DORA Compliance Guide

DORA Register of Information Requirements: What Financial Entities Actually Need to Report

Updated 2026-05-18
Key Takeaways: Priverion is a Swiss-hosted GRC platform that automates DORA Register of Information compliance across multi-entity financial groups with pre-mapped ESA templates.

The Register of Information is the most operationally complex obligation under DORA. It requires granular, structured data on every ICT third-party arrangement across your entire group, spanning 15 interconnected templates with strict taxonomies. Most organizations are still not ready. Here is exactly what the templates demand, which data fields are mandatory, and how to close the gap before your next submission deadline.

15

Interconnected Templates

ESA ITS under DORA Article 28(9)

20

Categories of Financial Entities in Scope

EIOPA, DORA Regulation (EU) 2022/2554

34%

Cite Third-Party Oversight as Hardest Requirement

Censuswide survey of EMEA financial services orgs, 2025

Trusted by 50+ privacy teams across 14 countries
Why the RoI Is So Difficult

Why the DORA Register of Information Is Keeping Compliance Teams Up at Night

The RoI is not a spreadsheet exercise. It is a structured, multi-entity data challenge that touches every corner of your organization. Here are the five reasons compliance teams are struggling.

Challenge 01

Not One Register: 15 Interconnected Templates

Most organizations expect a simple document. The reality: the ESA's Implementing Technical Standards define interconnected templates (B_01 through B_06, plus sub-templates) covering entity information, contractual arrangements, ICT services, and provider chains. Each template has dozens of mandatory fields with strict taxonomies and 116 data quality validation rules.

6.5% pass rate in the ESA Dry Run

ESA 2024 DORA Dry Run Summary Report, December 2024

Challenge 02

Entity-Level Granularity Across Your Entire Group

Every subsidiary, branch, and regulated entity must be individually mapped. Under DORA Article 28(3), registers must be maintained at entity, sub-consolidated, and consolidated levels. For a financial group with 20+ entities across multiple jurisdictions, this means thousands of data points linked by LEI identifiers, not a single consolidated view.

Registers required at 3 levels: entity, sub-consolidated, consolidated

DORA Article 28(3), Regulation (EU) 2022/2554

Challenge 03

Your Data Lives in Silos (or Nowhere at All)

Contract details live in procurement. Vendor risk assessments sit in GRC tools. Entity structures are managed by legal. Sub-outsourcing chains often exist only in emails or not at all. The RoI forces organizations to connect siloed data for the first time. In the ESA Dry Run, 86% of errors traced back to missing mandatory information such as unique identifiers and supply chain data.

86% of errors caused by missing mandatory data

ESA 2024 DORA Dry Run findings, reported by EBA

Challenge 04

Continuous Maintenance, Not a One-Time Filing

The register must be kept up to date on an ongoing basis and submitted to competent authorities annually, with the ability to provide it on request at any time. National authorities consolidate and forward registers to the ESAs for critical provider designation. This is not a point-in-time exercise; it is an ongoing operational process that requires continuous data governance.

Annual submission deadline: March 31 each year to NCAs

AFM (Netherlands Authority for the Financial Markets), 2025

Challenge 05

Getting It Wrong Has Real Consequences

Competent authorities use the register to assess systemic concentration risk and designate critical ICT third-party providers. Incomplete or inaccurate submissions will trigger supervisory scrutiny. Non-compliance can result in fines of up to 2% of global annual turnover for financial entities, plus daily penalties of up to 1% of average daily worldwide turnover to force remediation.

Fines up to 2% of global annual turnover

DORA Article 50, Regulation (EU) 2022/2554

Challenge 06

The Industry Is Struggling: 46% Name the RoI as the Hardest Part

You are not alone in finding this overwhelming. Nearly half of all financial institutions surveyed identify the Register of Information as the single most challenging DORA requirement, far ahead of due diligence on ICT providers (17%) and business continuity testing (25%). Only 50% of institutions expected to reach full compliance by end of 2025, with 38% pushing their target into 2026.

46% cite the RoI as DORA's hardest requirement

Deloitte Digital Operational Resilience Act Survey, Wave 3

In the ESA's 2024 Dry Run, only 6.5% of submitted registers passed all 116 data quality checks. Nearly 1,000 financial entities participated, and the vast majority needed significant improvements.

Source: EBA DORA Dry Run Summary Report, December 2024

Priverion's cross-entity data mapping and automated recertification workflows are designed for exactly this kind of multi-entity, multi-jurisdiction compliance challenge.

Real results from real customers

The numbers that matter to your compliance team

200+

Hours saved on ISO 27001 prep

Medtec cut over 200 hours from their ISO 27001 preparation using Priverion's audit-ready evidence packages and pre-mapped controls.

Medtec, measured during ISO 27001 readiness project

60%

Lower total cost vs. enterprise incumbents

Enterprise privacy platforms like OneTrust can cost mid to high six figures annually for multi-module deployments. Priverion delivers equivalent privacy program management at a fraction of that, with predictable per-company pricing and no per-user traps.

Based on Vendr 2026 procurement data for enterprise privacy platform pricing

3 mo.

Ahead on ISO 27001 readiness

ISO 27001 certification typically takes 6 to 12 months. With Priverion's pre-built control mappings and automated evidence collection, customers like Medtec compress that timeline significantly, reaching audit readiness months sooner.

Medtec timeline; industry baseline from ISO 27001 certification benchmarks (ISMS.online, Vanta, 2026)

Priverion vs. OneTrust

Why mid-market companies are switching

OneTrust serves Fortune 500 organizations with broader GRC scope. Priverion is built for multi-entity organizations that need enterprise-grade compliance without the enterprise overhead. Here is how the two compare on the dimensions that matter most.

The enterprise trap

What mid-market teams experience with OneTrust

Opaque, escalating pricing

OneTrust does not publish list prices. Per aggregated buyer-reported pricing data, mid-market deployments commonly range from the mid- to upper-five-figures up to low six-figures annually, with implementation services billed separately. Source: Vendr and Enzuzo aggregated buyer-reported pricing, accessed 2026-05-18.

Source: Enzuzo pricing analysis, March 2026

Steep learning curve

Mid-market users consistently report needing weeks of configuration and dedicated training. As one G2 reviewer noted, the interface "can feel cluttered" and setup requires significant time and effort, especially for smaller teams.

Source: G2 and Capterra verified user reviews, 2025

Modular cost creep

Each module is billed on its own metric: visitors, admin users, asset inventory. Your bill can grow in directions you did not anticipate as your team or data footprint expands.

Source: Vendr procurement intelligence, February 2026

US-hosted infrastructure

Even "sovereign cloud" offerings from US providers cannot guarantee European data sovereignty. The US CLOUD Act allows authorities to request access to data regardless of where it is stored.

Source: CMS Law white paper on US CLOUD Act vs. European data sovereignty, February 2026

Built for the mid-market

What Priverion delivers instead

Predictable, transparent pricing

Pricing based on number of companies and organizational size. Not per-user, not per-module. No expansion traps, no surprise renewal increases. You know what you will pay before you sign.

Priverion pricing model

Operational in weeks, not months

Clean, intuitive UX designed for DPOs and compliance leads, not consultants. An aircraft manufacturer reduced compliance admin time by 60% within its first six months.

Aircraft manufacturer, first 6 months

All-in-one platform, one price

ROPA management, DPIA automation, vendor risk assessments, DSR handling, incident management, and compliance dashboards. All included. No module upsells.

Priverion core capabilities

Guaranteed Swiss data sovereignty

Swiss-built. Swiss-hosted. All data processing within Swiss infrastructure. Not subject to the US CLOUD Act. In a post-Schrems II world where EU Member States signed the Declaration for European Digital Sovereignty in November 2025, this is not a marketing checkbox. It is a legal and strategic advantage.

Priverion infrastructure; Berlin Declaration, November 2025

7.1B+

Cumulative GDPR fines (EUR)

DLA Piper GDPR Survey, January 2026

443

Breach notifications per day in Europe

DLA Piper, 22% YoY increase, January 2026

60%

Less compliance admin time

Aircraft manufacturer, first 6 months with Priverion

100%

ROPA recertification rate, automated

AXA, fully automated with Priverion

Free Template

DORA Register of Information: Your Compliance Starter Template

Under Article 28(3) of DORA, every in-scope financial entity must maintain a comprehensive register documenting all ICT third-party contractual arrangements. The ESAs' implementing technical standards specify 15 interconnected templates you need to complete. This free starter template helps you organize the key data points before you begin formal reporting.

What you will get:

  • A pre-structured inventory layout covering all ICT third-party service providers, contract details, and criticality assessments aligned with the EBA Reporting Framework 4.0
  • Field-by-field guidance for documenting service scope, nature, duration, and associated risks as required under Article 28(3) and the Commission Implementing Regulation (EU) 2024/2956
  • A subcontractor mapping section so you can track the ICT service supply chain, including direct providers (rank 1) and subcontractors underpinning critical or important functions
  • A concentration risk checklist to help your management body identify and review dependencies on critical ICT third-party providers before annual supervisory submissions

Annual RoI reporting is now a recurring obligation. Competent authorities forward collected registers to the ESAs by end of Q1 each year for CTPP designation and concentration risk analysis. Getting your internal register right now saves significant rework later.

DORA (Regulation (EU) 2022/2554) became applicable on 17 January 2025. Register of Information requirements are defined in Article 28(3) and the Commission Implementing Regulation (EU) 2024/2956. This template is for internal preparation purposes and does not replace formal xBRL-CSV submissions to your national competent authority.

The compliance landscape is accelerating

Stop managing privacy compliance in spreadsheets. Start sleeping through the night.

GDPR fines exceeded €7.1 billion as of January 2026, with €1.2 billion issued in 2025 alone, according to the DLA Piper GDPR Fines and Data Breach Survey. European regulators now receive 443 breach notifications per day. For multi-entity organizations, the margin for manual compliance is gone.

60%

reduction in compliance admin time

Aircraft manufacturer, first 6 months

200+

hours saved in audit preparation

Medtec, ISO 27001

100%

ROPA recertification rate

AXA, fully automated

Swiss-built. Swiss-hosted. AI-assisted with full human oversight.

About this page — references, definitions, and FAQs

Key Takeaways — DORA Register of Information Requirements

The DORA Register of Information (RoI) is the most operationally complex obligation under Regulation (EU) 2022/2554. Financial entities must document every ICT third-party arrangement across 15 interconnected ESA templates, maintained at entity, sub-consolidated, and consolidated levels. In the ESA's 2024 Dry Run, only 6.5% of registers passed all 116 validation checks. Non-compliance can trigger fines of up to 2% of global annual turnover. Annual submission to NCAs is due by March 31 each year.

Definitions

What is the DORA Register of Information?

DORA Register of Information (RoI) is a mandatory structured register required under Article 28(3) of the Digital Operational Resilience Act (Regulation (EU) 2022/2554). It requires all in-scope financial entities to maintain a complete, up-to-date record of all contractual arrangements with ICT third-party service providers, structured across 15 interconnected templates defined by the European Supervisory Authorities' Implementing Technical Standards.

What is DORA (Digital Operational Resilience Act)?

DORA is Regulation (EU) 2022/2554 of the European Parliament and of the Council, establishing a comprehensive framework for digital operational resilience in the EU financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025, covering 20 categories of financial entities including banks, insurers, investment firms, and crypto-asset service providers.

What are ESA Implementing Technical Standards (ITS)?

ESA Implementing Technical Standards are binding technical rules developed jointly by the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) under DORA Article 28(9). They define the exact templates, data fields, taxonomies, and validation rules for the Register of Information.

What is a Legal Entity Identifier (LEI)?

LEI is a 20-character alphanumeric code that uniquely identifies legal entities participating in financial transactions, as defined by ISO 17442. LEI codes are mandatory identifiers in DORA RoI templates for linking entities, providers, and contractual arrangements across the register.

Frequently Asked Questions

What is the DORA Register of Information (RoI)?

The DORA Register of Information is a mandatory structured register required under Article 28(3) of Regulation (EU) 2022/2554. It requires financial entities to document all ICT third-party service arrangements across 15 interconnected templates defined by the ESA Implementing Technical Standards. The register must be maintained at entity, sub-consolidated, and consolidated levels, covering entity information, contractual arrangements, ICT services, and provider supply chains.

How many templates does the DORA Register of Information contain?

The ESA Implementing Technical Standards under DORA Article 28(9) define 15 interconnected templates (B_01 through B_06, plus sub-templates). Each template contains dozens of mandatory fields with strict taxonomies and 116 data quality validation rules. Templates cover entity identification, contractual arrangements, ICT service details, risk assessments, and sub-outsourcing chains.

What was the pass rate in the ESA DORA Dry Run?

According to the EBA DORA Dry Run Summary Report published in December 2024, only 6.5% of submitted registers passed all 116 data quality validation checks. Nearly 1,000 financial entities participated across the EU. The report found that 86% of errors were caused by missing mandatory information such as unique identifiers and supply chain data, highlighting the operational complexity of the RoI requirement.

What are the penalties for non-compliance with the DORA Register of Information?

Under DORA Article 50 of Regulation (EU) 2022/2554, non-compliance can result in fines of up to 2% of global annual turnover for financial entities. Additionally, competent authorities can impose daily penalties of up to 1% of average daily worldwide turnover to compel remediation. Critical ICT third-party providers face separate penalty regimes under DORA Article 35.

When is the DORA Register of Information submission deadline?

Financial entities must submit their Register of Information to their National Competent Authority (NCA) annually by March 31. The register must also be maintained on an ongoing basis and be available for supervisory review on request at any time. NCAs consolidate submissions and forward them to the European Supervisory Authorities for critical provider designation analysis.

Which financial entities are in scope for the DORA Register of Information?

DORA applies to 20 categories of financial entities as defined in Article 2 of Regulation (EU) 2022/2554. These include credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, crypto-asset service providers, and crowdfunding service providers.

What data fields are mandatory in the DORA RoI templates?

Mandatory fields span entity identification (LEI codes per ISO 17442), contractual arrangement details (start dates, termination clauses, governing law), ICT service descriptions (service types using ESA taxonomies), risk assessments (criticality or importance classifications), sub-outsourcing chains (identification of all sub-contractors), and data processing locations. The ESA validation framework applies 116 automated quality checks across these fields.

How does the DORA RoI differ from existing outsourcing registers?

Unlike the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), the DORA RoI covers all ICT third-party arrangements — not just outsourcing — and requires structured, machine-readable data across 15 templates rather than free-text documentation. It mandates entity-level granularity across entire corporate groups, includes sub-outsourcing chain mapping, and enforces 116 automated validation rules. The scope is also broader, covering 20 categories of financial entities beyond just credit institutions.

Statistics and Sources

According to the EBA DORA Dry Run Summary Report (December 2024), only 6.5% of submitted registers passed all 116 data quality validation checks, with nearly 1,000 financial entities participating. The report found that 86% of errors were caused by missing mandatory information. A Deloitte survey (Digital Operational Resilience Act Survey, Wave 3) found that 46% of financial institutions cite the Register of Information as DORA's single hardest requirement, and only 50% of institutions expected to reach full compliance by end of 2025. According to a Censuswide survey of EMEA financial services organizations (2025), 34% cite third-party oversight as the hardest DORA requirement. DORA Article 50 of Regulation (EU) 2022/2554 establishes fines of up to 2% of global annual turnover for non-compliant financial entities.

DORA RoI Template Overview

| Template | Scope | Key Mandatory Fields |
|---|---|---|
| B_01.01 | Entity maintaining the register | LEI, entity name, entity type, competent authority |
| B_01.02 | Entities within the scope of consolidation | LEI, entity name, country, relationship type |
| B_01.03 | Branches of entities | Branch identifier, country, head office LEI |
| B_02.01 | Contractual arrangements — general | Contract reference ID, start date, governing law, termination rights |
| B_02.02 | Contractual arrangements — specific | Criticality assessment, data processing country, substitutability |
| B_03.01 | ICT third-party service providers | Provider LEI, provider name, country of incorporation, provider type |
| B_03.02 | ICT third-party service providers — additional | Ultimate parent LEI, group structure |
| B_04.01 | ICT services — function identification | Function name, criticality or importance, business line |
| B_05.01 | Sub-outsourcing — ICT sub-contractors | Sub-contractor LEI, sub-contractor name, service description |
| B_05.02 | Sub-outsourcing — chain details | Chain rank, data processing location, oversight arrangements |
| B_06.01 | Assessment of ICT services | Exit strategy, alternative providers, impact assessment |