Implementation GuideEU

EU DORA Register of Information (RoI)

Build the RoI as a relational dataset you can export on demand - not a spreadsheet nobody trusts.

Grounded in Article 28 and ITS 2024/2956 (standard templates for the register of information).

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

DORA requires financial entities to maintain and update a register of information covering contractual arrangements for ICT services from ICT third-party providers, and to provide the full register or specified sections to competent authorities on request. The simplest way to comply (and stay consistent across entity/sub-consolidated/consolidated levels) is to treat the RoI as a data product: a relational model, governed identifiers, and an automated extraction + validation pipeline that can export ITS templates quickly and accurately.

Section 1

What the RoI is (and what it is not)

The RoI is a supervisory artifact and an internal risk management instrument: a structured view of ICT third-party dependencies, linked to contracts and services.

It's not a procurement vendor list. It's not a one-time spreadsheet. If you can't export it reliably and explain the joins, it won't survive supervision.

  • Scope: contractual arrangements on the use of ICT services provided by ICT third-party providers (Article 28).
  • Levels: maintain and update at entity level, and at sub-consolidated and consolidated levels where applicable (Article 28).
  • On request: be able to provide the full register or specified sections, plus supporting information for effective supervision (Article 28).
Section 2

RoI data model blueprint (contract -> service -> function -> provider -> supply chain)

Implement the RoI as a normalized relational model with stable identifiers and explicit links between contracting entities, ICT services, functions, providers, and subcontractors.

This aligns with the ITS approach: open tables linked by specific keys (contract reference numbers, function identifiers, LEIs/provider identifiers).

  • Contractual arrangement reference number: define one unique key per contract and never reuse it (your primary join key).
  • ICT service taxonomy: normalize service names and map each service to business functions and technical dependencies.
  • Function identifier catalog: define a stable function ID set for critical/important mapping and cross-template joins.
  • Provider identity normalization: use LEI/EUID where available; standardize naming, group relationships, and service ownership models.
  • Supply chain representation: model direct providers and relevant subcontractors that effectively underpin ICT services supporting critical/important functions.
Recommended next step

Keep EU DORA Register of Information (RoI) in one governed evidence system

SSOT can take EU DORA Register of Information (RoI) from reusing this material inside a governed evidence system to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Evidence system
Open SSOT for EU DORA Register of Information (RoI)

Start from EU DORA Register of Information (RoI) and keep documents, evidence, and control records in one governed system.

Explore next step
Talk to Sorena
Talk through EU DORA

Review your current process, evidence gaps, and next steps for EU DORA Register of Information (RoI).

Explore next step
Section 3

Extraction pipeline (systems-of-record -> RoI dataset -> ITS export)

The RoI is an integration problem: procurement, vendor risk, CMDB/service catalog, IAM, cloud inventory, and contract repositories each contain part of the truth.

Your target state is export-ready data - not hand-assembled files.

  • Ingest: contract metadata (legal), vendor + spend (procurement), due diligence (security/vendor risk), service mapping (CMDB/service catalog), locations + hosting (cloud inventory).
  • Transform: resolve entity/provider identities, enforce stable identifiers, and create relational links (contract->provider, contract->users, service->function, service->subcontractors).
  • Validate: completeness, uniqueness, and referential integrity checks block exports when critical joins fail.
  • Export: generate the ITS annex templates (B_01-B_07) from the same dataset so entity vs consolidated views reconcile.
Section 4

Governance + operating cadence (how to keep the RoI accurate)

RoI compliance is a governance discipline: without clear ownership and change controls, it drifts immediately after launch.

Define an operating cadence that makes updates automatic whenever contracts or service dependencies change.

  • RACI: procurement (vendor onboarding), legal (contract metadata), security (due diligence + monitoring), engineering (service/function mapping), compliance (export readiness).
  • Change control: provider changes (subcontractors, hosting locations, scope expansions) are treated as material changes and trigger RoI updates.
  • Quarterly RoI QA: sample critical/important services and verify the full supply chain + exit dependencies are current.
  • Supervisor readiness drill: timebox an RoI export request and measure speed + consistency across entity and consolidated exports.
Section 5

Common pitfalls (use these as acceptance criteria)

Most RoI failures are predictable: missing keys, inconsistent naming, and invisible subcontracting chains for critical services.

Fix the root causes in your model and pipeline - not in the export file.

  • No global contract reference key -> joins break across templates and entities.
  • No service/function mapping -> you can't prove which ICT services support which critical/important functions.
  • Subcontractors ignored -> supply chain risk and concentration risk are invisible.
  • Manual exports -> every request becomes a fire drill and produces inconsistent outputs.
  • Weak validation -> supervisors get different answers depending on who exports the register.
Section 6

Build for actual supervisory use, not just annual maintenance

Supervisors use RoI data to understand concentration risk, critical-function support chains, and reliance on major providers across the sector.

That is why RoI engineering should be treated as production data management, not as a once-a-year compliance exercise.

  • The first critical ICT third-party provider designation list published on 18 November 2025 shows the RoI now feeds real oversight decisions.
  • Make provider identity normalization and subcontractor coverage mandatory controls, because those are the records that determine whether systemic dependency is visible.
  • Run export drills against the ITS structure so entity and consolidated views produce the same provider, contract, and function relationships.
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA) - Official Journal
eur-lex.europa.eu
Referenced sections
  • Article 28 establishes the register of information obligation at entity/sub-consolidated/consolidated levels and requires making it available to competent authorities on request.
Related guides

Explore more topics

DORA Applicability Test | Is EU DORA Applicable to Your Entity?
A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774
A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide
A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
EU DORA Compliance Guide | DORA Implementation Playbook
A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence
A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)
A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.