Contents
- Register of information
- Regulatory Requirement
- Core Obligations
- Comprehensive Maintenance and Updating (Entity, Sub-consolidated, Consolidated Levels)
- Mandatory Distinction of Criticality
- Supply Chain Mapping and Ranking
- Annual Reporting to Competent Authorities
- Mandatory Use of Standard Templates (ITS 2024/2956, Annex I–IV)
- Identification Standards (LEI/EUID)
- Intra-Group Contract Mapping
- Classification of ICT Services (Annex III)
- Purpose and Supervisory Significance
- Article 28 (3) DORA
- ITS RoI
Register of information
Regulatory Requirement
Financial entities shall maintain, update and operate a Register of Information (RoI) covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers. This obligation applies at entity, sub-consolidated, and consolidated level. The RoI forms a mandatory component of the ICT risk management framework under Article 6 DORA and constitutes the supervisory basis for oversight of ICT third-party risks and the designation of critical ICT TPPs.
Core Obligations
Comprehensive Maintenance and Updating (Entity, Sub-consolidated, Consolidated Levels)
The RoI must capture all contractual arrangements related to ICT services, and financial entities shall:
- Maintain the RoI at the appropriate structural level (entity, sub-consolidated, consolidated).
- Ensure internal consistency across all levels, particularly in groups.
- Guarantee accuracy, completeness, integrity, uniformity and validity of all data entries (ITS Article 3(4)).
Mandatory Distinction of Criticality
Every contractual arrangement must be documented such that supervisory authorities can distinguish:
- ICT services supporting critical or important functions, and
- ICT services not supporting such functions.
This distinction governs subsequent reporting duties and determines whether subcontractor chains must be recorded.
Supply Chain Mapping and Ranking
The RoI must include a complete ICT service supply chain (ITS Article 1(2)), identifying:
- The direct ICT TPP (rank = 1),
- All subcontractors effectively underpinning ICT services supporting critical or important functions (rank ≥ 2),
- Ranking rules where multiple subcontractors hold identical positions.
The templates B_05.01 and B_05.02 operationalise these obligations with key relational fields.
Annual Reporting to Competent Authorities
Entities must report at least yearly:
- Number of new ICT service arrangements,
- Categories of ICT TPPs,
- Types of arrangements,
- ICT services and supported functions.
Supervisors may request the full RoI or any defined subset at any time. Planned arrangements supporting critical or important functions must be notified in advance.
Mandatory Use of Standard Templates (ITS 2024/2956, Annex I–IV)
The RoI must be maintained using all templates B_01.01 to B_99.01. These templates define:
- Entity identification (B_01.01–B_01.03),
- Contractual arrangements (B_02.01–B_02.03),
- Providers and contracting entities (B_03.01–B_03.03),
- Users (B_04.01),
- ICT TPPs and subcontractors (B_05.01, B_05.02),
- Function mapping and criticality (B_06.01),
- Risk assessment for critical services (B_07.01),
- Closed-list definitions and taxonomies (B_99.01).
Each template contains strict data-format rules (ITS Article 4). Values must be atomic (one value per field); where multiple values apply, additional rows must be added rather than combining several values in one field.
Identification Standards (LEI/EUID)
Financial entities must use:
- LEI or EUID for all ICT TPPs that are legal persons in the EU,
- LEI only for ICT TPPs outside the EU,
- Alternative identifiers only where the provider is an individual acting in a business capacity.
The same convention applies to subcontractors involved in critical-function supply chains.
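The ranking, identifier and one-value-per-field rules above are easy to state and easy to get wrong in a spreadsheet that has grown over several reporting cycles. The following Python is an added illustration (not BaFin's, the ESAs' or any regulator's code) of how an entity might check a draft register before submission: it applies the supply-chain ranking rule (rank 1 for the direct ICT TPP, rank 2 and higher for subcontractors, no gaps in the chain), the identifier convention (LEI or EUID for legal persons in the EU, LEI only outside the EU, alternative identifiers only for individuals), validates LEI check digits per ISO 17442 / ISO 7064 MOD 97-10, and flags fields that carry more than one value. The record layout, field names and the sample register are assumptions constructed for this example and are not the column names of templates B_05.01 or B_05.02; the EU member-state list should be checked against an official source before use.

```python
"""Consistency checks for Register of Information (RoI) provider rows.

Added example, not regulator code. Field names are assumptions for this
illustration, not the ITS template columns.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# ISO 3166-1 alpha-2 codes of the EU member states (constructed list; verify
# against an official source before relying on it).
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}

# ISO 17442: 18 upper-case alphanumerics followed by two check digits.
LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def lei_is_valid(lei: str) -> bool:
    """Check LEI syntax and ISO 7064 MOD 97-10 check digits.

    Letters expand to 10..35 (A=10 ... Z=35); the resulting number must
    leave remainder 1 when divided by 97.
    """
    if not LEI_RE.fullmatch(lei):
        return False
    expanded = "".join(str(ord(c) - 55) if c.isalpha() else c for c in lei)
    return int(expanded) % 97 == 1


@dataclass(frozen=True)
class ProviderEntry:
    arrangement_ref: str          # reference of the contractual arrangement (assumed field)
    provider_name: str
    rank: int                     # 1 = direct ICT TPP, >= 2 = subcontractor
    is_legal_person: bool         # False for an individual acting in a business capacity
    country: str                  # ISO 3166-1 alpha-2 code of the provider
    identifier_type: str          # "LEI", "EUID" or "OTHER"
    identifier: str
    supports_critical_function: bool


def check_identifier(e: ProviderEntry) -> list[str]:
    """Identifier rules for a single row."""
    where = f"{e.arrangement_ref}/{e.provider_name}"
    findings: list[str] = []
    # One value per field: a separator inside the identifier means several values were crammed in.
    if any(sep in e.identifier for sep in (";", ",", "|")):
        findings.append(f"{where}: identifier field carries several values; use one row per value")
    if e.is_legal_person:
        allowed = {"LEI", "EUID"} if e.country in EU_MEMBER_STATES else {"LEI"}
        if e.identifier_type not in allowed:
            findings.append(f"{where}: {e.identifier_type} not permitted for a legal person in {e.country}")
    elif e.identifier_type not in {"LEI", "EUID", "OTHER"}:
        findings.append(f"{where}: unknown identifier type {e.identifier_type}")
    if e.identifier_type == "LEI" and not lei_is_valid(e.identifier):
        findings.append(f"{where}: LEI {e.identifier} fails ISO 17442 format/check digits")
    # EUID syntax is not validated here (assumption: handled by the register tooling).
    return findings


def check_supply_chain(entries: list[ProviderEntry]) -> list[str]:
    """Ranking rules across all rows of one contractual arrangement."""
    findings: list[str] = []
    by_arrangement: dict[str, list[ProviderEntry]] = defaultdict(list)
    for e in entries:
        by_arrangement[e.arrangement_ref].append(e)
    for ref, chain in sorted(by_arrangement.items()):
        ranks = {e.rank for e in chain}
        if 1 not in ranks:
            findings.append(f"{ref}: no rank-1 direct ICT TPP recorded")
        # Several subcontractors may share a rank, but the chain must be continuous.
        missing = sorted(set(range(1, max(ranks) + 1)) - ranks)
        if missing:
            findings.append(f"{ref}: rank gap at {missing}; subcontractor chain is not continuous")
        if len({e.supports_critical_function for e in chain}) > 1:
            findings.append(f"{ref}: criticality flag differs between rows of the same arrangement")
    return findings


def validate_register(entries: list[ProviderEntry]) -> list[str]:
    findings: list[str] = []
    for e in entries:
        findings.extend(check_identifier(e))
    findings.extend(check_supply_chain(entries))
    return findings


# Constructed sample register. "5493001KJTIIGC8Y1R12" is a syntactically valid
# example LEI; the EUID and tax-ID strings are placeholders, not real identifiers.
SAMPLE_REGISTER = [
    ProviderEntry("CA-0001", "CloudCo SE", 1, True, "DE", "LEI", "5493001KJTIIGC8Y1R12", True),
    ProviderEntry("CA-0001", "J. Doe Consulting", 2, False, "DE", "OTHER", "TAXID-EXAMPLE-1", True),
    ProviderEntry("CA-0001", "US Hoster Inc", 3, True, "US", "EUID", "EUID-EXAMPLE-1", True),
    ProviderEntry("CA-0002", "PayGateway Ltd", 1, True, "IE", "LEI", "5493001KJTIIGC8Y1R13", True),
    ProviderEntry("CA-0002", "Backup Vault BV", 3, True, "NL", "EUID", "EUID-EXAMPLE-2", True),
]

if __name__ == "__main__":
    for line in validate_register(SAMPLE_REGISTER):
        print(line)
```

Run as a script, the sample register yields three findings: an EUID used for a non-EU legal person, a LEI whose check digits do not verify, and a missing rank 2 in the second arrangement. Rows for subcontractors of non-critical services are not flagged, since the page only makes their recording mandatory for critical or important functions.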
Intra-Group Contract Mapping
When ICT intra-group arrangements exist, entities must:
- Capture intra-group contracts,
- Link these arrangements to extra-group subcontractors using template B_02.03,
- Ensure that a complete end-to-end service supply chain is represented.
Classification of ICT Services (Annex III)
Each ICT service in the RoI must be categorised using standard identifiers S01–S19, covering project management, development, incident support, ICT security, ICT operations, infrastructure, cloud services (IaaS/PaaS/SaaS), and specialised ICT professional services.
Purpose and Supervisory Significance
The RoI is a central supervisory instrument serving three regulatory objectives:
- Internal ICT Risk Management: Financial entities rely on the RoI to evaluate concentration risks, substitutability, subcontracting depth, exit readiness, and criticality mapping.
- Prudential Supervision and DORA Oversight: The RoI provides competent authorities with a complete, timely, and granular view of ICT third-party landscapes.
- Designation of Critical ICT TPPs (Article 31 DORA): The ESAs use RoI data to determine whether a provider meets the criteria for designation as a critical ICT third-party provider.
Article 28 (3) DORA
ITS RoI
Source:
https://www.bafin.de/SharedDocs/Downloads/DE/Anlage/Informationsregister_Vorlage.html