What is the DORA Register of Information?
What the DORA Register of Information is, who it is for, what it must cover, and what obligations come with maintaining it.
Covered on this page:
-
Are we expected to provide the RoI outside the annual submission?
-
Do I include arrangements that don't support a critical or important function?
Who is the actual audience — EBA or NCA?
Your primary audience is your national competent authority — your regulator.
The NCA reviews and challenges the data you submit and is the body that will ask questions or request resubmissions. The EBA defines the harmonised technical framework and templates that all Member States must follow, but supervisory scrutiny happens at the national level.
NCAs collect registers from financial entities and forward them to the ESAs — the EBA, EIOPA, and ESMA. The ESAs use this data primarily for the designation of critical ICT third-party service providers.
So while the EBA sets the rules and receives the aggregated data, your direct relationship is with your NCA.
Which parts of the RoI does Copla Registry cover?
Copla Registry covers the full core dataset of the DORA Register of Information as defined by the ITS on registers of information (EU 2024/2956).
This includes all entities, branches, functions, ICT providers, contractual arrangements, supply chain information, assessments, and definitions required for a complete register.
Is X an ICT service or not?
DORA defines ICT services broadly as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.
The "ongoing basis" requirement is the key filter — a one-time purchased service without continuing maintenance, support, or updates is not an ICT service for the purposes of the register.
Beyond that, no bright line exists for many common cases, and the regulation intentionally allows flexibility. The ITS defines 19 service categories that cover most arrangements — from ICT project management and software development to cloud services, data storage, and hardware as a service.
When a service fits clearly into one of these categories and is provided on an ongoing basis, it belongs in the register.
The grey zones are real and acknowledged. Telecoms services fall in — with the explicit exception of traditional analogue fixed-line telephone services, which are excluded by the regulation.
SaaS tools that are arguably business-process rather than ICT, professional services with an ICT component, and hardware leasing arrangements all require judgement.
The questions to apply are: is the service digital in nature, is it provided on an ongoing basis, and does it support a function of your entity?
If yes to all three, the presumption is that it belongs in the register. If you are uncertain, your legal or compliance team should make the call — and if the question concerns payment systems operators or similar, note that specific Q&As from the ESAs on those cases are still under development.
Is the RoI a one-time report or an ongoing obligation?
The Register of Information is an ongoing obligation.
Financial entities are required to maintain and update it continuously as contracts are added, changed, or terminated, and as providers and functions evolve. The annual submission to your NCA is a snapshot of the register at a fixed reference date — it is not the register itself.
Practically, this means the register should reflect the current state of your ICT third-party arrangements at any given time, not only during the reporting cycle.
Are we expected to provide the RoI outside the annual submission?
Yes.
While the formal submission to NCAs for CTPP designation purposes is annual, your NCA can request the register at any time for supervisory purposes.
This is why keeping the register current throughout the year matters — a register that is only accurate at the submission date is not sufficient to meet the ongoing maintenance obligation.
Do I include arrangements that don't support a critical or important function?
Yes — best practice, and the supervisory expectation, is that all ICT contractual arrangements go into the register regardless of whether the supported function is critical or important.
DORA requires financial entities to maintain a register of all ICT third-party arrangements, not only those supporting critical or important functions.
The distinction matters at the submission level: if you have internally assessed that a provider does not support any critical or important function, that assessment is recorded in the register and the relevant fields reflect it. Whether that provider is ultimately included in the submission to your NCA may depend on your NCA's specific instructions. But the arrangement should still be captured in the register itself.