---
title: "DORA Register of Information FAQ: ICT Third-Party Arrangements"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/register-of-information"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/register-of-information"
author: "Sorena AI"
description: "FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU DORA"
  - "DORA register of information"
  - "ICT third-party risk"
  - "ICT contractual arrangements"
  - "critical or important functions"
  - "ICT service supply chain"
---
# DORA Register of Information FAQ: ICT Third-Party Arrangements

FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.

## DORA Register of Information FAQ

A practical FAQ for building and maintaining DORA's register of information for ICT third-party service arrangements.

It covers the register owner, ICT service arrangements, standard templates, critical or important functions, subcontractors, reporting to competent authorities, data quality, and evidence records.

Under DORA, the register of information is the structured record of a financial entity's contractual arrangements for ICT services provided by ICT third-party service providers. It is not just a procurement list: it connects contracts, providers, ICT services, functions, data locations, subcontracting chains, assessments, and competent-authority reporting.

## What is the DORA register of information?

The DORA register of information is the financial entity's maintained and updated record of all contractual arrangements on the use of ICT services provided by ICT third-party service providers. DORA Article 28 requires the register at entity level and, where relevant, at sub-consolidated and consolidated levels.

The register must distinguish arrangements that support critical or important functions from arrangements that do not. That distinction matters because it drives extra contract, assessment, subcontracting, exit, audit, and reporting expectations.

- Include contractual arrangements for ICT services, not only traditional outsourcing contracts.
- Record all direct ICT third-party providers and the ICT services they provide.
- Mark whether the service supports a critical or important function or a material part of one.
- Make the register available to the competent authority on request, either in full or in requested sections.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA), Article 28](https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io) - Article 28 requires financial entities to maintain and update the register and make it available to competent authorities.
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Sets the standard templates and data structure for the DORA register of information.

## Who maintains it, and what arrangements must be captured?

The financial entity is responsible for maintaining and updating the register. In a group, the register can be maintained at entity, sub-consolidated, and consolidated levels, but the information still needs to let each financial entity meet its own DORA obligation.

The register covers all contractual arrangements for ICT services from direct ICT third-party service providers. For groups, it also needs to reflect intra-group ICT service arrangements and the link between intra-group contracts and external ICT third-party provider contracts where they sit in the same ICT service supply chain.

- Use a unique and stable contractual arrangement reference number across the register templates.
- Capture standalone contracts, master or framework arrangements, and subsequent or associated arrangements such as order forms.
- Identify the entity signing the arrangement and the financial entity making use of the ICT service when those are different.
- For group registers, include the relevant financial entities and ICT intra-group service providers in the scope of consolidation.

Sources for this answer:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Explains entity, group, contract-reference, intra-group, and service-supply-chain template logic.
- [Regulation (EU) 2022/2554 (DORA), Article 28](https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io) - Keeps responsibility with the financial entity even when ICT services are provided by third parties.

## Which fields matter most in the standard templates?

Implementing Regulation (EU) 2024/2956 organizes the register into linked templates rather than one flat spreadsheet. The important design choice is to use the same keys consistently: contract reference number, entity and provider identifiers, function identifier, and type of ICT service.

At minimum, teams should make sure their source systems can populate the templates for the maintaining entity, in-scope entities and branches, contractual arrangements, signing entities, ICT third-party providers, ICT service supply chains, functions, assessments, and internal terminology.

- Provider identity: LEI or EUID for legal persons established in the Union, and LEI for legal persons not established in the Union.
- Contract details: arrangement type, annual expense or estimated cost, start and end dates, termination reason when relevant, governing law, service country, and notice periods where required.
- Service and data details: ICT service type, function identifier, storage and processing locations, data sensitivity, and level of reliance for critical or important functions.
- Assessment details: substitutability, reason for difficult substitution, date of last audit, exit plan, reintegration possibility, discontinuation impact, and identified alternatives.

Sources for this answer:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Provides the template list, keys, mandatory fields, closed lists, and data-format rules.

## How should critical or important functions and subcontractors be handled?

Critical or important function status should be assessed before entering into an ICT service arrangement and revisited when a service, function, provider, data location, or subcontracting chain changes. DORA treats the criticality or importance of the supported function as central to ICT third-party risk.

For subcontractors, the register does not require every remote supplier in every chain. The 2024/2956 templates require subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them, including subcontractors whose disruption would impair the security or continuity of the service.

- Document the methodology used to decide whether an ICT service supports a critical or important function.
- Map each critical or important function to the ICT services and providers that support it.
- For critical or important functions, capture the service supply chain with rank 1 for the direct ICT third-party provider and higher ranks for subcontractors.
- Keep subcontracting risk assessments separate from supplier assurances; reliance on provider assessments does not remove the financial entity's final responsibility.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA), Articles 28 to 30](https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io) - Requires pre-contract assessment, concentration-risk assessment, and additional contractual provisions for ICT services supporting critical or important functions.
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Limits register subcontractor capture to subcontractors that effectively underpin ICT services supporting critical or important functions or material parts.
- [Delegated Regulation (EU) 2025/532 on subcontracting ICT services](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj?ref=sorena.io) - Specifies elements to assess when subcontracting ICT services supporting critical or important functions.

## How is the register submitted or exported?

DORA requires financial entities to report at least yearly to competent authorities on new ICT-service arrangements, provider categories, contract types, ICT services, and functions being provided. It also requires them to make the full register, or requested sections, available to the competent authority on request.

The implementing regulation is explicit that the register is maintained through standard templates with defined columns, rows, single-value data elements, identifiers, and closed lists. The practical export should therefore preserve the template structure and keys rather than turning the register into a narrative report.

- Keep a reportable version of each template, not only dashboard views.
- Use ISO formats and closed-list values where the template requires them.
- Maintain evidence for the last update date, reporting date when applicable, and the competent authority to which reporting is made.
- When a competent authority asks for sections, export by template and key so contracts, providers, functions, services, and assessments still reconcile.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA), Article 28](https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io) - Sets the yearly reporting and competent-authority access requirements for the register.
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Requires table-based templates, single-value data elements, and completion at entity, sub-consolidated, and consolidated level as applicable.

## What evidence and data-quality checks should support the register?

The register should be backed by evidence that each field can be traced to a contract, provider record, business-function owner, risk assessment, audit record, exit plan, or source system. Implementing Regulation (EU) 2024/2956 requires the template information to be accurate and consistent, regularly reviewed, and promptly corrected when errors or discrepancies are found.

Evidence should be operational rather than decorative. A strong register package shows that contract owners, business-service owners, ICT risk, procurement, legal, and group reporting teams are using the same identifiers and that changes in services, functions, providers, subcontractors, data locations, or criticality are reflected in the templates.

- Contract evidence: executed agreement, master agreement, order form, SLA, amendment, termination notice, and notice-period source.
- Provider evidence: LEI or EUID check, legal name, headquarters country, direct provider status, ultimate parent, and subcontractor list where required.
- Function evidence: business owner approval, function identifier, critical or important function assessment, reliance level, and impact of discontinuing the service.
- Assurance evidence: due diligence, information-security standard review, audit date, substitutability analysis, exit plan, alternative-provider assessment, and data-location validation.
- Quality evidence: reconciliation reports for duplicate contract references, missing mandatory fields, inconsistent identifiers, stale provider data, and unresolved template errors.
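The reconciliation checks listed above, together with the shared-key design described for the linked templates, can be run as one pass over a register extract. This is an added example, not Sorena's code or an official validator: the column names, the three-table layout, the `reconcile` function and the sample rows are assumptions made for illustration, and only the LEI check follows a published standard (ISO 17442, MOD 97-10).

```python
from collections import Counter

# Hypothetical column names for illustration; the official templates define their own.
MANDATORY = {
    "providers": ("provider_id", "legal_name", "country"),
    "contracts": ("contract_ref", "provider_id", "function_id",
                  "ict_service_type", "supports_cif"),
    "supply_chain": ("contract_ref", "provider_id", "rank"),
}

def _digits(text):
    # ISO 7064 MOD 97-10 mapping: 0-9 stay as they are, A=10 ... Z=35
    return "".join(str(int(ch, 36)) for ch in text)

def lei_is_valid(lei):
    """ISO 17442 LEI: 20 ASCII alphanumerics, last two numeric, number mod 97 == 1."""
    lei = (lei or "").upper()
    if len(lei) != 20 or not (lei.isascii() and lei.isalnum() and lei[18:].isdigit()):
        return False
    return int(_digits(lei)) % 97 == 1

def make_test_lei(base18):
    """Append valid check digits to an 18-character base (constructed samples only)."""
    return base18 + f"{98 - int(_digits(base18 + '00')) % 97:02d}"

def reconcile(register):
    """Return (template, key, problem) findings for a register extract."""
    findings = []
    providers = register["providers"]
    contracts = register["contracts"]
    chain = register["supply_chain"]

    # 1. Missing mandatory fields, reported by row index within each template.
    for template, fields in MANDATORY.items():
        for i, row in enumerate(register[template]):
            for field in fields:
                if row.get(field) in (None, ""):
                    findings.append((template, i, f"missing {field}"))

    # 2. Duplicate contract references (assumes one row per arrangement).
    for ref, n in Counter(c.get("contract_ref") for c in contracts).items():
        if ref and n > 1:
            findings.append(("contracts", ref, "duplicate contract_ref"))

    # 3. Provider identifiers: LEI checked when present; EUIDs are not validated here.
    for p in providers:
        if p.get("lei") and not lei_is_valid(p["lei"]):
            findings.append(("providers", p.get("provider_id"), "invalid LEI"))

    # 4. Keys used in one template must resolve in the template that owns them.
    known = {p.get("provider_id") for p in providers}
    refs = {c.get("contract_ref") for c in contracts}
    for template, rows in (("contracts", contracts), ("supply_chain", chain)):
        for row in rows:
            pid = row.get("provider_id")
            if pid and pid not in known:
                findings.append((template, row.get("contract_ref"), f"unknown provider_id {pid}"))
    for row in chain:
        if row.get("contract_ref") not in refs:
            findings.append(("supply_chain", row.get("contract_ref"), "contract_ref not in contracts"))

    # 5. Arrangements supporting a critical or important function need the direct
    #    provider recorded at rank 1 of the service supply chain.
    rank1 = {(r.get("contract_ref"), r.get("provider_id")) for r in chain if r.get("rank") == 1}
    for c in contracts:
        if c.get("supports_cif") and (c.get("contract_ref"), c.get("provider_id")) not in rank1:
            findings.append(("supply_chain", c.get("contract_ref"), "no rank 1 row for direct provider"))
    return findings

SAMPLE = {  # constructed data, not taken from any real register
    "providers": [
        {"provider_id": "P1", "legal_name": "Example Cloud SA", "country": "IE",
         "lei": make_test_lei("EXAMPLEPROVIDER001")},
        {"provider_id": "P2", "legal_name": "Example Hosting BV", "country": "NL",
         "lei": "EXAMPLEPROVIDER002"},  # truncated to 18 characters
    ],
    "contracts": [
        {"contract_ref": "CA-001", "provider_id": "P1", "function_id": "F1",
         "ict_service_type": "TYPE-A", "supports_cif": True},
        {"contract_ref": "CA-001", "provider_id": "P2", "function_id": "F2",
         "ict_service_type": "TYPE-B", "supports_cif": False},
        {"contract_ref": "CA-002", "provider_id": "P9", "function_id": "",
         "ict_service_type": "TYPE-A", "supports_cif": True},
    ],
    "supply_chain": [
        {"contract_ref": "CA-001", "provider_id": "P1", "rank": 1},
        {"contract_ref": "CA-001", "provider_id": "P2", "rank": 2},
    ],
}
```

Each finding names the template and key it belongs to, so the output can be filed as the reconciliation report and routed to the owner of that template.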

Sources for this answer:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Requires regular review, prompt correction of errors, and data-quality principles for the register templates.
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj?ref=sorena.io) - Connects contract governance to risk assessment, due diligence, documentation, monitoring, record-keeping, exit strategies, and critical or important functions.

## Primary sources

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io) - Primary DORA text for Article 28 register duties, ICT third-party risk, critical or important functions, competent-authority access, and yearly reporting.
  - Quote: "maintain and update at entity level"
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj?ref=sorena.io) - Standard template source for register scope, template structure, identifiers, service supply chains, assessments, data format, and data-quality principles.
  - Quote: "standard templates for the register of information"
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj?ref=sorena.io) - RTS source for governance, documentation, due diligence, monitoring, audit, and exit-policy expectations for ICT services supporting critical or important functions.
  - Quote: "policy on the use of ICT services"
- [Delegated Regulation (EU) 2025/532 on subcontracting ICT services](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj?ref=sorena.io) - RTS source for subcontracting assessment and monitoring where ICT services support critical or important functions or material parts.
  - Quote: "subcontracting ICT services supporting critical or important functions"

