With the April 30, 2025 deadline for the first submission of the DORA Register of Information on ICT third-party service providers now behind them, financial entities must shift from a one-off reporting exercise to keeping the register accurate and preparing for supervisory review. This article provides guidance on post-submission obligations and best practices.

Understanding the Register Requirement

What is the Register of Information?

Under Article 28(3) of DORA (Regulation (EU) 2022/2554), financial entities must maintain a register of information covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing those that support critical or important functions. The structure and data fields are prescribed by the ESAs' implementing technical standards (ITS) templates. The register serves multiple purposes:

  • Supervisory Oversight: Enables authorities to identify systemic dependencies
  • Risk Management: Supports entity-level third-party risk assessment
  • CTPP Identification: Data source for ESA criticality assessments
  • Concentration Risk Analysis: Reveals sector-wide dependencies on specific providers

Required Information

The register must record, for each contractual arrangement and each ICT service provider (field names below follow the ITS templates in substance, not verbatim):

  • Provider identification details, including the provider's legal entity identifier (LEI or EUID), name, address and country
  • Type of ICT service, classified using the ITS taxonomy of ICT services
  • Whether the service supports a critical or important function, and which function
  • Data and systems covered by the arrangement, including the sensitiveness of the data
  • Locations where services are provided and where data is stored and processed
  • Contract reference, start date, end date and notice periods
  • Governing law of the arrangement
  • Subcontracting arrangements, including the rank of each subcontractor in the chain
  • Substitutability of the provider and whether an exit plan exists

April 2025 Submission: Industry Status

Early Findings

Based on early regulatory feedback, the April 2025 submissions revealed:

  • High concentration in major cloud service providers
  • Extensive use of specialized fintech providers
  • Complex subcontracting chains in many arrangements
  • Significant cross-border service delivery
  • Varying levels of detail and completeness across submissions

Common Submission Challenges

Financial institutions reported difficulties with:

  • Legacy Systems: Incomplete documentation for older arrangements
  • Decentralized Procurement: Difficulty identifying all third-party relationships
  • Subcontractor Visibility: Limited information about providers' subcontractors, particularly beyond the first tier
  • Classification: Determining criticality levels consistently
  • Data Quality: Ensuring accuracy and completeness of information

Ongoing Maintenance Obligations

Continuous Updates Required

The register is not a one-time submission but an ongoing obligation:

  • New Arrangements: Add to the register promptly upon execution; DORA also requires timely notification to the competent authority of planned arrangements supporting critical or important functions
  • Material Changes: Update when services, subcontractors or contracts change significantly
  • Terminations: Record end dates and transition details
  • Annual Reporting: Report at least yearly to the competent authority on new arrangements, provider categories, contract types and services, and verify the full register's accuracy at the same time
  • On-Demand Updates: Make the full register, or the sections requested, available to the competent authority on request

Update Triggers

Update the register when:

  • New ICT service provider relationships are established
  • Existing contracts are renewed or materially amended
  • Service scope or criticality changes
  • Provider changes subcontractors
  • Data locations or processing arrangements change
  • A major ICT-related incident involving a provider changes the criticality or substitutability assessment recorded for the service

Supervisory Use of Register Data

How Authorities Use the Information

Supervisors leverage register data for:

  • CTPP Designation: Identifying candidates for critical provider status
  • Concentration Risk Assessment: Analyzing sector-wide dependencies
  • Thematic Examinations: Focusing on specific providers or service types
  • Risk-Based Supervision: Prioritizing examination topics
  • Cross-Border Coordination: Sharing information with other jurisdictions

What Triggers Supervisory Attention

Factors that may prompt regulatory follow-up:

  • High concentration in single or few providers
  • Critical services without adequate redundancy
  • Inadequate exit strategies or business continuity
  • Gaps or inconsistencies in register data
  • Services in jurisdictions with data protection concerns
  • Complex subcontracting chains with limited visibility

Best Practices for Register Management

Technology Solutions

Implement efficient management approaches:

  • Centralized Platform: Single system of record for all third-party data
  • Automated Alerts: Notifications for contract renewals and updates
  • Integration: Links to procurement, risk, and compliance systems
  • Version Control: Track changes and maintain audit trail
  • Reporting Capability: Export the register in the ITS-prescribed templates, with validation of mandatory fields and identifiers before submission

Governance and Process

Establish robust management processes:

  • Clear Ownership: Designate responsible function (typically third-party risk or procurement)
  • Update Workflows: Defined processes for capturing changes
  • Quality Control: Regular reviews for accuracy and completeness
  • Cross-Functional Input: Business, IT, legal, and compliance involvement
  • Documentation: Maintain evidence of register maintenance activities

Data Quality Assurance

Ensure register reliability through:

  • Regular data validation exercises
  • Reconciliation with contract management systems
  • Provider confirmation of recorded details
  • Internal audit reviews
  • Management attestation processes

Integration with Risk Management

Using the Register for Risk Assessment

Leverage register data to:

  • Concentration Analysis: Identify over-reliance on specific providers
  • Geographic Risk: Assess data location and geopolitical exposures
  • Criticality Mapping: Understand dependencies for critical business functions
  • Subcontractor Risk: Evaluate fourth-party exposures
  • Contract Gaps: Identify arrangements needing remediation
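The data quality checks and concentration analysis above are easier to keep repeatable when they run as code against the register itself. The following is an added example written for this article, not code from the ESAs or any DORA tooling; it uses a simplified, constructed register rather than the ITS templates, and the field names, the 40% concentration threshold and the sample records are illustrative assumptions. It shows the checks a practitioner would automate before each submission: LEI checksum validation (ISO 17442 uses an ISO 7064 MOD 97-10 check, like an IBAN), date sanity, missing exit plans and unknown subcontractors on services supporting critical or important functions, the same LEI recorded under different provider names, and the share of critical services per provider keyed on LEI rather than name.

```python
"""Register validator and concentration summary (illustrative, not an ITS tool)."""
from collections import Counter
from datetime import date

# Simplified record layout; the real register uses the ITS template fields.
REQUIRED = ("provider", "lei", "service_type", "supports_cif", "start", "end",
            "data_location", "subcontractors", "exit_plan")


def lei_checksum_ok(lei: str) -> bool:
    """ISO 17442 LEI: 20 upper-case alphanumerics, MOD 97-10 check (letters A=10..Z=35)."""
    if len(lei) != 20 or not lei.isalnum() or lei != lei.upper():
        return False
    digits = "".join(str(int(c, 36)) for c in lei)
    return int(digits) % 97 == 1


def make_lei(body18: str) -> str:
    """Append MOD 97-10 check digits to an 18-char body (used here to build sample data)."""
    digits = "".join(str(int(c, 36)) for c in body18 + "00")
    return body18 + f"{98 - int(digits) % 97:02d}"


def rec(provider, lei, service_type, supports_cif, start, end, loc, subs, exit_plan):
    return dict(provider=provider, lei=lei, service_type=service_type,
                supports_cif=supports_cif, start=start, end=end,
                data_location=loc, subcontractors=subs, exit_plan=exit_plan)


CLOUD_LEI = make_lei("CLOUDCO00000000001")
# Constructed sample register: providers, LEIs and services are fictitious.
REGISTER = [
    rec("CloudCo", CLOUD_LEI, "hosting", True, date(2023, 1, 1), None, "IE", ["EdgeNet"], True),
    rec("Cloud Co Ltd", CLOUD_LEI, "backup", True, date(2024, 3, 1), date(2027, 2, 28), "DE", [], True),
    rec("CloudCo", CLOUD_LEI, "analytics", False, date(2024, 6, 1), None, "IE", None, False),
    rec("DataHub", make_lei("DATAHUB0000000001X"), "payments", True, date(2022, 5, 1), None, "NL", None, False),
    # LEI with its check digits overwritten ("00" is never a valid MOD 97-10 check).
    rec("FinTech", make_lei("FINTECH00000000002")[:-2] + "00", "kyc", True,
        date(2025, 1, 1), date(2024, 12, 31), "", ["ScreenAPI"], True),
]


def validate(register):
    """Return (row, message) findings; row 0 marks register-wide inconsistencies."""
    findings, names_by_lei = [], {}
    for i, r in enumerate(register, start=1):
        missing = [f for f in REQUIRED if f not in r]
        if missing:
            findings.append((i, f"missing fields: {missing}"))
            continue
        if not lei_checksum_ok(r["lei"]):
            findings.append((i, "invalid LEI"))
        names_by_lei.setdefault(r["lei"], set()).add(r["provider"])
        if r["end"] is not None and r["end"] < r["start"]:
            findings.append((i, "contract end precedes start"))
        if not r["data_location"]:
            findings.append((i, "data location not recorded"))
        if r["supports_cif"]:  # stricter expectations for critical or important functions
            if r["subcontractors"] is None:
                findings.append((i, "subcontractors unknown for CIF service"))
            if not r["exit_plan"]:
                findings.append((i, "no exit plan for CIF service"))
    for lei, names in names_by_lei.items():
        if len(names) > 1:  # same legal entity entered under different names
            findings.append((0, f"LEI {lei} recorded under several names: {sorted(names)}"))
    return findings


def concentration(register, threshold=0.4):
    """Share of CIF-supporting services per provider LEI; threshold is an assumption."""
    cif = [r for r in register if r["supports_cif"]]
    counts = Counter(r["lei"] for r in cif)
    shares = {lei: n / len(cif) for lei, n in counts.items()}
    flagged = sorted(lei for lei, s in shares.items() if s > threshold)
    return shares, flagged


if __name__ == "__main__":
    for row, msg in validate(REGISTER):
        print(f"row {row}: {msg}")
    shares, flagged = concentration(REGISTER)
    print("shares:", shares)
    print("over threshold:", flagged)
```

Keying the concentration on LEI rather than on the free-text provider name is what exposes the two CloudCo entries as one dependency; the same reconciliation step catches the naming inconsistency that a supervisor would otherwise read as a data-quality gap.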

Risk-Based Prioritization

Use register information to prioritize:

  • Which providers require enhanced due diligence
  • Where to focus ongoing monitoring efforts
  • Which contracts need updating for DORA compliance
  • Where concentration risk mitigation is needed
  • Exit strategy development and testing priorities

Common Register Deficiencies

Issues Identified by Supervisors

Early supervisory reviews have found:

  • Incomplete Coverage: Missing service providers, especially for legacy systems
  • Inadequate Classification: Inconsistent or unsupported criticality assessments
  • Limited Subcontractor Details: Insufficient visibility into provider dependencies
  • Generic Descriptions: Vague service descriptions lacking specificity
  • Missing Exit Strategies: Inadequate contingency planning documentation

Remediation Approaches

Address deficiencies through:

  1. Gap Analysis: Compare register against actual contracts and services
  2. Provider Outreach: Request missing information from service providers
  3. Enhanced Documentation: Improve detail and specificity of entries
  4. Validation Exercises: Verify accuracy with business and IT stakeholders
  5. Systematic Updates: Implement processes to prevent future gaps

Preparing for Supervisor Inquiries

Likely Supervisor Questions

Be prepared to answer:

  • "How did you identify all ICT third-party arrangements?"
  • "Explain your methodology for assessing criticality"
  • "Describe your concentration risk in [specific provider]"
  • "What are your exit strategies for critical providers?"
  • "How do you keep the register current?"
  • "Provide evidence of business continuity arrangements"

Supporting Documentation

Maintain readily available:

  • Source contracts for all register entries
  • Criticality assessment methodology and results
  • Due diligence files for significant providers
  • Business impact analyses
  • Exit strategy documentation and testing results
  • Evidence of ongoing monitoring activities

Special Considerations

Group-Level Register Management

For financial groups:

  • Consolidation Approach: DORA requires the register to be maintained at entity level and, where applicable, at sub-consolidated and consolidated level; decide how each level is populated and which entity submits
  • Shared Services: Properly reflect group-wide service arrangements
  • Consistency: Ensure uniform classification across entities
  • Coordination: Central oversight with local input

Cross-Border Arrangements

For international service delivery:

  • Clearly document all data locations and processing jurisdictions
  • Address data transfer mechanisms and legal bases
  • Consider multiple supervisory authority requirements
  • Assess geopolitical and regulatory risks

Forward-Looking Considerations

CTPP Implications

As CTPPs are designated:

  • Update register to reflect provider's critical status
  • Document how ESA oversight affects your risk assessment
  • Adjust due diligence approaches for critical vs. non-critical providers
  • Monitor CTPP oversight outcomes and incidents

Evolving Requirements

Stay alert to:

  • Potential changes to register format or content requirements
  • Enhanced expectations based on supervisory findings
  • Industry standards and best practices emerging
  • Technology solutions for register management

Key Takeaways

  • Register maintenance is an ongoing obligation, not a one-time exercise
  • Data quality and completeness are critical for supervisory confidence
  • Leverage register data for entity-level risk management
  • Prepare for supervisory inquiries with supporting documentation
  • Implement technology and governance for efficient maintenance
  • Remediate any gaps or deficiencies identified in initial submission
  • Monitor CTPP developments and update register accordingly

Conclusion

The DORA Register of Information is a cornerstone of the third-party risk management framework. By maintaining accurate, complete, and current register data, financial institutions not only meet regulatory obligations but also enhance their own understanding and management of ICT dependencies. As the ESAs utilize this information for CTPP designations and supervisory priorities, the quality of your register will increasingly impact regulatory interactions and expectations.