5 Practical tips for implementing the DORA Register of Information

Jelle Groenendaal
March 24, 2025
5 min read

The DORA Register of Information (RoI) is a new requirement for financial institutions, asking for detailed records of contracts with third-party ICT providers. In this article, we share 5 practical tips to help you implement and maintain an effective DORA RoI that keeps you compliant and strengthens your operational resilience.


The EU’s Digital Operational Resilience Act (DORA) has been in effect since 17 January 2025. Banks, insurers, and other covered financial entities must now keep a complete Register of Information (RoI) listing all contracts with third-party ICT providers.

As a risk professional, you know that maintaining an accurate RoI isn’t just about ticking compliance boxes. It’s also crucial for managing vendor risk and ensuring operational resilience. A well-maintained RoI helps you stay on top of third-party ICT risks while giving regulators the oversight they need to identify critical service providers.

Regulators will start requesting these registers soon and expect them to be complete and up to date. Unlike the 2024 “dry run,” there’s no room for missing details this time.

Our top tips for implementing the DORA Register of Information

Building a Register of Information that meets DORA’s requirements while adding real value to your organisation isn’t easy. From collecting data across different teams to keeping it accurate and accessible, as a financial institution, you face both technical and operational challenges.

In this article, we’ll share 5 practical tips to help you meet DORA RoI requirements and turn your RoI into a valuable asset for your organisation.

Here’s what we’ll cover:

  1. Set up a centralised process for collecting data across teams
  2. Focus on critical and high-risk providers first
  3. Make Register of Information updates part of your regular workflows
  4. Use technology and standards to work more efficiently
  5. Build strong governance while staying flexible

Whether you’re a compliance officer, risk manager, or part of an operations team, we’ll help you understand how to make RoI work for you.

1. Set up a centralised process for collecting data across teams

One of the first challenges you’ll face when starting to build your Register of Information is gathering all the information needed. DORA’s RoI requires many new data fields for each vendor, including details like subcontractors and unique vendor identifiers—information you may not have tracked in your previous outsourcing register.

This data is often spread across different departments: Procurement manages the contracts, IT manages systems and services, and Compliance teams handle risk assessments. Without a coordinated approach, key details can easily be missed or recorded inaccurately. Gathering the data manually also takes a long time.

So, how can you tackle these challenges as a risk professional?

Treat the RoI as an ongoing program, not a one-off project. Create a cross-functional team with members from compliance, IT, vendor management, risk, legal, and business. The role of this team will be to assess all ICT third-party providers and gather the necessary information into a centralised platform, like 3rdRisk (that’s us, by the way 👋).

Here’s how to get started:

  • Create an initial list of your vendors from existing sources like outsourcing registers, vendor lists, accounts payable, and IT asset inventories to make sure nothing is missed.
  • Assign clear ownership for each data field in the RoI template. For example, contract managers handle contract terms, IT architects define the services or systems, risk officers provide risk classification, and the finance team adds the value or spend if needed.
  • Implement a centralised platform as the ‘source of truth’ for all RoI data. This reduces confusion over different versions and helps you track progress as the information comes in.

By centralising data collection and assigning clear responsibilities to individuals from each department, you’ll close information gaps early and won’t have to scramble for missing details when it’s time to report. This is especially important if you’re working for a large organisation or group, where data needs to be collected at entity, sub-consolidated, and consolidated levels.

3rdRisk includes a third-party and contract catalogue optimised for DORA.

2. Focus on critical and high-risk providers first

DORA’s RoI requirement is broad, covering every ICT third-party service provider that you work with. This could mean hundreds or even thousands of contracts, from major cloud providers to niche vendors. You might feel overwhelmed by the volume of data you need to gather across your supply chain.

While not all third-party relationships carry the same risk, documenting each one is still a significant task. A common mistake is tackling the register alphabetically or by department, which can slow you down instead of helping you focus on what matters most.

The best way to start building your RoI is to focus on the high-risk providers first. Here’s how to do this:

  • Take a risk-based approach: Start with the ICT third-party relationships that are most critical to your operations, like providers for banking services, payments, trading systems, or data centres. This helps capture the key information for operational resilience and aligns with regulators’ focus on Critical ICT Third-Party Providers under DORA.
    • Extra tip: prioritise vendor contracts that support critical functions to manage the workload.
  • Organise your vendor list into tiers: Sort vendors based on factors like criticality of the service to your operations, potential impact of an outage, or regulatory classification of the function.
  • Prioritise your work: Start by completing the RoI entries for the top tier. This doesn’t mean ignoring other tiers, but focusing your efforts on what’s most important.
  • Move to the next tier once the first is complete: Once you’ve documented critical providers and validated their data, move on to the next tier. This phased approach helps your team stay on track and ensures the most important third-party information is captured first.

Remember: regulations evolve over time, so be prepared for updates. If regulators or management ask for an update on key outsourcing risks, your register will already have those answers ready.

3. Make Register of Information updates part of your regular workflows

An RoI isn’t something you just create and forget about. DORA requires you to keep it updated regularly. In the rush to meet the compliance deadline, many organisations treat the RoI like a one-time project. But the risk is that after the initial setup, the register can quickly become outdated as new vendors are added, contracts change, or services evolve.

If the RoI isn’t part of your regular workflows, keeping it up to date will become a hassle, and important changes might be missed. To avoid this, make the RoI a regular part of your vendor and risk management routines. This way, whenever there’s a change in your ICT third-party landscape, you update the RoI right away as part of your normal processes.

Examples of how RoI can fit into your existing compliance process

Here are a few ways to make updating the RoI an immediate part of your normal processes:

  • Update on onboarding/offboarding: When a new ICT vendor is contracted or an existing one is offboarded, make updating the RoI a required step in the procurement or vendor onboarding process. You can also use a tool like 3rdRisk to gather the right data. Do the same when key contract terms change or a vendor’s status changes (e.g., they become critical or start using a new subcontractor).
  • Periodic reviews: Set up regular reviews (quarterly or semi-annually) where your cross-functional RoI team checks the register’s accuracy. During these reviews, look for missing entries (cross-reference with accounts payable or IT’s system list) and make sure fields like contact info, contract renewal dates, and service descriptions are up-to-date.
  • Align with risk assessments: Link RoI maintenance to your third-party risk assessment cycle. For example, during annual or biannual risk reviews of vendors, use the opportunity to make sure the RoI data for those vendors is current. This helps keep the RoI fresh and shows that it’s not just for compliance, but a tool for managing risk.

By making RoI updates a regular part of your business processes, you’ll avoid the risk of the data getting outdated. This helps create a habit of keeping the register current, so it remains a trusted tool for both compliance and managing risk.

Plus, it makes audit and regulatory reporting easier since you won’t have to rush to update everything before each submission. The data will already be up-to-date.

Our Health Check Monitor safeguards data quality and completeness, helping you to ensure DORA compliance.

4. Use technology and standards to work more efficiently

Keeping the RoI up to date manually, like using spreadsheets sent by email, is time-consuming and prone to mistakes. During the 2024 dry-run, many companies realised they lacked automated tools and central systems to gather data efficiently. Regulators noted that many still rely on manual processes and scattered data, lacking confidence in producing a DORA-compliant register.

Does this sound familiar to your organisation? If it does, it’s time to invest in a smart tool to make DORA RoI implementation easier.

3rdRisk is a great example of a platform that makes this process easier:

  • Automatic data collection: During third-party onboarding, our platform automatically flags DORA-specific contract data you need to collect, based on the third party's role and risk profile.
  • Simplified onboarding: It includes a supplier registration and onboarding workflow, so you can collect details directly from third parties, cutting down on manual work and improving accuracy.
  • Risk assessment automation: 3rdRisk also has an advanced assessment module that automates the third-party risk assessment. All the collected data integrates seamlessly into your Register of Information.
  • One-click export: When it’s time to report, you can export the RoI in the right regulatory format with just one click, ensuring compliance without the hassle of manual data conversion.
  • Health checks: The 3rdRisk platform shows which required data is missing for ensuring DORA compliance.

3rdRisk lets you export the current, live version of the RoI in the approved regulatory format with one single click.

5. Build strong governance while staying flexible

Regulatory requirements around the RoI are still changing. Implementing DORA’s RoI isn’t a one-time task—it’s an ongoing process. Guidelines can change, templates may get updated, and feedback from early submissions could lead to new instructions.

3rdRisk includes an internal control module with all DORA controls to ensure you are managing all requirements efficiently and effectively.

For example, at the end of 2024, companies discovered that the “latest” Excel template from the EBA didn’t fully match the final Implementing Technical Standards and that some fields were missing. The EBA then announced there wouldn’t be a new Excel template, and companies would need to adjust their data once the official reporting format was confirmed.

These kinds of changes can catch your team by surprise. Without proper governance, your DORA RoI could become non-compliant or be missing important updates. Also, if the information isn’t regularly checked and updated, data quality problems are likely to come up.

Okay, so if regulations keep changing, how do you keep up? Treat the RoI as an ongoing governance matter, with clear ownership and a feedback loop for continuous improvement.

Here’s how:

  • Assign accountability: Choose someone to take charge of the RoI. This person should make sure updates to regulations, like new fields, definition changes, or reporting process tweaks, are quickly added to your RoI.
  • Monitor regulatory updates and guidance: Stay updated on regulatory and industry communications, including the ESAs’ FAQs and RoI guidance. Staying ahead of changes helps you adjust your data well in advance of deadlines. For example, if regulators require an active LEI from all ICT providers, you can gather missing info early. A third-party risk management platform like 3rdRisk helps keep your RoI aligned with the latest regulations.
  • Continuous data quality checks: Set up regular data quality audits for the register using the regulator’s validation rules as a checklist. Check for missing mandatory fields, valid and active identifiers like LEIs, and consistency across entries. The 2024 dry-run showed incomplete registers won’t pass in 2025, so have internal controls to catch errors early. If you find any gaps, like an unfilled field, have a plan to fix it.

3rdRisk offers integrated workflows for managing issues and action plans, ensuring risks, issues, and incidents are addressed efficiently and resolved in a single, streamlined process.
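To make the data quality checks above concrete, here is an added example (not 3rdRisk code, not part of the original article) that audits a few constructed register entries against a hypothetical minimal field set: it flags missing mandatory fields, checks each LEI’s ISO 17442 shape and ISO 7064 MOD 97-10 check digits, and verifies that subcontract entries point at a contract that actually exists in the register. The field names, the sample entries and the LEI prefix are all constructed; a passing checksum says nothing about whether the LEI is registered or active, which still has to be checked against the GLEIF data.

```python
"""Data-quality audit of constructed Register of Information entries (hypothetical minimal schema)."""
import re
from datetime import date

MANDATORY = ("contract_ref", "provider_name", "provider_lei", "function", "start_date")
LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")  # ISO 17442 shape: 18 alphanumerics + 2 check digits

def _mod97(s: str) -> int:
    # ISO 7064 MOD 97-10: letters become 10..35, then the digit string is reduced mod 97
    return int("".join(str(int(ch, 36)) for ch in s)) % 97

def lei_check_digits(base18: str) -> str:
    """Two check digits for an 18-character LEI prefix (used here only to build sample data)."""
    return f"{98 - _mod97(base18 + '00'):02d}"

def is_valid_lei(lei: str) -> bool:
    """Shape and checksum only; does not prove the LEI is registered or active."""
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1

def audit(register: list[dict]) -> list[str]:
    """Return findings for missing mandatory fields, bad LEIs, bad dates and dangling references."""
    findings = []
    refs = {e.get("contract_ref") for e in register}
    for e in register:
        ref = e.get("contract_ref") or "<no ref>"
        for field in MANDATORY:
            if not e.get(field):
                findings.append(f"{ref}: mandatory field '{field}' missing")
        if e.get("provider_lei") and not is_valid_lei(e["provider_lei"]):
            findings.append(f"{ref}: LEI '{e['provider_lei']}' fails format/checksum")
        if e.get("end_date") and e.get("start_date") and e["end_date"] < e["start_date"]:
            findings.append(f"{ref}: end_date precedes start_date")
        parent = e.get("subcontract_of")  # consistency: the parent contract must exist
        if parent and parent not in refs:
            findings.append(f"{ref}: subcontract_of '{parent}' not in register")
    return findings

_BASE = "529900CONSTRUCTED1"  # constructed prefix, not an issued LEI
GOOD_LEI = _BASE + lei_check_digits(_BASE)
BAD_LEI = GOOD_LEI[:-2] + f"{int(GOOD_LEI[-2:]) + 1:02d}"  # check digits off by one

SAMPLE_REGISTER = [  # constructed entries
    {"contract_ref": "C-001", "provider_name": "Example Cloud Ltd", "provider_lei": GOOD_LEI,
     "function": "payments", "start_date": date(2024, 1, 1), "end_date": date(2026, 12, 31)},
    {"contract_ref": "C-002", "provider_name": "Example DC BV", "provider_lei": BAD_LEI,
     "function": "hosting", "start_date": date(2024, 3, 1), "subcontract_of": "C-999"},
    {"contract_ref": "C-003", "provider_name": "", "provider_lei": GOOD_LEI,
     "function": "trading", "start_date": date(2025, 6, 1), "end_date": date(2025, 1, 1)},
]
```

Running `audit(SAMPLE_REGISTER)` reports nothing for C-001, a failed LEI checksum and a dangling `subcontract_of` for C-002, and a missing provider name plus an end date before the start date for C-003.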

Bonus tip: be ready to adapt your processes and RoI as DORA evolves

Adaptability is key. If the EBA or your regulator updates the RoI template or data model, gather your team to review the changes and update your process or tools. If new guidance is released, like how to handle cloud subcontractors or define 'critical' vs 'non-critical' contracts, make sure your internal instructions are updated.

With strong governance and the right tooling, your RoI will stay current and compliant. Over time, this approach will also help you improve the RoI process, making it a more valuable part of your operational resilience framework.

Key takeaways

Remember, DORA compliance isn’t a one-time task: it’s an ongoing process. By keeping your RoI updated, you’ll meet regulatory requirements and strengthen your resilience.

To make your RoI a valuable asset, follow these tips:

  • Organise data collection and prioritise key info.
  • Automate processes to reduce manual work and improve accuracy.
  • Ensure good governance to keep your RoI updated and compliant.

Now is the time to act. Bring your team together, refine your processes, and ensure your RoI is both compliant and effective. This will help you prepare for audits, meet supervisory requests, and manage third-party relationships confidently.

Start with 3rdRisk to easily implement the DORA Register of Information

With 3rdRisk, managing the DORA Register of Information is a lot faster and hassle-free. Our platform automates data collection, risk assessments, and keeps everything in sync, so your RoI stays complete and up to date. By centralising your third-party data, we help you simplify compliance reporting and stay on top of any regulatory changes. With guided video tutorials, implementing and maintaining DORA becomes more straightforward and manageable.

Ready to take control of your third-party risk management? Schedule your demo today and one of our DORA experts will show you how!
