FAQs

With regard to the notification of the information register in accordance with Article 28(3) DORA, the FMA currently assumes that the notification requirements in the e-Service Portal for Financial Intermediaries in Liechtenstein will probably be sent at the end of January/beginning of February. The submission deadline is expected to be in the last week of February. Due to information that is not yet final with regard to specific deadlines for forwarding and possible technical adjustments on the part of the ESA, it is not yet possible for the FMA to announce final dates. As soon as the relevant parameters are known or changes to this time window are specifically foreseeable, the FMA will provide further separate information.

The scope of the European DORA Regulation (Article 2 (1) DORA):

1. CRR credit institutions,
2. Payment institutions,
3. Account information service providers,
4. Electronic money institutions,
5. Investment firms,
6. Providers of crypto services authorized under the Regulation of the European Parliament and of the Council on Markets in Crypto-Assets (MiCAR) and issuers of value-referenced tokens,
7. Central securities depositories,
8. central counterparties,
9. Trading venues,
10. Trade repositories,
11. Alternative investment fund managers,
12. Management companies
13. Data provision services,
14. Insurance and reinsurance companies,
15. Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
16. Institutions for occupational retirement provision,
17. Rating agencies,
18. Administrators of critical benchmarks,
19. Crowd funding service providers,
20. Securitization registers
21. ICT service providers

Exemptions apply to the following entities (Article 2(3) DORA):

1. Alternative investment fund managers as defined in Article 3(2) of Directive 2011/61/EU;
2. Insurance and reinsurance undertakings within the meaning of Article 4 of Directive 2009/138/EC;
3. Institutions for occupational retirement provision operating pension schemes with fewer than 15 members in total;
4. natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU;
5. Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are micro, small or medium-sized enterprises;
6. Post office giro institutions within the meaning of Article 2(5)(3) of Directive 2013/36/EU.

The DORA provides extensive relief for financial undertakings that meet the criteria of a "micro-entity". A microenterprise is a financial intermediary that is not a trading venue, a central counterparty, a trade repository or a central securities depository, that employs fewer than ten persons and whose annual turnover or balance sheet total does not exceed EUR 2 million (or the equivalent value in CHF).

If there are any uncertainties regarding the application of the micro-entrepreneur regulation to your own company, the FMA is available to answer questions at any time.

DORA has been applicable in the European Union since January 17, 2025. In Liechtenstein, applicability requires a decision by the EEA Joint Committee and the associated incorporation into the EEA Agreement. In Liechtenstein, DORA applies directly following its incorporation into the EEA Agreement. Some of the provisions of the Regulation require national implementation, for which the EEA DORA Implementation Act (DORA-DG) is created. The DORA-DG provides for the advance implementation of these EEA legal acts due to the not yet foreseeable legally binding adoption of Regulation (EU) 2022/2554 (DORA) and Directive (EU) 2022/2556 into the EEA Agreement. The Act of December 5, 2024 on the implementation of Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (EEA-DORA-DG) entered into force on February 1, 2025.

ICT services are digital services and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services. This also includes technical support by the hardware provider by means of software or firmware updates, with the exception of conventional analog telephone services (Art. 3 para. 1 no. 21 DORA).

The information register pursuant to Art. 28 para. 3 DORA is a register to be created or filled with all contractual agreements on the use of ICT services provided by ICT third-party service providers, which is seen by DORA as an important tool within the ICT risk management framework. Implementing Regulation (EU) 2024/2956 [...] with regard to standard templates for the information register contains further details on the information register.

With the applicability of DORA in Liechtenstein, those financial intermediaries that fall under the scope of DORA will be exempt from FMA Directive 2021/3 - ICT Security. FMA Directive 2021/3 remains in force for those financial intermediaries that do not fall within the scope of DORA. In view of the applicability of DORA in Liechtenstein from February 1, 2025, adjustments were made to FMA Directive 2021/3, which entered into force on the same date. Financial intermediaries for which DORA is applicable are explicitly exempt from FMA Directive 2021/3 when these amendments enter into force.

In the meantime, Implementing Regulation (EU) 2024/2956 [...] has been adopted with regard to standard templates for the information register. It stipulates that for legal entities, the LEI and the EUID are recognized international and European identifiers that ensure consistent, unique and reliable identification of entities. Consequently, one of those two identifiers should be used to identify third party ICT service providers established in the Union for the purposes of the application of that Regulation and should be considered as information common to all contractual arrangements, while the identification of third party ICT service providers established in third countries should be based on the LEI only.

The Legal Entity Identifier ("LEI code") is a twenty-digit alphanumeric company identifier that has been established as an international standard for companies in the financial market. Each LEI code is assigned once and enables a worldwide assignment to a specific company.

Standardized software licenses are usually rights of use that do not constitute an ICT service within the meaning of Art. 3 No. 21 DORA. However, there are often accompanying ICT services, e.g. via maintenance and support contracts associated with the license purchase.

ICT services that support critical or important functions of financial companies are defined in Art. 3 No. 21 and 22 DORA. The assessment of which functions are critical or important is carried out by the financial undertaking itself. This is to be distinguished from critical ICT third-party service providers, which are defined in Art. 3 No. 23 DORA. These are classified as critical in accordance with Art. 31 DORA under the provisions of the framework for the supervision of critical third-party ICT service providers by the supervisory authorities.

The template for the information register was provided by the ESAs as part of the publication of the current EBA Reporting Technical Package on December 19, 2024. The publication of the documents can be found here. Essential for this was the publication of Implementing Regulation (EU) 2024/2956 [...] with regard to standard templates for the information register, which has now taken place. Only minor adjustments were made to the templates of the ESA DORA Dry Run.

The submission period for financial intermediaries in Liechtenstein extends from April 1 to April 14, 2025 inclusive. Please note that the information register for the year 2025 must be prepared and submitted by March 31, 2025. The competent supervisory authorities should forward the information registers to the ESAs by April 30, 2025. The submission for both the notification of serious ICT-related incidents and the information register is carried out for financial intermediaries in Liechtenstein via the e-Service Portal.

The information register must be submitted in XBRL-CSV format in the FMA's e-Service Portal. The publication of the EBA Reporting Technical Package, which contains the necessary technical information for submitting the DORA Information Register, can be found here: EBA Technical Package

No, the information register is submitted in XBRL-CSV format using the specifications of the ESAs in accordance with the EBA Technical Package. As already announced as part of the ESA DORA Dry Run, no Excel template with XBRL converter tool will be made available for reporting in 2025.

Yes, the European Supervisory Authorities (ESAs) provide comprehensive answers to frequently asked questions, which are continuously updated by the ESAs: ESA Information Register FAQs

According to Art. 3 para. 8 DORA, an ICT-related incident is an event not planned by the financial undertaking or a corresponding series of related events that affects the security of the network and information systems and has a detrimental impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial undertaking.

Each ICT-related incident must be classifiedin accordance with Art. 18 para. 1 DORA (based on the relevant classification criteria including the Delegated Regulation (EU) 2024/1772 establishing the criteria for the classification of ICT-related incidents and cyber threats, the materiality thresholds and the details of serious incident reports).

A financial intermediary is obliged to report an ICT-related incident if it is classified as serious on the basis of the above criteria (Art. 19 para. 1).

All financial intermediaries that fall within the scope of DORA pursuant to Art. 2 para. 1 DORA are obliged to report serious ICT-related incidents to the FMA, taking into account the requirements of Delegated Regulation (EU) 2025/301.

An incident-related report for serious ICT-related incidents can be triggered in the e-Service Portal. In addition, financial intermediaries also report significant cyber threats on a voluntary basis via the e-Service Portal if the financial intermediary identifies a threat (e.g. to the financial sector, other market participants or customers).

The Excel templates of the European Supervisory Authorities (ESAs), which are available in the e-Service and on the FMA DORA website, must be used for the submission of the notification. Even if the template is provided in English, it may also be completed in German. The following procedure must be observed when submitting the various reports:

1. Initial notification: Only the "Initial Notification" tab is to be completed.
2. Intermediate notification: The two tabs "Initial Notification" and "Intermediate Report" must be completed.
3. Final report: All three tab sheets "Initial Notification", "Intermediate Report" and "Final Report" must be completed.

In the event of a change in individual notification contents between the notifications (e.g. changes between the initial notification and the intermediate notification), the data must be adjusted when entering the intermediate or final notification.

Details on the content and deadlines for reporting serious ICT-related incidents are set out in Delegated Regulation (EU) 2025/301. The following deadlines for reporting are particularly relevant:

1. Initial notification: This notification must be submitted as early as possible, but in any case within four hours of the ICT-related incident being classified as serious and no later than 24 hours after the financial undertaking became aware of the ICT-related incident.
2. Interim report: This report must be submitted no later than 72 hours after the initial report is submitted. Financial intermediaries must submit any updated interim reports without delay, but in any case as soon as regular business operations have resumed.
3. Final report: This report must be submitted no later than one month after the submission of the interim report or, if applicable, after the last updated interim report.

This content has been translated using a fully automated machine translation tool. Some content may not be accurately translated. More information.