Skip to main content
DORA Auditor

Register of Information

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

The register of information is a structured record, required by DORA Article 28, of all contractual arrangements a financial entity has with ICT third-party providers. It must distinguish arrangements that support critical or important functions and be reportable to competent authorities.

Detailed explanation

The register acts as the single source of truth for a financial entity's ICT outsourcing landscape. It captures details of each provider, the services supplied, whether the arrangement supports a critical or important function, contract dates, and related risk information. Competent authorities can request the register at any time, and the European Supervisory Authorities have published implementing technical standards specifying its exact templates and data fields. Maintaining an accurate register is often the first practical step in a DORA third-party-risk programme, and tools exist to help build one in the prescribed format.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 28.

Related terms

Sources

  1. DORA Article 28, EUR-Lex