DORA · Art.28 · Register of Information · ICT TPP

DORA ICT Third-Party Provider Register of Information Builder

Build and validate the Register of Information on ICT third-party service provider contracts required by DORA Article 28. Validates entries against the EBA/ESMA/EIOPA Joint ITS template. Intended for all DORA-scoped EU financial entities.

DORA Jan 2025 · Art.28 RoI · ESAs Joint ITS · Zero PII

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Panel 01: Entity & Register Scope
Panel 02: Provider Entries (up to 4)

Enter details for up to 4 ICT third-party service providers. All critical/important providers must be fully documented in the Register of Information.

Panel 03: Art.30 Contractual Provisions
DORA Register of Information
Provider | Service Category | Criticality | HQ Jurisdiction | Exit Strategy | Subcontracting | Contract Type
AP2 Policy Mandate · CC BY 4.0 · Post Oak Labs

Regulatory Citations

[1] Regulation (EU) 2022/2554 (DORA) Article 28 — Register of Information on contractual arrangements with ICT third-party service providers. Financial entities must maintain a complete register and report to competent authorities upon request. Applicable from 17 January 2025.
[2] DORA Article 30 — Key contractual provisions for ICT third-party service provider agreements. Critical/important services must include: service description, SLAs, data location, audit rights, incident notification, exit strategy, and business continuity obligations.
[3] ESAs Joint ITS on Register of Information JC 2023 84 (draft) — Joint ITS from EBA, ESMA, and EIOPA specifying the standardised format and templates for the Register of Information to be submitted to NCAs. Based on DORA Art.28(9).
[4] EBA Single Rulebook Q&A on DORA third-party register requirements — clarifies scope, timing, and content obligations for the Register of Information, including treatment of intra-group ICT service arrangements.
[5] ESMA Guidelines on outsourcing to cloud service providers — sets out expectations for contractual provisions, exit strategies, and security requirements for cloud outsourcing arrangements relevant to DORA Art.30 compliance.