DORA register of information: what must it contain?
DORA requires financial entities to maintain a register of information on all contractual arrangements for ICT services, at entity, sub-consolidated and consolidated level. Supervisors request it annually; it also feeds the designation of critical ICT providers.
Short answer: The register of information is your mandatory, standardised overview of all contractual arrangements for ICT services with third-party providers. You maintain it at entity, sub-consolidated and consolidated level, and the supervisor can request it (annually). It is not a formality — it feeds the EU oversight of critical ICT providers.
What goes in it
Per contractual arrangement: the provider and its identification, the type of ICT service, whether the service supports a critical or important function, the chain of subcontractors/sub-processors, locations of service provision and data processing, and the term/exit conditions. The ESAs have set standardised templates (ITS) so registers are comparable.
Why it matters
The register is also your own steering instrument: it makes dependencies and concentration risk visible (e.g. too many critical services with one cloud provider). And it is the basis on which the ESAs determine which ICT providers are designated critical for direct EU oversight. See Third-party ICT risk and oversight.
Practical
Start with a full inventory of your ICT outsourcing, classify per function (critical/important or not), fill the ITS templates, and set up a process to keep the register current on every new or changed arrangement.
Read also: DORA guide and DORA readiness roadmap.
Sources
- https://eur-lex.europa.eu/eli/reg/2022/2554/oj
  Regulation (EU) 2022/2554 (DORA), Article 28: register of contractual arrangements with ICT third-party providers.
- https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
  ESAs: implementing standards (ITS) for the standardised register templates.