DORA Register of Information: Requirements, Fields & Compliance Guide

The DORA register of information is a mandatory requirement under Article 28(3) of the Digital Operational Resilience Act. Financial entities must maintain a comprehensive register of all contractual arrangements with ICT third-party service providers — at both entity and group level.

What is the DORA Register of Information?

The register of information is the central documentation requirement under DORA's third-party risk management pillar. It requires every financial entity in scope to maintain a detailed record of all contractual arrangements with ICT third-party service providers.

The register serves two purposes: it gives the financial entity visibility over its own ICT dependency landscape, and it provides supervisory authorities with the data they need to assess systemic concentration risk across the financial sector.

The register must be maintained at both entity level (for each individual regulated entity) and group level (consolidating all ICT arrangements across a financial group). For large groups with hundreds of ICT service arrangements, building and maintaining this register is a substantial operational undertaking.

Register of Information Required Fields

The DORA register of information must contain detailed data across several categories. The following fields are based on the Regulatory Technical Standards (RTS) published by the European Supervisory Authorities.

Entity & Provider Identification

  • LEI (Legal Entity Identifier) of the financial entity
  • Name and LEI of the ICT service provider
  • Country of registration and headquarters of the provider
  • Parent company identification (if applicable)

Contract Details

  • Contract reference number
  • Contract type (e.g. outsourcing, procurement, other)
  • Contract start date and end date or renewal terms
  • Notice period and termination provisions
  • Governing law of the contractual arrangement

Service Description

  • Nature and description of ICT services provided
  • Functions supported by the ICT service
  • Whether the service supports critical or important functions
  • Criticality assessment and rationale

Data & Location

  • Data processing locations (countries and regions)
  • Data storage locations
  • Whether personal data is processed
  • Applicable data protection provisions

Subcontracting Chain

  • Whether the provider uses subcontractors
  • Identification of subcontractors in the chain
  • Services provided by each subcontractor
  • Data processing locations of subcontractors
  • Contractual arrangements between provider and subcontractors

Oversight & Exit

  • Audit rights and access provisions
  • Exit strategy and transition planning provisions
  • Substitutability assessment
  • Last audit date and findings summary

Register of Information Deadline & Reporting

Financial entities were required to have their register of information established and maintained from 17 January 2025, when DORA became applicable. The first reporting submission to national competent authorities was due by 30 April 2025.

Going forward, the register must be reported to competent authorities at least annually. Significant institutions may also report directly to the ECB. Supervisory authorities can request the register at any time during examinations or ongoing supervisory activities.

The register is not a static document. It must be maintained on a continuous basis, with updates reflecting new contracts, amendments, terminations, changes to subcontracting chains, and updated criticality assessments. Entities must have processes in place to ensure the register remains accurate and complete at all times.

How to Build and Maintain the Register

Building the register from scratch is one of the most operationally demanding aspects of DORA compliance. Common challenges include:

Identifying All ICT Arrangements

Many organisations discover they have far more ICT service arrangements than initially estimated. Contracts may be held by different business units, procurement teams, or IT departments. A comprehensive discovery exercise is essential before the register can be populated.

Extracting Required Data from Contracts

The register requires specific data fields that may not be readily available in existing contract management systems. Extracting service descriptions, data locations, subcontracting chains, and exit provisions from hundreds of contracts is time-consuming and error-prone when done manually.

Mapping Subcontracting Chains

DORA requires visibility into the full subcontracting chain, particularly for services supporting critical functions. Many providers have multi-layered subcontracting arrangements that are not always transparent. Obtaining this information requires active engagement with service providers.

Ongoing Maintenance

The register is not a one-off exercise. New contracts, amendments, provider changes, and evolving criticality assessments must be reflected promptly. Organisations need clear processes for who updates the register, how changes are captured, and how accuracy is verified.

Register of Information by Regulator

While DORA is a directly applicable EU regulation, national competent authorities may provide additional guidance on reporting formats and submission processes.

ECB / SSM

Significant institutions under the Single Supervisory Mechanism report directly to the ECB. The ECB has issued specific guidance on data quality expectations and reporting formats for the register.

Central Bank of Ireland

Irish-regulated entities submit their register through the Central Bank's reporting framework. The CBI has aligned its requirements with the ESA templates and published guidance on the submission process.

BaFin (Germany)

BaFin oversees DORA compliance for German financial entities. Specific guidance has been published on integration with existing outsourcing notification requirements.

ACPR (France)

The ACPR has published guidance on register submission timelines and expects alignment with existing outsourcing registers maintained under French regulatory requirements.

FCA / PRA (UK)

While DORA does not directly apply in the UK, the FCA and PRA have their own third-party risk requirements. UK firms with EU operations must maintain the DORA register for those entities.

How ComplyLoft Auditor Supports Register Maintenance

The ComplyLoft Auditor can assist with the most labour-intensive aspects of building and maintaining the DORA register of information:

  • Review ICT contracts to identify and extract required register fields — service descriptions, data locations, subcontracting provisions, exit clauses
  • Flag contracts that are missing DORA-mandated provisions or required data fields
  • Assess completeness of the register against RTS field requirements
  • Identify gaps in subcontracting chain documentation
  • Support ongoing monitoring by flagging changes that should trigger register updates

ComplyLoft Auditor identifies potential gaps and provides a structured starting point for review. All outputs require human review and sign-off. ComplyLoft does not guarantee compliance.

Frequently Asked Questions

What is the DORA register of information?

The DORA register of information is a mandatory register that financial entities must maintain under Article 28(3) of the Digital Operational Resilience Act. It documents all contractual arrangements with ICT third-party service providers, including service descriptions, criticality assessments, subcontractor chains, and data location information.

What fields must the DORA register of information contain?

The register must include: identification details of the financial entity and service provider, contract reference and type, start and end dates, nature of ICT services provided, whether services support critical or important functions, data processing locations, subcontracting arrangements and the full chain, criticality assessment of services, and whether the provider has been designated as critical by ESAs.

When is the DORA register of information deadline?

The register of information must have been established and maintained from 17 January 2025 when DORA became applicable. The first reporting submission to national competent authorities was due by 30 April 2025. The register must be kept up to date on an ongoing basis and reported annually or upon request by supervisory authorities.

Do subcontractors need to be included in the DORA register of information?

Yes. The register must capture the full subcontracting chain for ICT services, particularly those supporting critical or important functions. Financial entities must document which subcontractors are involved, what services they provide, where data is processed, and the contractual arrangements in place between the primary provider and its subcontractors.

How often must the register of information be updated?

The register must be maintained on a continuous basis. Any changes to ICT third-party arrangements — new contracts, amendments, terminations, changes to subcontracting chains, or changes to criticality assessments — must be reflected promptly. The register is reported to national competent authorities at least annually and may be requested at any time during supervisory activities.

What is the scope of the DORA register of information?

The register covers all contractual arrangements with ICT third-party service providers, not just those supporting critical or important functions. However, additional detail is required for arrangements supporting critical or important functions, including more granular data on subcontracting, data locations, and exit strategies. The register must be maintained at both entity and group level.

Simplify Your DORA Register of Information

Request a demo to see how ComplyLoft Auditor helps financial entities build and maintain their register of information.