Register of Information
The register of information is a structured record, required by DORA Article 28, of all contractual arrangements a financial entity has with ICT third-party providers. It must distinguish arrangements that support critical or important functions and be reportable to competent authorities.
Detailed explanation
The register acts as the single source of truth for a financial entity's ICT outsourcing landscape. It captures details of each provider, the services supplied, whether the arrangement supports a critical or important function, contract dates, and related risk information. Competent authorities can request the register at any time, and the European Supervisory Authorities have published implementing technical standards specifying its exact templates and data fields. Maintaining an accurate register is often the first practical step in a DORA third-party-risk programme, and tools exist to help build one in the prescribed format.
In context
This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 28.