According to DORA, every financial entity in the European Union is required to maintain an ICT supplier register, which serves as a crucial tool for managing ICT supplier risks and ensuring regulatory compliance. This register is designed to collect and document detailed information about ICT service providers, their services, and their dependencies on critical or essential functions within financial organizations. By accurately classifying suppliers and assessing risks, financial entities can ensure operational continuity in the face of potential ICT-related threats, such as cyberattacks, system failures, or disruptions in supply chains.
The original deadline to submit the ICT supplier register to European Supervisory Authorities (ESAs) was April 30, 2025, and that deadline has now passed. However, local supervisory authorities can request updated reports from the register at any time. Moreover, every time a financial entity signs a new contractual agreement with an ICT service provider, this must be reported to the relevant competent authority. The register should be maintained and updated as it forms the foundation for DORA compliance, enabling effective ICT management within the organization.
What is the structure of the information register according to DORA?
The ICT service provider register must contain detailed information about the providers, the services they offer and their connections to the critical or essential functions of the financial entities. It is important that each provider is appropriately classified based on their role in the organization and that services are assigned to functions critical for operational continuity. The register should also include contract information, including the terms of the ICT provider agreement and the rules for monitoring its execution.
DORA places significant emphasis on documenting the location of data and its level of sensitivity. Both the physical storage locations of the data and their degree of confidentiality, integrity, and availability must be considered. This approach allows for the identification of potential risks related to data storage and cybersecurity threats, which is crucial in the context of risk management.
Additionally, the DORA supplier registry should include data about subcontractors and ICT providers operating within the group. This enables comprehensive management of outsourcing-related risks and monitoring of dependencies between providers and critical or essential functions. Proper organization of this information is essential for ensuring compliance with DORA requirements and enables effective operational risk management.
What is XBRL format?
The risk assessment process must align with DORA reporting requirements and utilize the XBRL reporting format, which enables automated and consistent data submission to competent authorities. XBRL (eXtensible Business Reporting Language) is a standardized format that enhances the accuracy and efficiency of financial and risk reporting by organizing data in a structured, machine-readable format. DORA specifically mandates XBRL-CSV reporting, meaning that supplier risk data such as risk assessments, operational dependencies, and critical or essential functions must be mapped to the appropriate XBRL taxonomy elements. This ensures that the data is consistently interpreted and processed by regulatory bodies across different jurisdictions. By integrating these reporting processes with risk management systems and the register of information, organizations can achieve more efficient risk management, improve the precision of their reports, and ensure ongoing compliance with DORA’s regulatory requirements. This integration also facilitates real-time monitoring and reporting, reducing the risk of non-compliance and operational disruptions.
1. ICT supplier classification according to RTS 85
The classification of ICT third-party service providers involves assigning services to appropriate categories depending on whether they support critical or essential functions and which specific ones they support. DORA precisely specifies that the ICT supplier classification depends on the functions they support, not the status of the organization. Functions are considered critical if their disruption would have a serious impact on the financial operations, operational security, or the ability to meet regulatory obligations of financial entities.
An important element is also understanding the dependencies between providers, their services, and the contracts they hold, which allows for mapping relationships and accurately assigning services to the appropriate categories. For internal ICT service providers within financial groups, the classification rules differ from those applied to external ICT service providers. Internal ICT service providers operating within a single financial group mainly deliver ICT services to other entities within the same group, such as parent companies or subsidiaries. Although they must also meet DORA compliance requirements, their ICT supplier classification requires specific documentation of internal services and agreements. An example might be using templates such as RT.02.03 for mapping internal dependencies. Unlike external providers, who must provide specific information on security, exit plans, and incident reporting, internal providers focus on ensuring consistency and digital resilience within the group, in line with internal risk management rules.
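As an added illustration of the classification rule above (this is example code written for this page, not code from RED INTO GREEN or from the RTS), the script below derives each provider's classification from the functions its services support, not from the provider's own status, and walks the subcontractor chain so that a fourth party behind a critical service is classified too. All provider, service, contract and function names are constructed; the rule that criticality propagates down the subcontracting chain is an assumption made here for illustration.

```python
"""Added example: deriving ICT provider classification from the functions a service
supports, rather than from the provider's own status. All names, identifiers and the
subcontractor-propagation rule are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    critical: bool              # critical or important function, per the entity's own assessment


@dataclass(frozen=True)
class Provider:
    name: str
    intra_group: bool           # internal provider within the financial group


@dataclass(frozen=True)
class Service:
    service_id: str
    provider: str               # direct ICT third-party provider
    contract_ref: str           # hypothetical contract reference, not a template column
    supports: tuple             # names of the functions this service supports
    subcontractors: tuple = ()  # providers further down the supply chain for this service


# Constructed register entries (not real providers or functions)
FUNCTIONS = {f.name: f for f in (
    Function("payment processing", critical=True),
    Function("customer onboarding", critical=True),
    Function("marketing analytics", critical=False),
)}
PROVIDERS = {p.name: p for p in (
    Provider("CloudHost Ltd", intra_group=False),
    Provider("DataCentre Co", intra_group=False),
    Provider("Group IT Services", intra_group=True),
    Provider("AdMetrics GmbH", intra_group=False),
)}
SERVICES = (
    Service("S-001", "CloudHost Ltd", "CTR-2024-01", ("payment processing",), ("DataCentre Co",)),
    Service("S-002", "Group IT Services", "IG-2024-07", ("customer onboarding",)),
    Service("S-003", "AdMetrics GmbH", "CTR-2024-03", ("marketing analytics",)),
)


def classify_providers(services=SERVICES, functions=FUNCTIONS, providers=PROVIDERS):
    """Classify every provider by the functions its services support.

    A provider is 'critical' if any of its services, directly or as a subcontractor,
    supports a critical function (assumption: criticality propagates down the chain).
    Returns (classification, depends_on) where depends_on maps a function name to the
    set of (provider, service_id) pairs it relies on.
    """
    classification = {name: "non-critical" for name in providers}
    depends_on = defaultdict(set)
    for svc in services:
        chain = (svc.provider,) + svc.subcontractors
        for fn_name in svc.supports:
            fn = functions[fn_name]          # KeyError here means the function inventory is incomplete
            for prov in chain:
                depends_on[fn_name].add((prov, svc.service_id))
                if fn.critical:
                    classification[prov] = "critical"
    return classification, dict(depends_on)


def external_critical(classification, providers=PROVIDERS):
    """External (non-intra-group) providers supporting critical functions: the ones whose
    contracts must carry security, exit-plan and incident-reporting information."""
    return sorted(name for name, cls in classification.items()
                  if cls == "critical" and not providers[name].intra_group)


if __name__ == "__main__":
    classes, deps = classify_providers()
    for name, cls in classes.items():
        print(f"{name:20} {cls}")
    print("external critical providers:", external_critical(classes))
```

Note that DataCentre Co never appears as a direct contracting party, yet it ends up classified as critical because it sits behind S-001; that is exactly the dependency a register limited to first-tier contracts would miss.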
2. Third-party risk management in the register
Risk management related to ICT third-party service providers is a key element in the process of creating and maintaining a Register of Information in compliance with DORA requirements. As part of this process, conducting thorough due diligence is essential. The supplier risk assessment should cover several important aspects to effectively identify potential threats.
DORA requires financial entities to be transparent about where data is stored and processed, particularly data that supports critical or essential functions. All categories of data (e.g., customer personal data, transaction records) and their locations must be identified as part of robust information management practices. Another element of risk assessment is analyzing the incident history associated with a given provider. Documenting past operational issues, such as cyberattacks, system failures, cloud computing outages or network infrastructure disruptions, helps in assessing the risk of similar events occurring in the future. DORA imposes the obligation to record detailed incident data, including causes, consequences, and corrective actions, which is essential for maintaining ICT security and ensuring business continuity across critical functions. This documentation should include incident identifiers, detection dates, and details on remediation.
An important aspect of the third-party risk management is also the substitutability of the provider. This means developing an exit strategy that enables the smooth migration of data and services to an alternative provider in case of failure or termination of the collaboration. A detailed plan must be developed, covering time, costs, and risks associated with data transfer, as well as identifying alternative solutions that will ensure the continuity of critical services. For key providers, this process should be supported by a thorough business impact analysis, helping financial entities assess the operational consequences of provider disruptions and define adequate contingency measures.
3. How to link the register with operations and business processes?
The first step is to map the dependencies between each provider and the services they offer, such as data storage, cybersecurity, or software tools. Regular audits and verifications help ensure that providers continue to support these functions and that their services meet DORA requirements. It is also crucial to review and document contractual arrangements associated with each service, ensuring that agreements reflect current responsibilities and compliance expectations. If business processes change or a provider fails to support them, the register should be updated immediately to reflect the organization’s actual needs.
The involvement of operational departments is crucial for maintaining an accurate and up-to-date register. These teams are best equipped to understand how providers are used in daily operations and can identify discrepancies between the provider’s offerings and the organization’s evolving business needs. Clear communication channels should be established to ensure that any changes in service levels, performance, or dependencies are reflected in the register. Through cross-departmental collaboration, organizations can ensure that the register remains aligned with operational reality, helping meet DORA requirements and effectively manage risk.
4. Which systems should the ICT information register be integrated with?
To ensure compliance with DORA and effective management of ICT-related risks, the ICT supplier information register should be integrated with several systems within the organization. The most important of these are risk management systems and incident registers, which enable continuous monitoring of supplier risks, incidents, and overall performance. Integrating the register with risk management systems allows the organization to monitor and respond to supplier risks in real-time. Additionally, connecting the register with incident management systems enables documentation of past incidents, helping assess the provider’s historical performance and risk profile, and providing a comprehensive view of potential threats.
One of the main challenges organizations face when integrating the ICT supplier information register with other systems is data architecture incompatibility. Different systems often use different data formats, which can hinder consistency and accuracy across platforms. To overcome this issue, organizations should standardize the data model, ensuring uniformity across all systems by defining common data fields, formats, and protocols. This foundation also enables more effective data analytics, allowing for better insight into supplier performance, risk exposure, and compliance status across the entire ICT ecosystem.
5. How to manage ICT provider dependencies?
Many organizations rely on Excel spreadsheets to collect, store, and update information about suppliers, which becomes less efficient and more error-prone as the number of suppliers increases. Excel is limited when it comes to large-scale operations because it is difficult to maintain consistent documentation of the dependencies between suppliers and business functions. On the other hand, Governance, Risk, and Compliance (GRC) tools allow for process automation, minimizing errors and enabling real-time updates. With tools like RED INTO GREEN, organizations can effectively manage ICT third-party service providers’ dependencies, monitor changes in contracts, and provide risk notifications. Additionally, these tools offer data visualization, making it easier for teams to quickly understand and analyze the relationships and dependencies between suppliers and critical business functions. In short, RED INTO GREEN is DORA software that automates the DORA register.
Since the April 30, 2025 deadline for submitting the ICT supplier register has passed, financial entities must now be prepared to provide updated reports upon request from local supervisory authorities. If you’re still managing the register manually, for example, in Excel using drop-down fields for classification, it’s time to consider how you will handle upcoming updates and reporting obligations. Manual management becomes increasingly time-consuming and error-prone, potentially leading to audit issues, delayed reporting to authorities, and the need for corrections. Automating the process with specialized tools allows for compliance checks, ensuring regulatory alignment, long-term reporting, and adherence to standards such as DORA. This ensures that the ICT supplier register will always be ready for submission. Additionally, the RED INTO GREEN platform is fully compliant with the new reporting format published by the European Central Bank (EBA), making it easy to maintain compliance with regulations even as the framework is updated or the format changes.
By leveraging automation and data visualization, financial entities can streamline their processes, reduce risks associated with manual errors, and improve operational efficiency. This shift to automated systems not only guarantees timely and accurate reports but also strengthens compliance and enhances overall risk management practices.
6. How to manage the Register of Information
Financial entities must not only maintain the ICT supplier register but also ensure that the data can be easily exported and formatted according to various reporting standards required by competent authorities. Common reporting formats include RTS, CSV, JSON, and ZIP, each offering different advantages depending on data volume and institutional needs. One of the key formats under DORA is XBRL (eXtensible Business Reporting Language), which requires careful preparation and adherence to technical standards. To ensure data readiness for XBRL reporting, information must be accurately mapped to the required taxonomy. This includes correctly categorizing ICT services, data locations, and risk assessments, ensuring that all required elements are captured in the appropriate format. The use of specialized tools can improve scalability, allowing organizations to manage increasingly large datasets efficiently.
Preparing for audits and operational resilience tests is a crucial step in managing the Register of Information. These steps depend on completing the tasks described above, and their importance is considerable. Financial entities must ensure that their data is not only complete and accurate but also easily accessible for audits. This includes documenting any changes, risks, and the compliance status with DORA requirements. Data integrity is vital in this process to ensure that the information provided is reliable and precise. Automation tools can play a vital role in maintaining an up-to-date and auditable register, enabling quick and accurate generation of required reports. Furthermore, establishing clear reporting channels allows for efficient communication between departments and competent authorities, ensuring smooth data submission and compliance management. By utilizing automation and integrating advanced tools, financial entities can streamline the management of their ICT supplier register. This ensures regulatory compliance, improves operational efficiency, and enhances overall risk management practices.
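The data-readiness point made in this section (every required element present, correctly categorized, and exported in a consistent structured format) is illustrated by the following added example, which is not code from the page or from RED INTO GREEN. The column names are hypothetical placeholders and not the identifiers of the ESAs' XBRL-CSV taxonomy; the sample rows are constructed. The check covers three things an auditor looks for before submission: missing mandatory fields, cross-references that do not resolve (a contract pointing at a provider or function absent from the register), and date formatting.

```python
"""Added example: a readiness check and fixed-header CSV export for a Register of
Information before submission. Column names are hypothetical placeholders, not the
identifiers of the ESAs' taxonomy; the sample rows are constructed."""
import csv
import io
import re

# Hypothetical required columns per table (the real set comes from the reporting taxonomy)
REQUIRED = {
    "providers": ("provider_id", "provider_name", "country"),
    "functions": ("function_id", "function_name", "criticality"),
    "contracts": ("contract_ref", "provider_id", "function_id", "start_date", "data_location"),
}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample register: one clean contract and one with three defects
SAMPLE = {
    "providers": [
        {"provider_id": "P-01", "provider_name": "CloudHost Ltd", "country": "IE"},
    ],
    "functions": [
        {"function_id": "F-01", "function_name": "payment processing", "criticality": "critical"},
    ],
    "contracts": [
        {"contract_ref": "CTR-2024-01", "provider_id": "P-01", "function_id": "F-01",
         "start_date": "2024-03-01", "data_location": "IE"},
        {"contract_ref": "CTR-2024-02", "provider_id": "P-99", "function_id": "F-01",
         "start_date": "01/03/2024", "data_location": ""},
    ],
}


def validate(register):
    """Return a list of problems; an empty list means every required element is present,
    every cross-reference resolves, and dates are ISO 8601."""
    problems = []
    for table, cols in REQUIRED.items():
        for i, row in enumerate(register.get(table, [])):
            for col in cols:
                if not str(row.get(col, "")).strip():
                    problems.append(f"{table}[{i}]: missing {col}")
    provider_ids = {r["provider_id"] for r in register.get("providers", [])}
    function_ids = {r["function_id"] for r in register.get("functions", [])}
    for i, row in enumerate(register.get("contracts", [])):
        if row.get("provider_id") not in provider_ids:
            problems.append(f"contracts[{i}]: provider_id {row.get('provider_id')!r} not in providers")
        if row.get("function_id") not in function_ids:
            problems.append(f"contracts[{i}]: function_id {row.get('function_id')!r} not in functions")
        start = row.get("start_date", "")
        if start and not ISO_DATE.match(start):
            problems.append(f"contracts[{i}]: start_date {start!r} is not YYYY-MM-DD")
    return problems


def export_table(register, table):
    """Serialize one table with the required columns in a fixed order, so two exports of the
    same data are identical and extra internal fields never leak into the submission."""
    cols = REQUIRED[table]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in register.get(table, []):
        writer.writerow({col: row.get(col, "") for col in cols})
    return buf.getvalue()


if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("NOT READY:", problem)
    print(export_table(SAMPLE, "contracts"))
```

Running the check before each export, rather than after a rejection by the competent authority, is what turns the register into something that is always ready for submission; the fixed header order also makes two exports of the same data byte-identical, which simplifies change tracking for audits.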
7. Cyclical updates and maintenance of the register
To ensure effective management of cyclical updates to the Register of Information in accordance with DORA requirements, financial entities must establish consistent operational processes and clearly assign responsibilities among IT, operational, and compliance teams. A key tool is the three-level update model, which includes individual, sub-consolidated, and consolidated levels. Each of these levels has specific update requirements and processes, including regular review and adjustment of contractual arrangements with ICT service providers to reflect any changes in services delivered, supplier status, or regulatory obligations.
- Individual Entity Level: At this level, the register is updated based on individual ICT suppliers, including changes in contracts, risk assessments, incidents, or supplier categorization. These changes must be regularly monitored and updated to ensure that the documentation remains comprehensive and aligned with operational reality.
- Sub-Consolidated Level: For financial groups, data from individual financial entities must be aggregated at the group level, considering the dependencies between suppliers within these groups. This approach helps track and document the relationships between suppliers and business operations within medium-sized units.
- Consolidated Level: At the highest level, data from the entire group must be consolidated to provide a comprehensive view of ICT dependencies across the organization. This level is essential for assessing risks and ensuring compliance with DORA regulations at the organizational level.
To effectively implement cyclical update processes, it is crucial to assign responsibilities across IT, operational, and compliance teams. The IT team will be responsible for integrating the register with other systems and managing data architecture to ensure technical updates. The operational team will focus on monitoring dependencies between suppliers and critical functions to ensure that changes align with operational needs. The compliance team will be responsible for ensuring that all updates comply with DORA regulations.
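The three-level model described above (individual, sub-consolidated, consolidated) is illustrated by the following added example, written for this page rather than taken from RED INTO GREEN or from the RTS. It keeps a single individual-level register and derives the higher levels by rolling rows up through a group tree, so that the same provider appearing in several entities is recognized once at group level. The group structure, entity names, providers and rows are all constructed.

```python
"""Added example: rolling an individual-level register up to sub-consolidated and
consolidated views. The group tree, entity names and rows are constructed."""
from collections import defaultdict

# Constructed group structure: entity -> parent entity (None for the ultimate parent)
GROUP = {
    "HoldCo": None,
    "BankEU": "HoldCo",               # intermediate parent: the sub-consolidated level
    "BankEU-Branch-IT": "BankEU",
    "InsureCo": "HoldCo",
}

# Constructed individual-level rows: (entity, provider, service_id, function, critical)
ROWS = [
    ("BankEU", "CloudHost Ltd", "S-001", "payment processing", True),
    ("BankEU-Branch-IT", "CloudHost Ltd", "S-010", "customer onboarding", True),
    ("BankEU-Branch-IT", "Group IT Services", "S-011", "HR payroll", False),
    ("InsureCo", "CloudHost Ltd", "S-020", "claims handling", True),
    ("InsureCo", "AdMetrics GmbH", "S-021", "marketing analytics", False),
]


def scope_of(entity, group=GROUP):
    """The entity itself plus every entity beneath it in the group tree."""
    scope = {entity}
    changed = True
    while changed:
        changed = False
        for child, parent in group.items():
            if parent in scope and child not in scope:
                scope.add(child)
                changed = True
    return scope


def consolidate(entity, rows=ROWS, group=GROUP):
    """Aggregate rows for `entity` and its subsidiaries into one view per provider.

    Calling this with a leaf entity gives the individual level, with an intermediate
    parent the sub-consolidated level, and with the ultimate parent the consolidated level.
    """
    scope = scope_of(entity, group)
    view = defaultdict(lambda: {"entities": set(), "services": set(), "critical": False})
    for ent, provider, service_id, _function, critical in rows:
        if ent not in scope:
            continue
        entry = view[provider]
        entry["entities"].add(ent)
        entry["services"].add(service_id)
        entry["critical"] = entry["critical"] or critical
    return dict(view)


def concentration_risks(entity, rows=ROWS, group=GROUP):
    """Providers on which more than one in-scope entity depends for a critical function.
    These only become visible above the individual level."""
    return sorted(provider for provider, entry in consolidate(entity, rows, group).items()
                  if entry["critical"] and len(entry["entities"]) > 1)


if __name__ == "__main__":
    for level in ("BankEU-Branch-IT", "BankEU", "HoldCo"):
        print(level, "->", concentration_risks(level))
```

The point of keeping one individual-level dataset and deriving the other levels is that the three views can never drift apart: a contract change recorded once by the operational team is reflected at every level the compliance team reports on.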
Common mistakes in information register management and how to avoid them
Managing the Information Register in line with DORA requirements is a fundamental aspect of ensuring regulatory compliance and operational continuity. However, organizations often make mistakes that can lead to non-compliance, increased operational risk and inefficiency in managing ICT suppliers.
Treating the Register as a One-Time Task Instead of a Continuous Process
The ICT supplier register is often treated as a one-time task, which results in it becoming outdated and no longer relevant. To avoid this mistake, it should be treated as a living document that requires regular updates and integration into daily operational processes.
Underestimating the Number and Importance of ICT Suppliers
Organizations often fail to appreciate the number and significance of smaller external ICT service providers and subcontractors, who can have a significant impact on the company’s operations. It is crucial to assess and monitor all suppliers, including indirect ones, to ensure comprehensive risk management.
Lack of Control Over the Supplier Chain and Their Dependencies
A lack of full control over the supplier chain and their dependencies can lead to missed risks that could affect operational stability over time. It is essential to require full transparency from suppliers regarding their subcontractors and regularly monitor these dependencies to prevent potential issues. Strengthening visibility in the ICT supply chain is a key step toward achieving digital operational resilience, ensuring that organizations can anticipate disruptions and maintain continuity in critical functions.
Neglecting Risk Analysis Related to ICT Outsourcing
Failing to conduct a thorough risk analysis related to ICT outsourcing can lead to reliance on a provider who does not ensure adequate security measures. Regular risk assessments and testing of contingency plans allow for quicker detection of potential risks associated with outsourcing.
Lack of Integration of the Register with the Operational Risk Management System
The ICT supplier register is not always integrated with the operational risk management system, which can lead to data fragmentation and difficulty in monitoring risks. It is important for the register to be linked with risk and incident management platforms, enabling effective real-time threat monitoring.
Failure to Generate Separate Reports for Financial Entities Within a Larger Non-Financial Group, and Lack of Understanding of the Reporting Rules
In organizations that belong to a larger financial or non-financial group, there is often a challenge in generating separate reports that comply with DORA requirements. A misunderstanding of the reporting rules at different levels (individual, sub-consolidated, consolidated) can result in incorrect data consolidation and risks associated with incomplete information sharing.
European Supervisory Authorities (ESAs) RoI improvement process
From dry-run validation to the ESAs' decision to reinforce the data point model reflecting ICT service dependencies.
As part of the ongoing process to enhance the quality and usability of ICT supplier registers, the European Supervisory Authorities (ESAs) have initiated a structured feedback loop aimed at improving the data point model (DPM) used for DORA reporting. This initiative builds upon insights gathered during the dry run phase and focuses on better reflecting operational dependencies between ICT services and financial entities, including their contractual arrangements. The goal is to increase consistency, accuracy, and interoperability of the reported data across institutions. This continuous data quality feedback process is essential for refining the Register of Information structure, enabling more reliable supervisory analysis, more effective risk oversight, and stronger DORA compliance across the financial sector.
