How to Comply with the DORA Register of Information: A Step-by-Step Guide
Nov 26, 2024
The Digital Operational Resilience Act (DORA) aims to ensure the financial sector's resilience against ICT-related risks. While there are many components of the act that need to be followed, and we have published a number of guides on them, in this article we focus on the Register of Information, also known as the Vendor Register.
This guide will help you comply with the requirements by maintaining a register of information for all contractual arrangements with ICT third-party service providers.
Step 1: Understand the Scope
Identify all ICT services provided by third-party service providers.
Include all contractual arrangements related to these services, regardless of whether they support critical or important functions.
Reference: Article 28(3) of Regulation (EU) 2022/2554
Step 2: Gather Necessary Information
Legal Entity Identifier (LEI): Ensure all ICT third-party service providers that are legal persons have a valid LEI.
Contractual Arrangement Details: Collect information on all contractual arrangements, including:
Contractual arrangement reference number
Type of contractual arrangement (standalone, overarching, or subsequent)
Annual expense or estimated cost for the past year
Reference: Article 4(5) and Annex I
Template RT.02.01, Rows 10-50.
Step 3: Maintain the Register of Information
General Information: Include details about the financial entity maintaining the register, such as:
LEI
Legal name
Country of registration
Type of entity (e.g., credit institution, investment firm)
Entities within the Scope: List all entities within the group, including branches and subsidiaries.
Contractual Arrangements: Provide general and specific information about each contractual arrangement, including:
Start and end dates
Notice periods for termination
Governing law and country of provision of ICT services
Sensitiveness of the data stored or processed
Reference: Annex I, Templates RT.01.01, RT.01.02, RT.02.01, RT.02.02
Templates RT.01.01, Rows 10-60, RT.01.02, Rows 10-110, RT.02.01, Rows 10-50, RT.02.02, Rows 10-180.
Step 4: Document the ICT Service Supply Chain
Identify Subcontractors: Document all subcontractors that underpin ICT services supporting critical or important functions.
Rank Subcontractors: Assign a rank to each subcontractor based on their position in the ICT service supply chain.
Reference: Annex I, Template RT.05.02
Template RT.05.02, Rows 10-90.
Step 5: Assess the ICT Services
Risk Assessment: Perform a risk assessment for ICT services supporting critical or important functions, including:
Substitutability of the ICT third-party service provider
Date of the last audit
Existence of an exit plan
Impact of discontinuing the ICT services
Reference: Annex I, Template RT.07.01
Template RT.07.01, Rows 10-120.
Step 6: Regularly Update the Register
Review and Update: Regularly review and update the information in the register to ensure accuracy and consistency.
Maintain Records: Keep information on terminated contractual arrangements for at least five years after termination.
Reference: Article 3(2) and Article 4(3)
Step 7: Report to Competent Authorities
Reporting: Ensure the register of information is available to competent authorities for supervision and oversight purposes.
Reference: Article 28(3) of Regulation (EU) 2022/2554
By following these steps, you can ensure compliance with the DORA regulation and maintain a robust ICT risk management framework. If you have any questions or need further assistance, feel free to reach out!