Skip to main content
DORA Auditor

ICT Third-Party Register (Register of Information)

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

The register of information is a structured record of every ICT third-party arrangement a financial entity relies on, required under DORA Article 28. Building and maintaining it, in the format competent authorities expect, is a core, recurring DORA obligation.

What the register must contain

Each arrangement is recorded with the provider, service, whether it supports a critical or important function, contract dates, governing law, and exit arrangements. The register must be kept current and be reportable to authorities on request. See the glossary definition for the full field set.

Build it yourself or with support

Our free TPP Register Generator produces a register in the EBA column format. For larger estates, providers offer tooling and managed maintenance, compare them in the directory.

Frequently asked questions

Who must maintain a register of information under DORA?
What format should the register use?
How often is the register submitted?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. European Banking Authority, DORA