Blog
DORA Register of Information Requirements Explained (Guide for EU Financial Entities)
Fiona Jelly,
Founder & CEO of Complyfirst
Under the Digital Operational Resilience Act (DORA), all in-scope EU financial entities must submit a detailed Register of Information. Regulators like the European Banking Authority (EBA) use this Register to monitor ICT dependencies, assess exposure to critical ICT providers, and identify concentration risk across the EU financial system.
Nearly 93.5% of firms failed the dry run at the end of 2024, largely due to data quality problems and incorrect mapping. With mandatory annual reporting beginning in 2025, firms across the EU must improve their approach for the next DORA submission.
Let’s get into it. 💪🏻
TL;DR
The DORA Register of Information is a mandatory EU-wide return that captures a firm’s full ICT service and supply chain. It consists of 15 interconnected tables linked by four keys: contract references, LEIs, function IDs, and ICT service types. 93.5% of firms failed the dry run due to missing mandatory data, weak supply-chain mapping, and inconsistent keys. This guide explains what the Register of Information contains, how to complete it, and how to avoid the common errors identified in the first round of DORA reporting.
What the DORA Register of Information Contains
The DORA Register of Information consists of 15 structured tables that map a firm’s entire ICT environment. These tables are designed to capture all ICT arrangements and the interdependencies across providers and functions.
The Register of Information includes:
- Entity details
- List of entities
- List of branches
- Contract overview
- Contract details
- Intra-group contracts
- Signing entities
- ICT providers
- In-group providers
- Service users
- Subcontractors
- Supply chain
- Functions list
- ICT assessment
- Definitions used
💡 To support standardisation, the Register must be submitted in XBRL-CSV format. It relies on extensive EBA Implementing Technical Standards (ITS) and Data Point Model (DPM) rules that define each data point. These rules determine what must be reported and how the keys must be used consistently.
Who Must Comply and When
Almost all financial entities in the EU must submit the Register of Information, regardless of size or number of ICT contracts. This includes:
- Banks and credit institutions
- e-Money and payments firms
- Investment firms
- Insurers
- Crypto-asset service providers (MiCA + DORA interaction)
- Trading venues
- FinTech and RegTech entities in scope
Frequency of reporting:
- Annual reporting
- Additional reporting when material ICT changes occur (per DORA Articles 28–30)
These timelines mean firms need ongoing governance of ICT data, not just point-in-time collection.
How to Complete the Register of Information (Using the 4 Keys)
Now, most importantly, let’s take a look at the four keys that connect all 15 tables. These keys determine how data links together and form the backbone of the Register.
Key 1: Contract Reference Number
- Unique internal ID for each ICT contract
- Must be consistent across all templates
- Applies to external and internal/intragroup providers
Key 2: Legal Entity Identifier (LEI)
- Required for the contracting entity and each direct ICT provider
- This is a 20-character code unique to each entity
Key 3: Function ID
- This is a unique function ID that you create from the LEI, the licensed activity + the function
- For example, if Salesforce supports your sales team for both your payment and e-money activities, you need two separate function IDs.
Key 4: ICT Service Type (Annex III Codes S01–S19)
- Classifies the service and determines applicable data fields
- Examples include S01 (ICT Project Management) and S02 (ICT Development)
Using these keys correctly is essential because all validation checks rely on them. Take a look at how these keys link across the 15 tables.
Step-by-Step Compliance Checklist
This checklist provides a practical step-by-step process to follow once the four keys are understood.
Step 1: Build the ICT Services Inventory
Begin by capturing all ICT services used across the organisation, including external and intragroup arrangements. Engage operational teams to ensure the list reflects actual usage. This step forms the foundation for the steps to follow.
Step 2: Assess Criticality
Next, determine whether each service supports Critical or Important Functions (CIFs) under Article 3(22). Identify material subcontractors under Article 30(2). This assessment helps determine which additional data fields will apply in later steps.
Step 3: Map the ICT Supply Chain
Once criticality is established, map the supply chain for each service.
- Assign the correct Annex III ICT service type
- Identify direct providers and any material subcontractors
- Rank them appropriately (Rank 1 = direct provider)
- Link all providers using contract references and ICT service types
Below is an example of what an ICT service supply chain looks like in practice.
Your direct ICT providers are always Rank 1.
They may use Rank 2 material subcontractors.
And those may rely on Rank 3 subcontractors.
The key point is that everyone in that chain sits in the same supply chain if they map back to the same contract reference number and the same Annex III ICT service type.
Step 4: Apply the Four Keys Consistently
Then, apply the four keys across every relevant template.
- Use the same contract reference number throughout
- Ensure each provider’s LEI is correct
- Apply Function IDs consistently across business units
- Verify that ICT service types match the service they describe
Step 5: Validate Data Quality
Finally, validate all fields. Check that all fields are complete and accurate. Follow the EBA’s Data Point Model (DPM) dropdown lists and coding rules carefully to avoid misreporting.
💡 Conduct early validation using a test portal to confirm that the dataset meets the submission requirements ahead of the reporting deadline.
Lessons Learned from DORA 1.0
The dry run results show why firms must improve their approach ahead of the next DORA submission.
As mentioned above, 93.5% of firms failed the dry run 😰 meaning only 6.5% passed all 116 validation checks, with most failures being due to missing mandatory data.
Here’s where firms tripped up:
| Missing mandatory data (86% of errors) | Key identifiers were missing: LEI’s for parent entities and ICT providers, Function IDs, ICT service type, Country of provider, Supply chain details. |
|---|---|
| Not using the 4 keys correctly | Firms re-used values that must be unique (contract ref no, function ID etc) which prevents tables from linking correctly. |
| Not following the DPM (Data point model) | Didn’t use the required drop-down values, used free text instead of the allowed codes, or didn’t follow the official DPM structure. |
| FAQs differing from EBA guidance | Firms got stuck when newer FAQs superseded the EBA guidance and working with multiple files + packages. |
| Missing supply chain details | Left supply chain fields blank, didn’t identify subcontractors, didn’t assign ranks, or didn’t link providers correctly. |
| Gap in compliance AND technical knowledge | Teams struggled to fix validation errors + existing vendors couldn’t support or generate the correct files. |
These lessons show where firms should focus in the next submission, particularly on supplier LEIs, service-type mapping, and consistent key usage.
Submit Your DORA Return 90% Faster with Complyfirst
Now, in case you’re wondering how we support firms with their DORA returns, here’s a quick overview. We focus on 4 key things:
1. Easy Uploads and Updates
Easily upload your own files or EBA templates, and reuse last year’s Register to avoid having to start from scratch.
2. EBA Guidance Built into Every Cell
Each cell you’re working in includes direct extracts from official EBA materials to remove having to search across different documents.
3. Real-Time, Plain-English Error Messages
Validate your data as you work, and fix issues with clear “how to fix it” steps.
4. 1:1 Expert Support
Most importantly, we’re here for you! We’re available via Slack, Teams, and Zoom for quick troubleshooting (even on deadline day 😬).
Watch Our DORA ROI Lessons-Learned Webinar with Fiona
After supporting firms through the first full year of DORA, Fiona hosted a live webinar with fscom sharing how financial entities across Europe responded to DORA, and what to do differently for the next submission. Have a watch below.
FAQ
The DORA Register of Information is complex, data-heavy, and strictly validated. Firms must understand the 15-table structure, apply the four keys consistently, and document the full ICT supply chain, including subcontractors. With improved data governance, early preparation, and the right support, firms can avoid the high failure rates seen in DORA 1.0 and ensure smooth 2026 reporting.