According to "EIOPA_FICOD_DPM_Annotated_Templates_2.8.1_Hotfix.xlsx" in the template FC.07.01.36.02 in FC0040 the sector has to be filled with the hierarchy "NC – 1 from s2c_dim:NC". In this hierarchy several entries starting with “K” are marked as “false” in the column "Usable" in "EIOPA_DPM_Dictionary_2.8.1_Hotfix.xlsx". In “EIOPA_FinancialConglomerates_Technical_Logs_2.8.1_Hotfix.pdf” it is stated in section "8. FC.07.01 - RISK CONCENTRATION - EXPOSURE BY CURRENCY, SECTOR, COUNTRY": The ‘sector’ should present the split between the following sectors: a) public sector b) financial sector c) corporate sector divided by the NACE code

We have a question regarding S.37.01 Cell C0320 – Exemptions (included in the Implementing Regulation 2023/894), where we seek clarification of what information is asked for specifically. The cell C0320 makes reference to Article 187 in the delegated regulation, and in its reporting events, EIOPA has also referred to the banking regulation (Article 400 in the Regulation (EU) No 575/2013); We understand this is because both articles/legislations are referred to in the FICOD reporting requirements (Implementing Regulation 2022/2454, template FC.06, cell FC0270).

Regarding art. 11 (5) Business Impact Analysis (BIA). We would like to know if the Joint Committee are planning on publishing a BIA template?

If a firm is referring its staff to an online third-party ID verification provider and the third-party immediately passes its ratings to the firm via an API, but only stores the data for 30 days, could this be viewed as an outsourcing arrangement or not?

Article 6 of DORA and Article 2 of the RTS on ICT risk management clearly assign to control function specific tasks in ICT risk management and monitoring. my understanding of the Article 2 of the RTS is that control function will be appointed to: 1) Define clear and measurable objectives in terms of ICT & Cyber Resilience in order to keep ICT risk within Risk Appetite limit 2) because of the mandate above, control function defines principles and provisions (what to do to be resilient) in the following areas of the RTS in order to be able to measure the defined objectives:

Is our understanding correct that this provision allows to include an obligation on the financial entity to provide details on the scope, procedures to be followed and the frequency of such inspections and audits, but that it does not constitute a requirement to include such an obligation?

Is our understanding correct that the requirement to have the right to agree on alternative assurance levels if other clients’ rights are affected is only required if the unrestricted rights of access, inspection and audit are limited where the unrestricted access would affect ICT third-party service provider’s other clients? In other words, Art. 30 para 3(e)(ii) is not an additional requirement that needs to be fulfilled if Art. 30 para 3(e)(i) is already agreed without such restriction?

The PEPP regulation does not regulate the case if the PEPP saver moves outside the European Union. Can the client continue to contribute to such an PEPP account and can the PEPP provider provide the PEPP to that client outside the EU? And if he had more sub-accounts, to which sub-account can he continue to contribute to the last one?

BV1026-2 states {t: S.08.01.01.01, c: C0180, z: Z0001} > 0, but when I look at the actual guidance, it says: "Number of underlying assets in the contract (e.g. for equity futures it is the number of equities to be delivered per derivative contract at maturity, for bond futures it is the reference amount underlying each contract). The way the contract size is defined varies according with the type of instrument. For futures on equities it is common to find the contract size defined as a function of the number of shares underlying the contract. For futures on bonds, it is the bond nominal amount underlying the contract. Only applicable for futures and options" The validation rule does not have any filter that would indicate that this should only be for CIC A, B, or C. The guidance indicates this rule should only be applicable to A, B, and C. Is validation rule BV1026-2 correct?