly designed for European residents and organisations. For example, only EU-based organisations can issue compatible digital wallets and digital credentials. This limitation makes it a partial solution at best for financial institutions engaged in global operations, where third-party providers may be based in different countries. In addition, the technical and legal specifications for organisational identities under EUID are still under heavy development and subject to change, as is the cost. The LEI is therefore arguably the more versatile, readily adoptable and future-proof option for meeting DORA’s requirements.

Statistics – the impact of DORA

Although it is still early days since DORA was enacted, the Global LEI System (GLEIS) is already seeing a positive impact. Since DORA went live, the LEI universe has seen substantial growth across Europe, Asia, and the Americas in key regions supporting the EU finance industry with ICT services. Comparing new LEI issuance in January 2024 to January 2025, year-on-year growth rates stand at 30% in Europe, 45% in the Americas, and 75% in Asia. While not all of this growth can be attributed solely to DORA, given the influence of over 300 other regulations requiring the LEI, the immediate effect should not be overlooked.

Next steps for Financial Institutions

With the DORA compliance deadline already passed, financial institutions must act swiftly to ensure they meet the regulatory requirements. Organisations should begin by assessing their current third-party risk management frameworks and ensuring that all third-party ICT providers are properly identified using an LEI or EUID.

If your institution is preparing to comply with DORA, Ubisecure RapidLEI can support you in understanding the LEI requirements of DORA and provide the solution to efficiently manage LEIs for both your group and your clients.

As a GLEIF-accredited LEI Issuer and the world’s largest provider of Legal Entity Identifiers (LEIs), RapidLEI plays a pivotal role in ensuring LEIs are accessible across all jurisdictions and industries. Our automation and technology-driven approach enables rapid issuance and streamlined management, positioning us as a trusted partner for some of the world’s leading financial institutions as they navigate regulatory requirements impacted by the LEI.

Financial institutions seeking to enhance their LEI capabilities can leverage our GLEIF-approved Validation Agent (VA) programme to streamline LEI registrations, automate processes, and efficiently manage LEIs at scale.

Contact Ubisecure RapidLEI today to discuss how we can support your institution.

Further reading: European Securities and Markets Authority (ESMA) and European Banking Authority (EBA) report on technical standards for ICT services.