--- title: "DORA Register of Information (RoI) - How to Build It" canonical_url: "https://www.sorena.io/artifacts/eu/dora/register-of-information-how-to-build" source_url: "https://www.sorena.io/artifacts/eu/dora/register-of-information-how-to-build" author: "Sorena AI" description: "Build an audit-ready DORA Register of Information (RoI): define scope and relational keys." keywords: - "DORA register of information" - "DORA RoI" - "DORA RoI how to build" - "DORA Article 28 register" - "DORA ICT third party register" - "outsourcing register DORA" - "ITS 2024/2956 register templates" - "DORA register of information template" - "register of information" - "RoI" - "Article 28" - "ITS 2024/2956" - "ICT third-party register" - "outsourcing register" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # DORA Register of Information (RoI) - How to Build It Build an audit-ready DORA Register of Information (RoI): define scope and relational keys. *Implementation Guide* *EU* ## EU DORA Register of Information (RoI) Build the RoI as a relational dataset you can export on demand - not a spreadsheet nobody trusts. Grounded in Article 28 and ITS 2024/2956 (standard templates for the register of information). DORA requires financial entities to maintain and update a register of information covering contractual arrangements for ICT services from ICT third-party providers, and to provide the full register or specified sections to competent authorities on request. The simplest way to comply (and stay consistent across entity/sub-consolidated/consolidated levels) is to treat the RoI as a data product: a relational model, governed identifiers, and an automated extraction + validation pipeline that can export ITS templates quickly and accurately. ## What the RoI is (and what it is not) The RoI is a supervisory artifact and an internal risk management instrument: a structured view of ICT third-party dependencies, linked to contracts and services. It's not a procurement vendor list. It's not a one-time spreadsheet. If you can't export it reliably and explain the joins, it won't survive supervision. - Scope: contractual arrangements on the use of ICT services provided by ICT third-party providers (Article 28). - Levels: maintain and update at entity level, and at sub-consolidated and consolidated levels where applicable (Article 28). - On request: be able to provide the full register or specified sections, plus supporting information for effective supervision (Article 28). ## RoI data model blueprint (contract -> service -> function -> provider -> supply chain) Implement the RoI as a normalized relational model with stable identifiers and explicit links between contracting entities, ICT services, functions, providers, and subcontractors. This aligns with the ITS approach: open tables linked by specific keys (contract reference numbers, function identifiers, LEIs/provider identifiers). - Contractual arrangement reference number: define one unique key per contract and never reuse it (your primary join key). - ICT service taxonomy: normalize service names and map each service to business functions and technical dependencies. - Function identifier catalog: define a stable function ID set for critical/important mapping and cross-template joins. - Provider identity normalization: use LEI/EUID where available; standardize naming, group relationships, and service ownership models. - Supply chain representation: model direct providers and relevant subcontractors that effectively underpin ICT services supporting critical/important functions. *Recommended next step* *Placement: after the template, evidence, or documentation block* ## Keep EU DORA Register of Information (RoI) in one governed evidence system SSOT can take EU DORA Register of Information (RoI) from reusing this material inside a governed evidence system to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open SSOT for EU DORA Register of Information (RoI)](/solutions/ssot.md): Start from EU DORA Register of Information (RoI) and keep documents, evidence, and control records in one governed system. - [Talk through EU DORA](/contact.md): Review your current process, evidence gaps, and next steps for EU DORA Register of Information (RoI). ## Extraction pipeline (systems-of-record -> RoI dataset -> ITS export) The RoI is an integration problem: procurement, vendor risk, CMDB/service catalog, IAM, cloud inventory, and contract repositories each contain part of the truth. Your target state is export-ready data - not hand-assembled files. - Ingest: contract metadata (legal), vendor + spend (procurement), due diligence (security/vendor risk), service mapping (CMDB/service catalog), locations + hosting (cloud inventory). - Transform: resolve entity/provider identities, enforce stable identifiers, and create relational links (contract->provider, contract->users, service->function, service->subcontractors). - Validate: completeness, uniqueness, and referential integrity checks block exports when critical joins fail. - Export: generate the ITS annex templates (B_01-B_07) from the same dataset so entity vs consolidated views reconcile. ## Governance + operating cadence (how to keep the RoI accurate) RoI compliance is a governance discipline: without clear ownership and change controls, it drifts immediately after launch. Define an operating cadence that makes updates automatic whenever contracts or service dependencies change. - RACI: procurement (vendor onboarding), legal (contract metadata), security (due diligence + monitoring), engineering (service/function mapping), compliance (export readiness). - Change control: provider changes (subcontractors, hosting locations, scope expansions) are treated as material changes and trigger RoI updates. - Quarterly RoI QA: sample critical/important services and verify the full supply chain + exit dependencies are current. - Supervisor readiness drill: timebox an RoI export request and measure speed + consistency across entity and consolidated exports. ## Common pitfalls (use these as acceptance criteria) Most RoI failures are predictable: missing keys, inconsistent naming, and invisible subcontracting chains for critical services. Fix the root causes in your model and pipeline - not in the export file. - No global contract reference key -> joins break across templates and entities. - No service/function mapping -> you can't prove which ICT services support which critical/important functions. - Subcontractors ignored -> supply chain risk and concentration risk are invisible. - Manual exports -> every request becomes a fire drill and produces inconsistent outputs. - Weak validation -> supervisors get different answers depending on who exports the register. ## Build for actual supervisory use, not just annual maintenance Supervisors use RoI data to understand concentration risk, critical-function support chains, and reliance on major providers across the sector. That is why RoI engineering should be treated as production data management, not as a once-a-year compliance exercise. - The first critical ICT third-party provider designation list published on 18 November 2025 shows the RoI now feeds real oversight decisions. - Make provider identity normalization and subcontractor coverage mandatory controls, because those are the records that determine whether systemic dependency is visible. - Run export drills against the ITS structure so entity and consolidated views produce the same provider, contract, and function relationships. ## Primary sources - [Regulation (EU) 2022/2554 (DORA) - Official Journal](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Article 28 establishes the register of information obligation at entity/sub-consolidated/consolidated levels and requires making it available to competent authorities on request. - [Commission Implementing Regulation (EU) 2024/2956 - Standard templates for the register of information (ITS)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Defines the RoI template structure (Annex templates B_01-B_07), relational keys, and data quality expectations for consistent reporting. - [Commission Delegated Regulation (EU) 2024/1773 - Contractual arrangements RTS](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Due diligence, monitoring, audit/access, and exit planning expectations that should be reflected in RoI fields and evidence links. - [EBA press release - ESAs consult on first batch of DORA policy products](https://www.eba.europa.eu/publications-and-media/press-releases/esas-consult-first-batch-dora-policy-products?ref=sorena.io) - Regulatory activity context for DORA policy products, including register-of-information templates. - [ESMA news - ESAs designate critical ICT third-party providers under DORA](https://www.esma.europa.eu/press-news/esma-news/european-supervisory-authorities-designate-critical-ict-third-party-providers?ref=sorena.io) - Confirms that RoI submissions feed real criticality assessments at EU level. ## Related Topic Guides - [DORA Applicability Test | Is EU DORA Applicable to Your Entity?](/artifacts/eu/dora/applicability-test.md): A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2. - [DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk](/artifacts/eu/dora/faq.md): High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means. - [DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774](/artifacts/eu/dora/ict-risk-management-control-baseline.md): A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence. - [DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532](/artifacts/eu/dora/third-party-risk-and-contract-clauses.md): A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring. - [DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301](/artifacts/eu/dora/major-incident-reporting.md): A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules. - [DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments](/artifacts/eu/dora/penalties-and-fines.md): A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50). - [DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)](/artifacts/eu/dora/dora-register-of-information-template.md): A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956). - [DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide](/artifacts/eu/dora/testing-and-tlpt-readiness.md): A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation. - [DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness](/artifacts/eu/dora/dora-vs-iso-27001.md): A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations. - [DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities](/artifacts/eu/dora/dora-vs-nis2.md): A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture. - [EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)](/artifacts/eu/dora/checklist.md): An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline. - [EU DORA Compliance Guide | DORA Implementation Playbook](/artifacts/eu/dora/compliance.md): A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline. - [EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence](/artifacts/eu/dora/deadlines-and-compliance-calendar.md): A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301. - [EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)](/artifacts/eu/dora/requirements.md): A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II). - [EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)](/artifacts/eu/dora/scope-and-covered-entities.md): A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/dora/register-of-information-how-to-build