Guide Contents
DORA Register of Information: Complete Guide
Guide Contents
In Summary
The DORA Register of Information (RoI) is a mandatory, continuously maintained inventory of all contractual arrangements between a financial entity and its ICT third-party service providers, required under Article 28 of DORA (Regulation (EU) 2022/2554). Commission Implementing Regulation (EU) 2024/2956 specifies the exact data fields that must be populated for each provider, including legal entity identifiers, service classifications, critical function flags, sub-contracting chains, and contractual dates. Financial entities must submit the register to their competent authority on request and as part of annual reporting cycles. This guide explains what the register must contain, how to distinguish critical from non-critical services, how to build and maintain the register operationally, and the most common compliance gaps that supervisory reviews have identified.
- Mandatory under DORA Article 28 for all in-scope financial entities.
- Must include every ICT third-party contractual arrangement, not just critical providers.
- Data fields are prescribed by Commission Implementing Regulation (EU) 2024/2956.
- Requires continuous maintenance, not annual compilation.
- Supports supervisory reporting to competent authorities on request and during annual submissions.
- Critical provider identification and subcontracting chains are key areas of regulatory scrutiny.
- Poor governance, incomplete inventories, and outdated records are among the most common compliance findings.
Expert View
|
Matt Davies
Chief Product Officer, SureCloud |
What our experts say about the DORA register of information
"The practical challenges in building and maintaining a complete and accurate Register of Information — particularly around sub-contracting visibility and critical function classification — and what competent authorities have found in their reviews." |
Key Context
DORA Article 28 establishes the framework for ICT third-party risk management. At its core is the Register of Information: every in-scope financial entity must maintain a register recording all contractual arrangements with ICT third-party service providers, whether those services are directly provided or delivered through sub-contracting arrangements for functions classified as critical or important. The register is not a static inventory prepared once for the competent authority — it is a living document that must be updated whenever a new contractual arrangement is entered into, an existing one is modified, or a critical function classification changes.
The legal requirement for the register's format is set out in Commission Implementing Regulation (EU) 2024/2956, which was published in October 2024 and became applicable on 17 January 2025 alongside DORA itself. The Implementing Regulation specifies the exact template, including the data fields to be completed for the register at entity level and at the level of each individual contractual arrangement. The ESAs published Q&As to clarify specific requirements, and national competent authorities have incorporated RoI completeness and accuracy as a primary focus in their supervisory reviews.
The RoI serves two distinct purposes in the DORA framework. First, it is the foundation of the financial entity's ICT third-party risk management programme — you cannot conduct concentration risk analysis, assess exit feasibility, or evaluate critical function dependency without a complete picture of your ICT supply chain. Second, it enables competent authorities and the ESAs to assess sector-wide ICT concentration risk and identify which ICT providers are systemically important enough to warrant designation as Critical ICT Third-Party Providers (CTPPs) subject to direct ESA oversight.
What the Register of Information Must Contain
Commission Implementing Regulation (EU) 2024/2956 specifies the register in two parts: an entity-level section covering the financial entity itself, and a contractual arrangement section covering each ICT service provider relationship.
Entity-Level Information
For each financial entity maintaining the register, the following must be recorded:
- Legal name of the financial entity and its Legal Entity Identifier (LEI).
- Type of financial entity (credit institution, insurer, investment firm, etc.) as defined in DORA Article 2.
- Member state of authorisation or registration.
- Name of the competent authority responsible for the financial entity.
- Whether the entity is part of a group, and if so, the group identifier.
Contractual Arrangement Information
For each contractual arrangement with an ICT third-party service provider, the register must capture:
|
Data Field |
What Must Be Recorded |
|---|---|
|
ICT third-party provider identity |
Legal name; LEI or other identifier; country of headquarters; jurisdiction in which the service is provided from |
|
Nature of ICT service |
Type of ICT service as per the classification categories in Commission Implementing Regulation 2024/2956 (e.g. cloud computing, data analytics, IT infrastructure management, software development) |
|
Criticality designation |
Whether the service supports a critical or important function of the financial entity; the basis for the classification |
|
Contractual details |
Start date of contractual arrangement; end date (if applicable); notice period; applicable law governing the contract |
|
Functions supported |
Description of the specific functions, processes, or activities supported by the ICT service |
|
Data types |
Categories of data processed or accessible by the ICT provider (personal data, sensitive financial data, confidential data) |
|
Sub-contracting |
For services supporting critical/important functions: identification of material sub-contractors providing ICT services in the chain, including their LEI and jurisdiction |
|
Storage and processing location |
Countries in which data is stored; countries in which data is processed |
|
Substitutability |
Whether the ICT service is substitutable and if not, the reason |
|
Exit plan |
Whether a documented exit plan exists for the termination or replacement of the contractual arrangement |
The sub-contracting requirement is consistently the most challenging field to complete accurately. DORA does not require financial entities to map their entire ICT supply chain to infinite depth — the obligation extends to material sub-contractors supporting critical or important functions. However, determining which sub-contractors are material requires the financial entity to have asked the question of their ICT providers, and many providers are reluctant to disclose their own supply chains in detail.
Distinguishing Critical and Important Functions
The distinction between critical and important functions, and non-critical ICT services, is fundamental to the Register of Information. Not every ICT provider needs to be managed to the same standard: DORA's most stringent requirements for contractual provisions (Article 30), exit planning, and sub-contracting oversight apply specifically to services that support critical or important functions. Getting the classification wrong — either by over-classifying and creating unmanageable compliance obligations, or by under-classifying and leaving critical services outside the DORA framework — is a significant risk.
DORA Article 3(22) defines a 'critical or important function' as a function whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the continued compliance of a financial entity with the conditions and obligations of its authorisation, or its other obligations under applicable financial services law. This definition is deliberately broad: it encompasses not just core banking or insurance activities, but also the operational infrastructure, compliance systems, and data management processes on which those activities depend.
Classification Framework
|
Classification |
Definition |
DORA Treatment |
|---|---|---|
|
Critical or important function (CIF) |
Disruption would materially impact financial performance, service continuity, regulatory compliance, or authorised activities |
Full Article 30 contractual requirements; sub-contracting transparency; exit planning; audit rights; ICT concentration risk assessment |
|
Other ICT service |
Does not support a critical or important function; disruption would not materially impact the entity |
Basic contractual standards under Article 28; included in Register of Information but simplified treatment |
|
Internal ICT service |
Provided by an entity within the financial entity's group structure |
Group-internal services are still recorded in the RoI if they are material; intra-group exceptions apply in certain circumstances |
The practical test for critical/important function classification is to ask: if this ICT service was unavailable for 24 hours, 48 hours, or one week, would it affect the firm's ability to serve clients, meet regulatory obligations, or operate core processes? Services that fail this test in any scenario should be classified as supporting critical or important functions. Borderline cases should be escalated to the TPRM function and documented with a rationale — the classification decision itself is evidence that competent authorities will review.
For detailed guidance on managing critical ICT third-party providers and the CTPP oversight regime, see /resource-hub/dora-critical-ict-third-party-providers.
Building and Maintaining the Register of Information
Completing the Register of Information for the first time requires a structured data gathering exercise that most financial entities have found more complex than anticipated. The challenge is not the template itself — the fields specified in Commission Implementing Regulation (EU) 2024/2956 are specific but not technically complex. The challenge is that the data needed to populate it is scattered across procurement records, contract management systems, shadow IT inventories, business unit records, and, in some cases, the institutional memory of individual staff.
Initial Build: Four-Stage Approach
Stage 1 — Discovery. Compile an initial inventory of all ICT providers from procurement records, accounts payable data, software licensing registers, and cloud service agreements. Add to this any ICT services identified through business unit interviews — particularly services procured directly by business units without central IT involvement.
Stage 2 — Classification. For each provider identified, determine whether the service supports a critical or important function. Document the basis for the classification. Where the classification is not clear-cut, escalate to the TPRM function for a formal decision. All CIF-supporting services must be flagged in the register.
Stage 3 — Data completion. For each contractual arrangement, gather the full set of fields specified in Commission Implementing Regulation (EU) 2024/2956. For CIF-supporting services, contact ICT providers to obtain sub-contracting information. For contracts that predate DORA, assess whether the contractual provisions meet Article 30 requirements and initiate renegotiation where they do not.
Stage 4 — Validation. Review the completed register for internal consistency (are all CIF services properly flagged? Are all LEIs correct?), and submit to the competent authority in the required format.
Ongoing Maintenance
The register must be updated in real time as the ICT supply chain changes. This requires embedding RoI update obligations into three processes: the procurement approval process (no new ICT contract without RoI update); the contract management process (renewals, amendments, and terminations must trigger an RoI review); and the critical function classification review (changes in business operations may affect which ICT services support critical functions). Annual competent authority submissions require a validated point-in-time snapshot, but the register itself should never be out of date.
Technology is essential for maintaining the register at scale. A spreadsheet-based register is adequate for initial build but degrades rapidly as the number of providers grows, as sub-contracting relationships evolve, and as multiple teams contribute updates without version control. A TPRM platform that integrates with the RoI template and provides automated change tracking is the operational foundation for a register that will pass supervisory review.
For an overview of vendor assurance automation tools that can support RoI maintenance, see /blog-hub/vendor-assurance-automation-software.
Submission and Reporting Requirements
Financial entities must submit the Register of Information to their competent authority under two circumstances: on request at any time, and as part of the annual reporting obligation under DORA Article 28(3). The annual submission must be made by 31 January of each year, covering the register as at the preceding 31 December. The ESAs have specified the submission format: the register must be submitted in the format specified in Commission Implementing Regulation (EU) 2024/2956, typically as a structured data file.
For financial groups, the group-level submission requirement means that a parent entity must co-ordinate the registers of all subsidiaries within scope. Where different subsidiaries share ICT providers — a common arrangement in integrated financial groups — the register captures the relationship at the individual entity level, not at group level. Each subsidiary's register must independently identify its ICT providers, even where those providers are shared across the group.
The ESAs use submitted registers to identify ICT concentration risk across the financial sector as a whole — identifying which ICT providers are used by significant numbers of financial entities across multiple jurisdictions, and therefore qualify for designation as Critical ICT Third-Party Providers subject to direct oversight. Accuracy in the register submission matters not only for individual entity compliance but for the integrity of the sector-wide oversight framework.
Common Register of Information Compliance Gaps
Supervisory reviews and the ESAs' published Q&As identify the following as the most frequent issues in RoI compliance.
- Incomplete sub-contracting data. Financial entities have populated their own provider rows but have not captured the sub-contracting chains for CIF-supporting services. Article 28(3) requires this information for services supporting critical or important functions.
- Incorrect critical function classification. Services are classified as non-critical without documented rationale, or without applying the Article 3(22) test systematically. Competent authorities are asking entities to justify their classification decisions.
- Missing or incorrect LEIs. Legal Entity Identifiers are required for both the financial entity and its ICT providers. Many smaller ICT providers do not have LEIs or have LEIs that differ from the entity name in the contract.
- Stale data. The register reflects the state of the supply chain at the date of initial build, not the current state. New providers added after initial completion are not captured; terminated contracts are not removed.
- Inconsistent service classifications. The service type classification categories in Commission Implementing Regulation (EU) 2024/2956 are specific. Financial entities that have used their own classification systems rather than the regulatory categories must remap their data before submission.
For guidance on the full DORA Article 28 framework and how it connects to the rest of the DORA requirements, see /resource-hub/dora-compliance-guide.
See How SureCloud Supports DORA Register of Information Compliance
Regulatory Compliance FAQ's
What is the DORA Register of Information?
The DORA Register of Information is a mandatory inventory of all contractual arrangements between a financial entity and its ICT third-party service providers, required under Article 28 of DORA (Regulation (EU) 2022/2554). It must record specific data for each provider as specified in Commission Implementing Regulation (EU) 2024/2956, including the provider's identity, the nature of the ICT services provided, whether those services support critical or important functions, sub-contracting information for CIF-supporting services, contractual dates, and data storage and processing locations. The register must be maintained continuously and submitted to the competent authority on request or as part of the annual reporting cycle.
Which ICT providers must be included in the DORA Register of Information?
All ICT third-party service providers with which the financial entity has a contractual arrangement must be included in the register — not only those providing services to critical or important functions. The distinction between critical and non-critical services determines the level of detail required for certain fields (such as sub-contracting information) and the contractual requirements that must be met, but the basic obligation to record the provider applies to all ICT contractual arrangements. Internal ICT services provided by group entities may be included or excluded based on the specific intra-group arrangements, but material intra-group ICT services should be included where they support regulated activities.
When must the Register of Information be submitted to the competent authority?
Financial entities must submit the Register of Information to their competent authority on request at any time, and as part of the annual reporting obligation under DORA Article 28(3). The annual submission deadline is 31 January of each year, covering the register as at the preceding 31 December. The submission must be in the format specified in Commission Implementing Regulation (EU) 2024/2956. Failure to submit an accurate and complete register is one of the enforcement focuses for competent authorities in 2025-2026.
What does 'critical or important function' mean under DORA?
DORA Article 3(22) defines a critical or important function as a function whose disruption would materially impair the financial performance of a financial entity, the soundness or continuity of its services and activities, the continued compliance of a financial entity with its authorisation conditions, or its other obligations under applicable financial services law. The classification must be made by the financial entity itself, based on its knowledge of its own business model and operational dependencies. Where a service supports any of these outcomes, it should be classified as supporting a critical or important function. The classification decision must be documented, as competent authorities are reviewing the basis for classification decisions in supervisory assessments.
How should financial entities handle sub-contracting in the Register of Information?
For ICT services that support critical or important functions, DORA requires financial entities to identify material sub-contractors in the Register of Information. A sub-contractor is material if it plays a significant role in the delivery of the ICT service — typically where the ICT provider has itself outsourced a core component of the service to a third party. Financial entities should ask their ICT providers for disclosure of their sub-contracting arrangements for CIF-supporting services and include this information in the register. Where providers are unwilling to disclose sub-contracting arrangements, this should be escalated as a contractual non-compliance issue, since DORA Article 30 requires ICT providers supporting critical or important functions to cooperate with DORA compliance.
Platform +
Frameworks +
Products +
Industries +
Resources +
Company +
London Office
1 Sherwood Street, London, W1F 7BL, United Kingdom
US Headquarters
6010 W. Spring Creek Pkwy., Plano, TX 75024, United States of America
© SureCloud 2026. All rights reserved.
