What is the Register of Information under DORA?

The **Register of Information** must be maintained and kept up to date by every financial entity under **Art. 28(3) DORA (Regulation (EU) 2022/2554)**: a complete inventory of **all contractual arrangements for the use of ICT services** provided by ICT third-party service providers — at **entity level and at sub-consolidated and consolidated level**. It is the central inventory instrument of DORA's third-party risk management ^[1].

The register is more than a contract list: it links each provider, function and arrangement to whether a **critical or important function** is supported. It is therefore the dataset on which supervisors and firms assess concentration risk and dependence on individual providers — and it feeds the EU-wide designation of **critical ICT third-party providers (CTPPs)**.

The format is not optional. **Art. 28(9) DORA** empowers the European Supervisory Authorities (ESAs) to draft implementing technical standards for the standard templates. The result is **Implementing Regulation (EU) 2024/2956 of 29 November 2024**, whose Annexes I–IV prescribe the exact structure of the register — from contract master data through the chain of subcontractors to the mapping onto critical functions ^[2].

Important for research: these ITS are **not** to be confused with the incident-reporting standards (the RTS/ITS of the 2025/301 and 2025/302 family). The Register of Information and the reporting of major ICT-related incidents are separate DORA obligations with their own legal acts.

DORA has applied since **17 January 2025**. In **spring 2025 (around April)**, competent authorities ran a first collection: financial entities submitted their registers to their national supervisor, which forwarded them to the ESAs — used, among other things, as the basis for designating critical third-party providers. That exercise was not a one-off but the start of a recurring, reportable routine ^[1][2].

In practice the register demands an **auditable, always-current dataset** across all ICT contracts — including changes among subcontractors. This is exactly where continuous monitoring pays off: new ESA Q&As, updated templates or national collection windows must not get lost in an inbox.