EU DORA RoI Template Guide

Implement the ITS annex templates as a relational schema with stable identifiers and fast exports.

Grounded in Implementing Regulation (EU) 2024/2956 (standard templates for the register of information).

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

Implementing Regulation (EU) 2024/2956 defines standard templates for the DORA register of information and describes a relational structure that links open tables via specific keys (contract reference numbers, function identifiers, LEIs, provider identifiers). The fastest path to compliance is to treat the annex templates as a schema contract: define your identifiers, enforce referential integrity, and generate exports automatically, so that you can produce supervisor-ready templates on demand.

Section 1

What the ITS templates are for (and why they're relational)

The ITS templates enable consistent understanding of ICT dependencies across firms and groups, and they support effective supervision and oversight of critical ICT third-party providers.

The ITS uses open tables (fixed columns, unlimited rows) and explicit relational keys to avoid ambiguous, non-comparable narrative registers.

  • Build once, export many: a governed dataset + exporter beats manual spreadsheet updates.
  • Identifier discipline is non-negotiable: contract reference numbers and function IDs must be stable and consistent.
  • Data quality is part of compliance: accuracy, consistency, regular review, and prompt error correction are explicit expectations.
Section 2

Template map (B_01-B_07) - a workable mental model

The annex templates cover: reporting perimeter, contractual arrangements, signatories, providers, usage, supply chain, functions, and criticality assessment.

Treat templates as views over one normalized model; avoid duplicating the same facts across multiple tables.

  • B_01.*: reporting perimeter (entity, consolidation, branches outside home country).
  • B_02.*: contractual arrangements (general + specific details + intra-group reconciliation where applicable).
  • B_03.*: parties who sign (contracting entities, direct ICT provider signatories, intra-group signatories).
  • B_04.*: entities using ICT services (consumption mapping).
  • B_05.*: providers + subcontractors and ICT service supply chain links.
  • B_06.*: function identification catalog (function IDs and descriptions).
  • B_07.*: assessment of ICT services supporting critical/important functions (or material parts thereof).
Section 3

Relational keys (define these first or exports will never reconcile)

The ITS stresses identifier consistency (contract reference numbers, function identifiers, LEIs/provider identifiers) to ensure operability and comparability.

Define these centrally, make them immutable, and validate them before every export.

  • Contractual arrangement reference number: immutable primary key for contractual arrangements (join backbone).
  • Function identifier: stable function catalog used for critical/important mapping and cross-template joins.
  • LEI/EUID: use valid and active LEIs where required; capture EUID where applicable and normalize provider identities.
  • Supply chain linkage keys: represent direct providers, intra-group providers, and external subcontractors consistently.
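
As an added illustration (not part of the ITS or of the original guide), the sketch below shows a pre-export identifier check: it normalizes LEI strings, verifies the ISO 17442 structure and MOD 97-10 check digits, and reports provider IDs that share one LEI. The provider IDs and the sample LEI are constructed; whether an LEI is active still requires a registry lookup.

```python
import re

_LEI_SHAPE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")

def normalize_identifier(raw: str) -> str:
    """Upper-case and drop spaces/hyphens so the same identifier always joins."""
    return re.sub(r"[\s\-]", "", raw).upper()

def _as_number(text: str) -> int:
    # ISO 7064 MOD 97-10 expansion: digits stay, letters A..Z become 10..35.
    return int("".join(str(int(ch, 36)) for ch in text))

def lei_check_digits(prefix18: str) -> str:
    """Check digits for an 18-character prefix (used to build constructed samples)."""
    return f"{98 - _as_number(prefix18 + '00') % 97:02d}"

def lei_is_wellformed(raw: str) -> bool:
    """Structure and checksum only; 'active' status needs a registry lookup."""
    lei = normalize_identifier(raw)
    return bool(_LEI_SHAPE.fullmatch(lei)) and _as_number(lei) % 97 == 1

def screen_providers(rows):
    """rows: (provider_id, lei) pairs. Returns (malformed ids, LEIs shared by >1 id)."""
    malformed, owners = [], {}
    for provider_id, lei in rows:
        if not lei_is_wellformed(lei):
            malformed.append(provider_id)
            continue
        owners.setdefault(normalize_identifier(lei), []).append(provider_id)
    shared = {lei: ids for lei, ids in owners.items() if len(ids) > 1}
    return malformed, shared

# Constructed sample: the prefix is made up, not a registered LEI.
SAMPLE_LEI = "ZZZZ00CONSTRUCTED1" + lei_check_digits("ZZZZ00CONSTRUCTED1")
SAMPLE_ROWS = [
    ("PRV-001", SAMPLE_LEI),
    ("PRV-002", SAMPLE_LEI.lower()),            # same provider entered twice
    ("PRV-003", SAMPLE_LEI[:-2] + "00"),        # wrong check digits
]
```
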
Section 4

Data quality rules (make "export-ready" a measurable state)

Export readiness is not a feeling; it is a set of checks. Build a validation layer that blocks exports when joins or required fields fail.

This turns RoI maintenance into a continuous-control process rather than a yearly scramble.

  • Completeness: required fields present for all contracts supporting critical/important functions and their underpinning supply chain.
  • Referential integrity: every foreign key resolves (contract->provider, contract->users, service->function, service->subcontractors).
  • Uniqueness: no duplicated/reused contract reference numbers, function IDs, or provider IDs across the reporting perimeter.
  • Consistency across levels: entity vs consolidated exports reconcile without conflicting identifiers.
  • Review cadence: evidence of regular review and prompt correction of discrepancies (audit trail).
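
A minimal validation gate along these lines, as an added example that is not taken from the ITS or from the original guide: uniqueness, referential integrity and completeness are expressed as queries, and the export refuses to run while any of them returns rows. The table names, column names (including `start_date` as the required field) and sample rows are hypothetical and constructed.

```python
import sqlite3

# Hypothetical staging tables; deliberately no constraints, because merged source
# systems deliver dirty rows and the checks must report them, not reject the load.
SCHEMA = """
CREATE TABLE provider     (provider_id TEXT, name TEXT);
CREATE TABLE func_catalog (function_id TEXT, critical INTEGER);
CREATE TABLE contract     (contract_ref TEXT, provider_id TEXT,
                           function_id TEXT, start_date TEXT);
"""
# Each check is a query that returns the contract references violating it.
CHECKS = {
    "uniqueness": "SELECT contract_ref FROM contract "
                  "GROUP BY contract_ref HAVING COUNT(*) > 1",
    "provider_fk": "SELECT c.contract_ref FROM contract c LEFT JOIN provider p "
                   "ON p.provider_id = c.provider_id WHERE p.provider_id IS NULL",
    "function_fk": "SELECT c.contract_ref FROM contract c LEFT JOIN func_catalog f "
                   "ON f.function_id = c.function_id WHERE f.function_id IS NULL",
    "completeness": "SELECT c.contract_ref FROM contract c JOIN func_catalog f "
                    "ON f.function_id = c.function_id WHERE f.critical = 1 "
                    "AND COALESCE(c.start_date, '') = ''",
}

def run_checks(conn):
    """Return {check name: sorted offending contract_refs}; empty means export-ready."""
    found = {n: sorted({str(r[0]) for r in conn.execute(q)}) for n, q in CHECKS.items()}
    return {n: refs for n, refs in found.items() if refs}

def export_contracts(conn):
    """Refuse to export while any check fails, so bad joins never reach a template."""
    failures = run_checks(conn)
    if failures:
        raise ValueError(f"export blocked: {failures}")
    return conn.execute("SELECT * FROM contract ORDER BY contract_ref").fetchall()

def build_sample(dirty):
    """Constructed data: two clean contracts, plus two defective ones if dirty."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO provider VALUES ('PRV-1', 'Constructed Cloud Ltd')")
    conn.executemany("INSERT INTO func_catalog VALUES (?, ?)", [("F-PAY", 1), ("F-HR", 0)])
    rows = [("CA-001", "PRV-1", "F-PAY", "2024-01-01"), ("CA-002", "PRV-1", "F-HR", None)]
    if dirty:
        rows += [("CA-001", "PRV-1", "F-HR", "2024-02-01"),  # reference reused
                 ("CA-003", "PRV-9", "F-PAY", None)]         # unknown provider, no date
    conn.executemany("INSERT INTO contract VALUES (?, ?, ?, ?)", rows)
    return conn
```
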
Section 5

Why RoI data quality now has direct supervisory consequences

The register of information is not just an internal inventory. The ESAs used RoI data from financial entities as part of the process that led to the first DORA critical ICT third-party provider designations.

That means inconsistent identifiers, missing subcontractors, or weak critical-function mapping do not just create an internal cleanup problem. They affect how supervisors understand concentration and systemic dependency.

  • The first designated critical ICT third-party provider list was published on 18 November 2025.
  • Use that milestone as a quality threshold: your RoI should support provider concentration analysis, critical-function mapping, and group-level consistency without manual repair.
  • If a key provider becomes designated as critical, make sure your RoI, contract posture, monitoring, and exit planning all reconcile to the same provider and contract identifiers.
Section 6

Implementation checklist (fast path)

Use this to implement quickly without building a brittle solution.

Aim for a minimal viable RoI in 2-6 weeks, then iterate for coverage and automation.

  • Define identifier policy (contract reference numbers, function IDs, provider identity normalization).
  • Map service catalog -> functions and tag critical/important services (with approvals).
  • Integrate contract repository + procurement + vendor risk + CMDB/cloud inventory into one model.
  • Generate B_01-B_07 exports and run validation checks; fix root causes, not export outputs.
  • Run quarterly RoI drills: produce exports and answer supervisor-style questions from the dataset.