What Is the Register of Information?
Article 28(3) of DORA requires every financial entity in scope to maintain a register of information on all contractual arrangements with ICT third-party service providers. This is not a policy document or a risk assessment. It is a structured dataset that records every ICT service arrangement your organisation has in place, who provides it, what business functions it supports, and whether those functions are critical or important.
The purpose of the register is twofold. First, it gives the financial entity itself a complete view of its ICT dependency landscape, which is essential for concentration risk analysis under Art. 29 and for the broader third-party risk management framework under Art. 28-44. Second, it provides national competent authorities (NCAs) with a standardised way to assess ICT third-party risk across the financial sector.
The register must be maintained at all times, not assembled on an ad hoc basis when a supervisor asks for it. Art. 28(3) explicitly states that the register shall be kept up to date. This means it must reflect current contractual arrangements, current provider details, and current sub-outsourcing chains. Changes to any of these must be reflected in the register promptly.
The format and content of the register are defined by Implementing Technical Standards published by the EBA, specifically ITS 2024/2956. This standard defines the exact data fields, entity types, and relationships that the register must contain. Submissions to NCAs must follow this schema.
What Data the RoI Must Contain
The ITS 2024/2956 schema defines the Register of Information as a set of linked tables covering entities, contractual arrangements, ICT services, functions, and sub-outsourcing relationships. The data requirements are extensive and specific. Here are the main categories.
Every entity referenced in the register must be identified using a Legal Entity Identifier (LEI) where available, along with the entity name, country of registration, and entity type. This applies to the reporting financial entity itself, all ICT service providers, and all sub-contractors in the chain. The LEI is the primary key used by NCAs to link data across entities and jurisdictions.
Each ICT third-party arrangement must be recorded with its contract reference, start date, end date (or whether it is open-ended), renewal terms, notice period, and governing law. The register must identify which arrangements relate to critical or important functions (CIFs) and flag whether the arrangement is substitutable. This data feeds directly into concentration risk assessments and exit planning under Art. 28(8).
For each contractual arrangement, the register must describe the ICT services provided and map them to the business functions they support. Where the supported function is a critical or important function, this must be explicitly flagged. The register must also record where data is processed and stored, including the specific countries and whether personal data is involved. This is essential for assessing data residency compliance and cross-border risk.
Where an ICT service provider sub-contracts part of the service, the register must capture the full sub-outsourcing chain. Each sub-contractor must be identified (LEI, name, jurisdiction), and the register must record which parts of the service are sub-contracted and whether the sub-contracted service supports a critical or important function. Art. 29(2) requires entities to assess the risks arising from these chains, and the register provides the data needed to do so.
Submission Timeline and NCA Requirements
The Register of Information has a defined submission history and ongoing obligations that financial entities must be aware of.
Common Challenges
Building and maintaining the Register of Information is one of the more operationally challenging DORA requirements. Based on the experience of the first submission cycle, these are the issues that most commonly arise.
How to Build and Maintain Your RoI
The Register of Information is not a one-off deliverable. It is a continuously maintained dataset that must be accurate, complete, and submission-ready at all times. The most effective approach is to use a purpose-built tool that structures the data according to the ITS schema from the start.
ITS 2024/2956 Schema Built In
DORA GRC structures the Register of Information according to the EBA ITS 2024/2956 schema natively. Entity types, relationship types, and data fields match the standard exactly. You enter data once and it populates the register automatically. No spreadsheet mapping required.
85-Rule Validation Engine
Before you submit to your NCA, run the built-in validation engine. It checks all 85+ EBA rules covering completeness, format, cross-references, and logical consistency. Errors are flagged with the specific rule reference and a clear description of what needs to be fixed. This prevents rejection or rework after submission.
Provider and Sub-Contractor Management
The provider register feeds directly into the RoI. When you add a provider, update a contract, or record a sub-outsourcing chain, the register is updated automatically. Concentration risk analysis (Art. 29) uses the same data, so there is no duplication. Learn more about DORA third-party risk management.
Export in NCA Submission Format
Export the complete Register of Information as an EBA-format file ready for NCA submission. The export includes all linked tables, entity identifiers, and relationship references in the structure your supervisor expects. For a broader view of DORA compliance requirements, see our complete guide.
For a full list of features across all five pillars, see the features page.