For the completion of template “FC.06 Risk Concentration - Exposure by counterparties”, could you clarify which methodology shall be used for determining the value of exposure to be reported, in particular for repo / reverse repo and derivatives?

Could you clarify in which case it shall be considered that a transaction is shifting risk exposures between entities outside the financial conglomerate (but where ultimately the risk exposure is brought back or stays within the financial conglomerate)? Shall transactions with non-consolidated SPV be considered as such indirect intragroup transactions to be reported or be considered as shifting risk outside the financial conglomerate and therefore are not required to be reported?

Following the changes to the ITS, we have identified a potential issue with the taxonomy validations between S17 and S19. In the new ITS it states that for the Undiscounted Best Estimate Triangles, the values should be reported "net of salvage and subrogation and excluding any expenses, as well as any future premiums."

According to "EIOPA_FICOD_DPM_Annotated_Templates_2.8.1_Hotfix.xlsx" in the template FC.07.01.36.02 in FC0040 the sector has to be filled with the hierarchy "NC – 1 from s2c_dim:NC". In this hierarchy several entries starting with “K” are marked as “false” in the column "Usable" in "EIOPA_DPM_Dictionary_2.8.1_Hotfix.xlsx". In “EIOPA_FinancialConglomerates_Technical_Logs_2.8.1_Hotfix.pdf” it is stated in section "8. FC.07.01 - RISK CONCENTRATION - EXPOSURE BY CURRENCY, SECTOR, COUNTRY": The ‘sector’ should present the split between the following sectors: a) public sector b) financial sector c) corporate sector divided by the NACE code

We have a question regarding S.37.01 Cell C0320 – Exemptions (included in the Implementing Regulation 2023/894), where we seek clarification of what information is asked for specifically. The cell C0320 makes reference to Article 187 in the delegated regulation, and in its reporting events, EIOPA has also referred to the banking regulation (Article 400 in the Regulation (EU) No 575/2013); We understand this is because both articles/legislations are referred to in the FICOD reporting requirements (Implementing Regulation 2022/2454, template FC.06, cell FC0270).

Regarding art. 11 (5) Business Impact Analysis (BIA). We would like to know if the Joint Committee are planning on publishing a BIA template?

If a firm is referring its staff to an online third-party ID verification provider and the third-party immediately passes its ratings to the firm via an API, but only stores the data for 30 days, could this be viewed as an outsourcing arrangement or not?

Article 6 of DORA and Article 2 of the RTS on ICT risk management clearly assign to control function specific tasks in ICT risk management and monitoring. my understanding of the Article 2 of the RTS is that control function will be appointed to: 1) Define clear and measurable objectives in terms of ICT & Cyber Resilience in order to keep ICT risk within Risk Appetite limit 2) because of the mandate above, control function defines principles and provisions (what to do to be resilient) in the following areas of the RTS in order to be able to measure the defined objectives:

Is our understanding correct that this provision allows to include an obligation on the financial entity to provide details on the scope, procedures to be followed and the frequency of such inspections and audits, but that it does not constitute a requirement to include such an obligation?