Preparations for reporting of DORA registers of information

The Digital Operational Resilience Act (DORA) became applicable on 17 January 2025. From that date all financial entities in its scope will need to have a comprehensive register of their contractual arrangements with ICT third-party service providers available at entity, sub-consolidated and consolidated levels. 

The registers of information will serve for:

  • financial entities to monitor their ICT third-party risk,
  • the EU competent authorities to supervise ICT and third-party risk management at the financial entities and
  • the ESAs to designate the critical ICT third-party service provides (CTPP) which will be subject to an EU-level oversight.

This page provides a set of resources to help the financial entities to be ready with the preparation and submission of the registers of information to the competent authorities that will provide the collected registers to the ESAs for the purposes of designation of the CTPPs. The resources provided cover both official reporting starting form 2025 and preparatory dry run exercise the ESAs carried out in 2024.