How to Comply with the DORA Register of Information: A Step-by-Step Guide

Nov 26, 2024

The Digital Operational Resilience Act (DORA) aims to ensure the financial sector's resilience against ICT-related risks. There are many components of the act that need to be followed, and we have published a number of guides on them; this article focuses on one of them, the Register of Information, also known as the vendor register.

This guide will help you comply with the requirements by maintaining a register of information for all contractual arrangements with ICT third-party service providers.

Step 1: Understand the Scope

  • Identify all ICT services provided by third-party service providers.

  • Include all contractual arrangements related to these services, regardless of whether they support critical or important functions. The register must still distinguish the arrangements covering ICT services that support critical or important functions from those that do not.

    • Reference: Article 28(3) of Regulation (EU) 2022/2554

Step 2: Gather Necessary Information

  • Legal Entity Identifier (LEI): Ensure all ICT third-party service providers that are legal persons have a valid LEI.

  • Contractual Arrangement Details: Collect information on all contractual arrangements, including:

    • Contractual arrangement reference number

    • Type of contractual arrangement (standalone, overarching, or subsequent)

    • Annual expense or estimated cost for the past year

    • Reference: Article 4(5) and Annex I

    • Template RT.02.01, Rows 10-50.

Step 3: Maintain the Register of Information

  • General Information: Include details about the financial entity maintaining the register, such as:

    • LEI

    • Legal name

    • Country of registration

    • Type of entity (e.g., credit institution, investment firm)

  • Entities within the Scope: List all entities within the group, including branches and subsidiaries.

  • Contractual Arrangements: Provide general and specific information about each contractual arrangement, including:

    • Start and end dates

    • Notice periods for termination

    • Governing law and country of provision of ICT services

    • Sensitiveness of the data stored or processed

    • Reference: Annex I, Templates RT.01.01, RT.01.02, RT.02.01, RT.02.02

    • Templates RT.01.01, Rows 10-60, RT.01.02, Rows 10-110, RT.02.01, Rows 10-50, RT.02.02, Rows 10-180.

Step 4: Document the ICT Service Supply Chain

  • Identify Subcontractors: Document all subcontractors that underpin ICT services supporting critical or important functions.

  • Rank Subcontractors: Assign a rank to each subcontractor based on their position in the ICT service supply chain.

    • Reference: Annex I, Template RT.05.02

    • Template RT.05.02, Rows 10-90.

Step 5: Assess the ICT Services

  • Risk Assessment: Perform a risk assessment for ICT services supporting critical or important functions, including:

    • Substitutability of the ICT third-party service provider

    • Date of the last audit

    • Existence of an exit plan

    • Impact of discontinuing the ICT services

    • Reference: Annex I, Template RT.07.01

    • Template RT.07.01, Rows 10-120.

Step 6: Regularly Update the Register

  • Review and Update: Review the register regularly and update it whenever a contractual arrangement is signed, changed or terminated, so that the information stays accurate and consistent across the templates (for example, every arrangement refers to a provider that is actually listed).

  • Maintain Records: Keep information on terminated contractual arrangements for at least five years after termination.

    • Reference: Article 3(2) and Article 4(3)

Step 7: Report to Competent Authorities

  • Reporting: Ensure the register of information can be made available to competent authorities on request, in full or as the specified sections they ask for, for supervision and oversight purposes.

    • Reference: Article 28(3) of Regulation (EU) 2022/2554
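The steps above describe data that has to be correct and internally consistent, which is something you can check mechanically. The following is an added example, not code from the original article or from any regulator's tooling: it validates LEIs with the ISO 17442 check digits (Step 2), then runs a few consistency checks over a minimal register (every arrangement references a listed provider, arrangements supporting a critical or important function have a documented supply chain whose ranks are contiguous from 1, and terminated arrangements are not purged before the five-year retention period of Step 6 has elapsed). The record layout, field names and sample entities are constructed for illustration and are not the official RT.xx.xx template layout; the assumption that a documented chain uses contiguous ranks starting at 1 is ours.

```python
"""Added example: ISO 17442 LEI validation plus consistency checks over a
minimal, constructed ICT third-party register. Record layout and sample
data are illustrative assumptions, not the official DORA templates."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

LEI_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")
RETENTION_YEARS = 5  # terminated arrangements stay in the register for 5 years


def _lei_to_int(s: str) -> int:
    # ISO 7064 MOD 97-10: letters A..Z map to 10..35, digits stay as they are.
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))


def is_valid_lei(lei: str) -> bool:
    """An LEI is 20 upper-case alphanumerics whose MOD 97-10 remainder is 1."""
    if len(lei) != 20 or not set(lei) <= LEI_CHARS or not lei[-2:].isdigit():
        return False
    return _lei_to_int(lei) % 97 == 1


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits that complete an 18-character LEI prefix."""
    if len(prefix18) != 18 or not set(prefix18) <= LEI_CHARS:
        raise ValueError("prefix must be 18 upper-case alphanumerics")
    return f"{98 - _lei_to_int(prefix18 + '00') % 97:02d}"


@dataclass
class Provider:
    lei: str
    name: str


@dataclass
class Arrangement:
    ref: str                      # contractual arrangement reference number
    provider_lei: str
    start: date
    end: date | None              # None means the arrangement is still running
    supports_cif: bool            # supports a critical or important function
    chain_ranks: list[int] = field(default_factory=list)  # assumed: ranks of the documented supply chain


def check_register(providers: list[Provider], arrangements: list[Arrangement]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    known = {p.lei for p in providers}
    for p in providers:
        if not is_valid_lei(p.lei):
            findings.append(f"provider {p.name}: LEI {p.lei!r} fails the ISO 17442 check")
    for a in arrangements:
        if a.provider_lei not in known:
            findings.append(f"{a.ref}: provider LEI {a.provider_lei} is not in the provider list")
        if a.end is not None and a.end < a.start:
            findings.append(f"{a.ref}: end date precedes start date")
        if a.supports_cif:
            # Assumption: a documented chain lists ranks contiguously from 1.
            if not a.chain_ranks:
                findings.append(f"{a.ref}: supports a CIF but no supply chain is documented")
            elif sorted(a.chain_ranks) != list(range(1, len(a.chain_ranks) + 1)):
                findings.append(f"{a.ref}: supply-chain ranks {a.chain_ranks} are not contiguous from 1")
    return findings


def _add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:            # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)


def may_purge(a: Arrangement, today: date) -> bool:
    """A terminated arrangement may leave the register only RETENTION_YEARS after its end."""
    return a.end is not None and today >= _add_years(a.end, RETENTION_YEARS)


# Constructed sample register (fictional entities; the second LEI has wrong check digits).
PROVIDERS = [
    Provider("529900TESTPROVIDER26", "Example Cloud Ltd"),
    Provider("529900TESTPROVIDER27", "Example Payments SA"),
]
ARRANGEMENTS = [
    Arrangement("CA-0001", "529900TESTPROVIDER26", date(2023, 1, 1), None, True, [1, 2, 3]),
    Arrangement("CA-0002", "529900TESTPROVIDER26", date(2019, 6, 1), date(2020, 5, 31), True, [1, 3]),
    Arrangement("CA-0003", "529900UNKNOWNPROV000", date(2024, 1, 1), None, False),
]


def report(today_iso: str) -> dict:
    """Run the checks on the sample register as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {
        "findings": check_register(PROVIDERS, ARRANGEMENTS),
        "purgeable": [a.ref for a in ARRANGEMENTS if may_purge(a, today)],
    }


if __name__ == "__main__":
    for line in report("2024-11-26")["findings"]:
        print(line)
```

Run as a script it prints three findings for the sample data: the provider with bad check digits, the arrangement whose supply-chain ranks skip a level, and the arrangement pointing at an unlisted provider. Extend `check_register` with whatever further template fields your register carries (notice periods, governing law, data sensitiveness), keeping the pattern of one named check per finding so the output maps back to the step that requires it.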

By following these steps, you can meet the register of information requirement, which is one component of a DORA-compliant ICT risk management framework. If you have any questions or need further assistance, feel free to reach out!