The Digital Operational Resilience Act became applicable on 17 January 2025, and by 30 April 2025 every financial entity in scope had to deliver its Register of Information (RoI) on ICT third-party arrangements to its national competent authority for onward submission to the European Supervisory Authorities (ESAs). National deadlines clustered between 31 March and 15 April depending on jurisdiction — Austria opened first on 31 March, Ireland followed on 4 April, Belgium on 10 April, Luxembourg on 15 April — with the consolidated submission to the ESAs due 30 April. Roughly a quarter million ICT-service contracts across European banks, insurers, asset managers, and trading venues were inventoried against 105 prescribed data points. The exercise revealed where third-party risk management actually was, rather than where firms had previously claimed it to be.
What was actually filed?
The Register of Information is defined by the Implementing Technical Standards adopted under DORA Article 28(9) and operationalised by Commission Implementing Regulation (EU) 2024/2956. It comprises four mandatory templates and several sub-templates that, taken together, require firms to disclose:
- Every ICT third-party service provider (TPP) by legal entity, including the LEI, country of registration, and ultimate parent;
- Every contractual arrangement with each TPP, distinguishing between intragroup and external, and identifying which support a critical or important function (CIF);
- The full subcontracting chain to the extent it supports a CIF — including subcontractors of subcontractors where the chain materially contributes to delivery;
- The function each contract supports, mapped to a standardised function taxonomy;
- The location of data and processing, including any third-country processing;
- A liability and exit-strategy assessment for each CIF-supporting contract.
The 105 data points are spread across these templates and include identifying information, contractual metadata, risk classification, and service-delivery characteristics. The LEI requirement deserves special note: every TPP, including small SaaS vendors that had never registered for a Legal Entity Identifier, had to obtain one or be flagged as deficient. This single requirement created weeks of work for procurement teams.
Who is in scope and what did regulators learn?
DORA applies to twenty categories of financial entity, including credit institutions, investment firms, payment institutions, central counterparties, trading venues, central securities depositories, crowdfunding service providers, and crypto-asset service providers. Microenterprises receive a lighter, principles-based variant, but they still file an RoI. EIOPA, EBA, and ESMA reported that 27 EU/EEA national competent authorities had collected RoIs from approximately 22,000 financial entities in time for the 30 April deadline, of which roughly 18,500 met the structural validation gates.
What competent authorities learned from the first submission can be summarised in four findings:
- LEI gaps were endemic. A large fraction of small TPPs — typically niche SaaS or local managed-service providers — did not hold LEIs at the deadline. The ESAs accepted submissions with provisional identifiers but flagged them for follow-up.
- Subcontracting chains were under-disclosed. Many filings stopped at the direct contractual counterparty. Where the DORA ITS requires disclosure of subcontractors supporting a CIF, several jurisdictions raised follow-up questions about cloud provider sub-processors, particularly hyperscaler regional services.
- Function taxonomy was inconsistent. Firms classified the same service (for example "core banking platform hosting") under different functions, making cross-firm aggregation difficult for the ESAs' designation of critical TPPs.
- CIF-status disagreement between business and risk functions surfaced in audit. A trading-floor team treats market-data feeds as critical; the chief risk officer's residual-risk calculation may not.
What is happening with critical TPP designation?
The RoI is not just a compliance artefact — it is the data substrate for the designation of critical ICT third-party service providers (CTPPs) under Article 31 DORA. CTPPs become subject to direct oversight by a lead overseer (one of the three ESAs depending on the dominant financial sector served). The ESAs announced in mid-2025 their timeline for the designation process: technical analysis of the consolidated RoI through Q3 2025, draft designations communicated to providers in Q4 2025, and the first cohort of formally designated CTPPs published in early 2026.
The criteria under the delegated act adopted in 2024 weigh four factors: systemic impact on financial sector stability if the provider failed, criticality of the financial entities relying on the provider, reliance and substitutability, and aggregate number of financial entities supported. Hyperscale cloud providers (AWS, Microsoft Azure, Google Cloud), large core-banking platform vendors, market-data utilities, and some specialised post-trade providers were widely expected to receive designation in the first cohort.
Article 28(9) DORA — RoI Submission Sequence (2025)
+-------------------+      RoI ITS template        +---------------------+
| Financial entity  | ---------------------------> | National competent  |
| (~22,000)         |  105 data points/contract    | authority           |
+-------------------+                              +---------------------+
                                                             |
                                                  consolidated NCA submission
                                                             v
                                                  +-----------------------+
                                                  | EBA / EIOPA / ESMA    |
                                                  | Joint analysis +      |
                                                  | CTPP designation      |
                                                  +-----------------------+
What are the supervisory powers and penalties?
DORA does not set a single Union-wide administrative-fine ceiling. Article 50 leaves penalty levels to Member States, requiring only that they be "effective, proportionate and dissuasive." Several Member State implementing laws have set fines at up to 1% of average daily worldwide turnover per day of continuing breach for legal persons, and up to €1 million for natural persons, with multipliers for repeat or wilful breaches. Italy's Legislative Decree 23/2024 and Ireland's S.I. No. 670/2024 are illustrative.
For CTPPs, the ESAs as lead overseers have a different toolkit. They can issue recommendations, order corrective measures, and, in the case of non-cooperation, impose periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover under Article 35(6). They can also recommend to competent authorities that financial entities pause or terminate contracts with non-cooperative CTPPs — a powerful indirect lever.
How are firms responding?
The April 2025 deadline produced a year-long cleanup. Three patterns are visible across the larger institutions:
- Procurement-engineering co-tooling. Firms that had treated procurement and TPRM as separate functions are now sharing a single TPP master record across both, with the RoI 105 fields as the canonical schema. The LEI is the join key.
- Subcontracting-chain instrumentation. Banks that found themselves blind to fourth-party services are demanding sub-processor lists from cloud providers and SaaS vendors as a contractual right, and they want them in machine-readable form. Vendors who ship a quarterly PDF are losing renewals.
- Function-taxonomy alignment. The CIF designation process is being moved from a manager-by-manager judgement to a controls-based assessment using residual risk, recovery time objectives, and impact tolerance — and the result is being persisted in the RoI.
Smaller insurers and asset managers, particularly those reliant on a single core platform vendor, have raised concentration-risk concerns. The ESAs' designation of a CTPP that they rely on will not relieve them of contractual lock-in; it just makes the lock-in visible.
What should defenders do now for the 2026 cycle?
The RoI is not a one-off. Article 28(3) requires it to be maintained on an ongoing basis, with the 2026 submission expected on a similar April cadence (jurisdictions are confirming exact dates). Four steps are common in mature programmes:
- Persist the RoI in a system, not a spreadsheet. The 105 fields are tractable in a relational model; they are unmanageable in Excel beyond a few hundred contracts.
- Capture sub-processor changes in real time from your top three CIF providers. Cloud and core-banking vendors publish sub-processor notices on a feed; ingest them.
- Run quarterly reconciliations between RoI entries and procurement contract data, with mandatory closeout of discrepancies before quarter-end.
- Treat the 2026 CTPP designation list as a concentration-risk trigger: if more than one CIF runs on a single CTPP, build an explicit exit plan even if no incident is in sight.
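The following is an added example, not code from the article and not Safeguard's product: it models the first, third and fourth steps above (a relational store for the register, a reconciliation against procurement data on the LEI join key, and the concentration-risk trigger) together with the LEI check that the 2025 filing turned into weeks of procurement work. The table and column names are simplified assumptions rather than the ITS template fields, and every provider, LEI prefix, contract reference and the "designated CTPP" set are constructed for illustration; the LEI validation itself follows ISO 17442's ISO 7064 MOD 97-10 check digits.

```python
"""Added example (not the article's code, not Safeguard's): a minimal SQLite
model of a Register of Information with ISO 17442 LEI validation (ISO 7064
MOD 97-10 check digits), a reconciliation of RoI entries against procurement
data on the LEI join key, and a concentration-risk trigger for a designated
CTPP carrying more than one CIF. All names and records below are constructed."""
from collections import defaultdict
import re
import sqlite3

LEI_PATTERN = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")

def _to_digits(s: str) -> str:
    # ISO 7064 expansion: letters A..Z become 10..35, digits stay as they are.
    return "".join(str(int(ch, 36)) for ch in s)

def lei_is_valid(lei: str) -> bool:
    """A 20-character LEI is valid when its digit expansion mod 97 equals 1."""
    return bool(LEI_PATTERN.match(lei)) and int(_to_digits(lei)) % 97 == 1

def make_lei(prefix18: str) -> str:
    """Append MOD 97-10 check digits to an 18-character prefix; used only to
    build the constructed sample LEIs so that they pass validation."""
    assert re.fullmatch(r"[A-Z0-9]{18}", prefix18), "prefix must be 18 chars of A-Z/0-9"
    return f"{prefix18}{98 - int(_to_digits(prefix18 + '00')) % 97:02d}"

# Constructed sample identifiers for fictional providers (assumptions).
CLOUD_LEI = make_lei("529900CLOUD0000000")   # treated as a designated CTPP below
CORE_LEI = make_lei("529900COREBANK0000")    # core-banking platform vendor
SAAS_ID = "PROVISIONAL-0001"                 # small SaaS vendor with no LEI yet

SCHEMA = """
CREATE TABLE provider (lei TEXT PRIMARY KEY, name TEXT NOT NULL, country TEXT NOT NULL);
CREATE TABLE roi_contract (contract_ref TEXT PRIMARY KEY,
    provider_lei TEXT NOT NULL REFERENCES provider(lei), function_name TEXT NOT NULL,
    supports_cif INTEGER NOT NULL CHECK (supports_cif IN (0, 1)));
CREATE TABLE procurement_contract (contract_ref TEXT PRIMARY KEY,
    provider_lei TEXT NOT NULL, status TEXT NOT NULL);
"""
PROVIDERS = [(CLOUD_LEI, "Example Cloud Hyperscaler", "IE"),
             (CORE_LEI, "Example Core Banking Vendor", "LU"),
             (SAAS_ID, "Example HR SaaS", "AT")]
ROI_CONTRACTS = [  # (contract_ref, provider_lei, function_name, supports_cif)
    ("C-001", CLOUD_LEI, "core banking platform hosting", 1),
    ("C-002", CLOUD_LEI, "market data distribution", 1),
    ("C-003", CORE_LEI, "core banking platform hosting", 1),
    ("C-004", SAAS_ID, "HR self-service", 0),
    ("C-005", CORE_LEI, "payments processing", 1)]   # absent from procurement
PROCUREMENT = [  # (contract_ref, provider_lei, status)
    ("C-001", CLOUD_LEI, "active"),
    ("C-002", CORE_LEI, "active"),      # procurement names a different provider
    ("C-003", CORE_LEI, "active"),
    ("C-004", SAAS_ID, "active"),
    ("C-006", CORE_LEI, "active"),      # active contract never entered in the RoI
    ("C-007", CORE_LEI, "terminated")]  # terminated, so not expected in the RoI

def build_register() -> sqlite3.Connection:
    """Create the in-memory register and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO provider VALUES (?, ?, ?)", PROVIDERS)
    conn.executemany("INSERT INTO roi_contract VALUES (?, ?, ?, ?)", ROI_CONTRACTS)
    conn.executemany("INSERT INTO procurement_contract VALUES (?, ?, ?)", PROCUREMENT)
    return conn

def reconcile(conn: sqlite3.Connection) -> dict[str, list[str]]:
    """Quarterly-style reconciliation; every finding is a discrepancy to close out."""
    findings: dict[str, list[str]] = {"invalid_lei": [], "missing_in_procurement": [],
                                      "lei_mismatch": [], "missing_in_roi": []}
    for (lei,) in conn.execute("SELECT lei FROM provider ORDER BY lei"):
        if not lei_is_valid(lei):
            findings["invalid_lei"].append(lei)
    joined = conn.execute("""SELECT r.contract_ref, r.provider_lei, p.provider_lei
        FROM roi_contract r LEFT JOIN procurement_contract p USING (contract_ref)
        ORDER BY r.contract_ref""")
    for ref, roi_lei, proc_lei in joined:
        if proc_lei is None:
            findings["missing_in_procurement"].append(ref)
        elif proc_lei != roi_lei:
            findings["lei_mismatch"].append(ref)
    unregistered = conn.execute("""SELECT p.contract_ref FROM procurement_contract p
        LEFT JOIN roi_contract r USING (contract_ref)
        WHERE r.contract_ref IS NULL AND p.status = 'active' ORDER BY p.contract_ref""")
    findings["missing_in_roi"] = [ref for (ref,) in unregistered]
    return findings

def concentration_triggers(conn: sqlite3.Connection,
                           designated_ctpps: set[str]) -> dict[str, list[str]]:
    """Designated CTPPs carrying more than one CIF, i.e. where an exit plan is due."""
    by_provider: dict[str, list[str]] = defaultdict(list)
    for lei, fn in conn.execute("""SELECT provider_lei, function_name FROM roi_contract
        WHERE supports_cif = 1 ORDER BY provider_lei, function_name"""):
        by_provider[lei].append(fn)
    return {lei: fns for lei, fns in by_provider.items()
            if lei in designated_ctpps and len(fns) > 1}

def run_example() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    conn = build_register()
    # The designation set is an assumption; the real list comes from the ESAs.
    return reconcile(conn), concentration_triggers(conn, {CLOUD_LEI})
```

Running `run_example()` on the constructed data reports the provisional identifier as an invalid LEI, C-005 as present in the register but unknown to procurement, C-002 as a provider mismatch between the two systems, C-006 as an active contract missing from the register, and the cloud provider as a designated CTPP carrying two critical or important functions. The same three queries scale to a real register because both sides are keyed on the contract reference and the LEI rather than on vendor names, which is exactly the join that spreadsheet-based registers lose.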
How Safeguard Helps
Safeguard's TPRM workflows ingest the RoI 105-field schema natively and link each ICT provider to its SBOMs, known vulnerabilities, and ongoing security posture, so the register is a living artefact rather than an annual scramble. Policy gates evaluate each contract against the DORA Article 28 risk-management criteria, flagging missing exit clauses, undefined recovery time objectives, or unverified subcontracting chains before contract signature. Griffin AI maps which financial-services workloads depend on which CTPPs and quantifies blast radius if a designated provider experiences a major incident, giving CIOs the data needed for Article 11 ICT business-continuity planning. VEX and CSAF ingestion lets institutions correlate provider-disclosed vulnerabilities against the RoI, so a CVE in a CTPP's product is automatically tied to every dependent CIF. Compliance automation produces the structured XBRL/CSV export the ESAs expect, with reconciliation evidence that auditors can trace back to source.