DORApp Blog
DORA Fundamentals

DORA ITS Register (2026 Guide): Implementation Standards

M
ByMatevž Rostaher
DORA ITS Register (2026 Guide): Implementation Standards
its-dora-register-implementation-workspace-showing-structured-reporting-validati.jpg

The DORA Register of Information is not “just a vendor list.” Under the Digital Operational Resilience Act (DORA), the Register is a structured supervisory artifact that must support governance, ICT third-party risk management, and oversight of critical or important functions. The Implementing Technical Standards (ITS) on the Register specify the reporting structure and technical requirements, including standardized tables and an XBRL-based submission format used across the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA). If you are still maintaining the Register in spreadsheets, the main operational challenge is not data entry. It is repeatable validation, evidence of controls, and producing regulator-ready exports without last-minute remediation. If you need a baseline on scope and obligations, start with what is dora.

Contents

  • What the DORA ITS Register requires in practice
  • What “ITS” means for the Register of Information
  • Core implementation obligations for financial entities
  • ITS templates, reporting tables, and what supervisors actually consume
  • Governance and operating model: keeping the Register defensible between submissions
  • How RTS, ITS, and delegated acts change what you need to operationalize
  • Product evaluation: what to look for in an ITS-ready Register workflow
  • Where Dorapp can fit (and where it may not)
  • Strengths and Challenges
  • Selection guide: choosing an ITS Register approach
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What the DORA ITS Register requires in practice

    DORA requires financial entities to maintain a Register of Information on contractual arrangements with ICT third-party service providers (ICT TPPs). The ITS on the Register then standardize how that information must be structured for reporting. Operationally, this shifts the Register from an internal inventory into a controlled dataset that should be consistent across reporting cycles and defensible in supervisory review.

    In most institutions, the ITS-driven pain points appear in three places:

  • Data model complexity: the Register spans entities, branches, functions, contracts, service providers, and ICT service supply chains, with relationships between them.
  • Validation and completeness: small data quality issues (missing identifiers, inconsistent naming, broken references) typically prevent a clean export.
  • Repeatability: supervisors will expect the Register to be maintained as a living control, not rebuilt ad hoc for a submission date.

    • If you are aligning your internal program, it helps to distinguish the Register obligation itself from broader DORA interpretation topics, such as dora regulation explained and the full scope of the digital operational resilience act dora.

    What “ITS” means for the Register of Information

    Within the EU regulatory architecture, Implementing Technical Standards (ITS) specify standardized formats and technical details for how information is reported to competent authorities. For the DORA Register of Information, the ITS define the structure of the Register reporting tables and technical requirements that support consistent supervisory intake across the European Supervisory Authorities.

    From an implementation standpoint, “ITS-ready” typically implies:

  • A clear mapping between your internal data objects (contracts, providers, services, functions) and the ITS reporting tables.
  • Controlled relationships across records (for example, an ICT service tied to a contract, contract tied to the contracting entity, and service linked to critical or important functions where relevant).
  • A regulator-compatible export format, commonly XBRL for the Register submission, depending on current supervisory requirements.

    • Most importantly, ITS readiness is not only a file format question. It is a data governance and evidence question. A spreadsheet can sometimes produce a submission, but it often struggles to evidence controls, approvals, and ongoing maintenance without additional process tooling.

    its-dora-register-of-information-visual-showing-standardized-tables-and-governan.jpg

    Core implementation obligations for financial entities

    At a practical level, implementing the ITS Register usually requires coordination across procurement, vendor management, ICT, risk, and compliance. The work is less about “collecting fields” and more about ensuring the Register reflects operational reality and can be kept current.

    1) Build a reliable inventory of ICT contractual arrangements

    The Register must reflect contractual arrangements with ICT TPPs and, in many cases, the underlying ICT services and related dependencies. If your institution has multiple legal entities or branches, consolidation and normalization become central to the effort. This is where many institutions realize that “vendor,” “service,” and “contract” are not interchangeable objects.

    2) Tie ICT services to governance concepts, not just vendors

    The Register is intended to support oversight, including visibility of dependencies supporting critical or important functions. If your internal taxonomy for functions and criticality is not aligned, you can end up with a Register that is complete but not decision-useful.

    For additional context on how the Register is typically framed, see dora register and dora register of information.

    3) Establish identifier discipline (LEI and legal entity hygiene)

    Supervisory reporting tends to expose weak legal entity hygiene quickly, especially across groups and multinational structures. Many teams underestimate the operational work needed for consistent naming, identifiers, and country data. A common anchor point is the Legal Entity Identifier, depending on your context and what your competent authority expects. Dorapp also publishes background on lei, which can help you frame internal data cleanup decisions.

    4) Operationalize validation before export time

    Institutions that wait until “reporting season” to validate typically face a spike in remediation work. The more defensible operating model is continuous validation, with clear accountability for fixing errors at the source, not in a late-stage reporting sprint.

    ITS templates, reporting tables, and what supervisors actually consume

    Under Article 28 of DORA, the Register of Information is tied directly to ICT third-party risk management supervision. What the regulation actually requires is not only that you maintain the Register, but that you can provide it in a standardized form that competent authorities and the European Supervisory Authorities can ingest and analyze. This is why the ITS focuses heavily on templates, tables, and technical submission structure, not narrative descriptions.

    Here’s the thing: many Register programs fail not because teams do not know their vendors, but because they underestimate how strict table-level consistency can be when the dataset is used for supervisory analytics. Competent authorities and the ESAs may use Register submissions to:

  • Assess whether your ICT outsourcing footprint aligns with your ICT Risk Management Framework and governance under Chapter II.
  • Identify dependencies supporting critical or important functions across entities and groups.
  • Support system-wide analysis, including concentration risk indicators and the designation process for critical ICT third-party service providers under the DORA oversight framework.

    • From a practical standpoint, “templates” should be read as a controlled specification. You typically need to be able to demonstrate that your dataset:

  • Uses consistent identifiers across tables, so relationships can be reconstructed reliably in supervisory systems.
  • Applies closed lists correctly (where the ITS requires standardized values), so validation does not fail at ingestion.
  • Maintains completeness for mandatory fields, including where group structures and cross-border contracting models introduce edge cases.

    • This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance and for interpreting how their competent authority applies the ITS in practice.

    Governance and operating model: keeping the Register defensible between submissions

    What many compliance teams overlook is that the Register becomes a living control once DORA entered full application in January 2025. Supervisors may care about the submission artifact, but they can also ask how you keep it accurate over time, especially when outsourcing changes frequently and responsibilities are split across procurement, ICT, and business owners.

    In most institutions, a defensible operating model for the Register includes:

  • Clear ownership by data domain: provider master data, contract records, ICT service records, and function criticality mapping should each have accountable owners with the authority to enforce quality.
  • Event-driven update triggers: new contracts, renewals, terminations, material changes, and subcontracting changes should drive updates, not only periodic refreshes.
  • Quality gates before approval: validation, remediation, and sign-off steps should be defined so the organization can show that exceptions are handled intentionally rather than left unresolved.
  • Evidence retention: you typically want to retain dataset versions and export artifacts in a way that supports audit and supervisory review, subject to your internal retention policies and any guidance from your competent authority.

    • Now, when it comes to group structures, governance needs one extra layer. If subsidiaries maintain local contracting but the group reports centrally, you typically need standardized definitions for “ICT service,” “contractual arrangement,” and “supply chain,” otherwise consolidation becomes a manual reconciliation exercise with inconsistent outcomes.

    This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance, including proportionality considerations that may apply based on entity type and supervisory expectations.

    its-dora-register-reporting-structure-with-xbrl-style-export-and-supervisory-sub.jpg

    How RTS, ITS, and delegated acts change what you need to operationalize

    The Register sits in a broader technical standards ecosystem. DORA is Regulation (EU) 2022/2554, but the obligations you operationalize are often shaped by Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and Commission delegated acts adopted over time. The ESAs (EBA, ESMA, and EIOPA), through the Joint Committee, develop many of these standards, and the Commission adopts them in the EU legal framework.

    Consider this: if your implementation plan treats the Register as a static template project, you are likely to miss how adjacent standards can change your evidence needs. Examples that can affect Register governance and data requirements include:

  • RTS on subcontracting elements for ICT services supporting critical or important functions: these requirements can affect what you need to capture about supply chains and subcontracting arrangements in a consistent way, and how you assess and approve changes.
  • RTS and ITS for major ICT-related incident reporting: even though incident reporting is a separate pillar, incidents often reveal undocumented dependencies. Many institutions use incident lessons learned to improve service mappings and criticality classification referenced in the Register.
  • RTS on ICT Risk Management Framework and simplified frameworks: your internal governance, classification logic, and accountability model for ICT dependencies may need to align with how you maintain the Register, particularly where critical or important functions are involved.

    • The practical takeaway is that the Register is not isolated. If you are building an “ITS-ready” process, you typically want governance that can absorb technical standard changes without reinventing your dataset each year. Supervisory expectations can also vary by competent authority, so it is prudent to monitor ESA publications and your national supervisor’s communications for reporting instructions and timeline details.

    This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance, particularly when delegated acts or technical standards updates affect operating procedures and reporting controls.

    Product evaluation: what to look for in an ITS-ready Register workflow

    This section evaluates capabilities that typically matter for an ITS DORA Register implementation. It is written for financial entities assessing whether to continue with spreadsheets, extend a general GRC platform, build an internal workflow, or adopt a DORA-focused Register solution.

    Capability 1: A Register data model that matches supervisory structure

    A practical tool should represent the Register as connected objects (entities, branches, contracts, providers, services, supply chains, functions) rather than a single flat list. This matters because the ITS reporting structure is relational, and your institution will need to preserve referential integrity over time.

    Capability 2: Import workflows and controlled data onboarding

    Most institutions start with existing procurement and vendor datasets. Look for predictable import workflows, templates, and sequencing guidance so that relationships between objects are preserved. If imports are flexible but uncontrolled, the Register can become inconsistent, especially across multiple data owners.

    Capability 3: Automated validation against reporting rules

    Validation is a key differentiator between “we can store data” and “we can submit with confidence.” A meaningful Register solution should detect missing mandatory fields, invalid values, and broken relationships early, and it should make remediation actionable for data owners.

    Capability 4: XBRL export support aligned to ESA technical requirements

    Because the ITS is designed for consistent supervisory intake, an export that aligns to ESA technical requirements can reduce manual transformation work and late-stage errors. The export should also create evidence that an export was produced, when, and from which dataset version.

    Capability 5: Evidence and auditability (approvals, gates, audit trail)

    Even if your competent authority focuses on the data, supervisors can still ask how you ensure the Register stays current and accurate. Evidence of review, sign-off, and change history supports defensibility, particularly in group settings where accountability is distributed.

    Where Dorapp can fit (and where it may not)

    Dorapp positions DORApp as a modular, cloud-based platform for DORA execution. Based on available Dorapp documentation, the platform includes a dedicated Register of Information capability (DORApp ROI module) and supports structured import, validation, and regulator-oriented export workflows.

    For the DORA ITS Register specifically, Dorapp documentation indicates the following Register-oriented capabilities:

  • Register modules mapped to ITS tables: the Register is maintained through modules representing the required information set (for example, entities, contracts, ICT third-party service providers, functions, and supply chains), with an internal mapping to the European Supervisory Authorities’ taxonomy.
  • Predefined import templates: Dorapp provides Microsoft Excel templates intended to reduce mapping effort and enforce allowed values during onboarding.
  • Automated validation: the documentation describes validation checks designed to identify noncompliant or incomplete records prior to export, reducing failed submission attempts.
  • DORA Report export: the Register can be exported as an XBRL package described as compliant with ESA taxonomy and technical requirements, and the export is stored as an attached artifact to evidence that reporting output.
  • Audit trail and change tracking: Dorapp documentation describes a system audit trail including record changes, workflow transitions, approvals or sign-offs, timestamps, and rationale, which can support supervisory defensibility.
  • LEI enrichment: the documentation describes automatic LEI validation and enrichment using public LEI sources (GLEIF) for certain record types, which can reduce manual identifier work where name matching is clean.

    • Where Dorapp may not be a fit depends on your operating model. If your institution already has a mature enterprise data platform, a mature vendor master data process, and a reporting engine that can reliably produce the ITS submission with robust evidence, you may prefer to extend existing tooling. In that case, a DORA-specific Register platform may still be useful, but the decision tends to come down to integration effort and ownership boundaries.

    If you want to see the Dorapp workflow in context, the least disruptive next step is often to request a walk-through and test your own dataset import and validation cycle. You can Book a Demo and focus the session on your ITS table mapping, validation outputs, and XBRL export evidence.

    its-dora-register-governance-image-highlighting-validation-discipline-and-eviden.jpg

    Strengths and Challenges

    Strengths

  • ITS-oriented reporting output: Documentation describes XBRL export aligned to ESA taxonomy and technical requirements, which can reduce manual transformation work for the Register submission.
  • Structured Register data model: Managing the Register through connected modules (entities, contracts, providers, services, supply chains, functions) is typically easier to keep consistent than a flat spreadsheet.
  • Validation before export: Automated validation can surface issues earlier, which may reduce submission failures and last-minute remediation.
  • Evidence and traceability: Audit trail, timeline, and export artifacts can support supervisory defensibility and internal assurance.
  • Import accelerators: Predefined Excel templates and defined import sequencing can speed initial onboarding and reduce relationship breakage across modules.
  • LEI enrichment support: Automatic enrichment via GLEIF can improve legal entity hygiene when names match reliably and the LEI is available.

    • Implementation Considerations

  • Data normalization remains your responsibility: Even with templates, you still need internal alignment on what constitutes an ICT service, supply chain, and contract record, especially in complex groups.
  • Name-matching limits for LEI enrichment: The documented enrichment depends on equal names (case-insensitive). If your vendor master is inconsistent, you may need cleanup before enrichment is effective.
  • Process adoption is as important as tooling: A Register tool supports governance, but it does not replace clear ownership, review cadence, and escalation paths across procurement, ICT, and compliance.
  • Roadmap dependencies for broader DORA pillars: Dorapp documentation references additional modules planned or coming later for other DORA pillars. If you want a single platform for all DORA requirements immediately, validate current availability and timelines during evaluation.

    • Selection guide: choosing an ITS Register approach

    An ITS Register implementation choice is usually a decision about operational control and reporting risk. Below are five criteria that tend to predict whether your institution will have a stable, repeatable reporting cycle.

    1) Regulatory alignment depth (ITS structure, not just storage)

    Ask whether your approach can produce the ITS tables and submission format with minimal manual manipulation. If your process relies on ad hoc macros or one-off transformations, it may work once, but it is harder to defend over time. A toolset that is explicitly mapped to the ITS data model can reduce ambiguity and rework.

    2) Data quality controls and validation workflow

    Validation should be operational, not theoretical. You want actionable error reporting, clear ownership of fixes, and evidence that issues were resolved. In practice, an institution that can validate continuously typically has fewer end-of-cycle surprises and a cleaner narrative in audit and supervisory review.

    3) Evidence, audit trail, and approvals

    Supervisory expectations vary by competent authority, but most institutions benefit from being able to show: who changed the Register, when, why, and who reviewed or approved key outputs. This becomes more important in group contexts and when the Register is used to support third-party risk decisions.

    4) Import and integration realism

    Most Register programs start by importing from procurement systems, vendor masters, CMDBs, or contract repositories. The question is not whether you can import, but whether imports preserve relationships, minimize duplication, and avoid breaking the reporting model. Look for sequencing guidance, templates, and predictable reconciliation steps.

    5) Operating model fit (people, cadence, and cross-functional ownership)

    No platform compensates for unclear accountability. Before selecting tooling, clarify:

  • Who owns provider records, contract records, service records, and function mappings.
  • How often the Register is reviewed and how changes are approved.
  • How you handle mergers, outsourcing changes, and supply chain updates.

    • If you are evaluating Dorapp specifically, use the demo to test your most common failure modes: duplicate providers, inconsistent entity names, incomplete contract metadata, and unclear service-to-function mapping. If the tool helps you catch and resolve those issues early, that usually translates into lower reporting risk.

    Frequently Asked Questions

    What is the “ITS DORA Register” in practical terms?

    It typically refers to the DORA Implementing Technical Standards that define the standardized reporting structure and technical requirements for submitting the Register of Information to competent authorities. In practice, it pushes institutions toward a structured dataset that can be exported in a regulator-accepted format (often XBRL) with consistent tables and relationships across contracts, ICT services, and ICT third-party service providers.

    Is the DORA Register of Information mandatory for all financial entities?

    DORA applies broadly across EU financial entities, but specific obligations can vary depending on your classification. Maintaining a Register of Information on contractual arrangements with ICT third-party service providers is a core expectation for many in-scope entities. You should confirm exact scope and any proportionality considerations with qualified counsel and your competent authority’s guidance.

    Does the ITS require XBRL for Register submissions?

    Supervisory technical requirements for the Register are defined in the ITS and associated ESA technical materials. Many institutions prepare for an XBRL-based submission model aligned with ESA taxonomy. Because supervisory expectations can evolve, you should verify the current submission mechanism and technical specifications applicable to your authority before finalizing your reporting workflow.

    What data quality issues most commonly cause failed Register exports?

    Common failure points include missing mandatory fields, inconsistent naming for legal entities or service providers, invalid values in closed lists, and broken references between tables (for example, a service pointing to a non-existent contract). Institutions also struggle with duplicate providers across subsidiaries and inconsistent service-to-function mappings, which can lead to internal contradictions.

    How does LEI help with the Register of Information?

    The Legal Entity Identifier can help normalize legal entity records and reduce ambiguity in reporting, especially for cross-border groups. It may also support internal reconciliation across systems. That said, LEI coverage and naming consistency can vary, and enrichment approaches often depend on clean matching rules. You should validate your identifier strategy against supervisory reporting expectations.

    Can we keep the Register in spreadsheets and still be compliant?

    Some institutions may be able to produce a submission from spreadsheets, particularly if their environment is simple and well-controlled. The risk is operational: spreadsheets often struggle with referential integrity, consistent validation, approvals, and audit-ready evidence over time. If your Register changes frequently or spans multiple entities, you may find that spreadsheets increase remediation effort and reporting risk.

    What should we test in a Dorapp demo for ITS readiness?

    Bring a representative subset of your vendor and contract data and test: import sequencing, duplicate detection behavior, validation error output, and your ability to generate an export artifact suitable for reporting. Also test governance workflows: who can change what, how review or sign-off is captured, and whether the audit trail provides the evidence your internal audit and supervisors typically expect.

    How does Dorapp relate to the broader DORA program beyond the Register?

    The Register is one DORA deliverable, but it touches third-party oversight, governance, and operational resilience decision-making. Dorapp describes a modular platform approach across DORA pillars, with the Register of Information as a core capability and other modules referenced in product documentation. You should validate the current module availability and your integration needs during evaluation.

    How often should the Register be updated?

    DORA expects operational resilience controls to be maintained continuously. For the Register, most institutions adopt an event-driven update model (new contract, termination, material change) combined with periodic review cycles. The right cadence depends on outsourcing volume, organizational complexity, and supervisory expectations. A controlled workflow and validation process can make frequent updates more manageable.

    Where do the official Register templates come from, and do we have to use them exactly?

    The templates are defined through the ITS adopted under Article 28 of DORA and are published through the EU legal process and ESA materials. In most cases, you are expected to report using the standardized structure, including table definitions, relationships, and specified code lists. How strictly competent authorities enforce specific formatting can depend on the submission channel and the ESA technical specifications in force, so you should validate expectations with your competent authority and qualified counsel.

    How does the Register relate to the designation and oversight of critical ICT third-party service providers?

    The Register is designed to provide supervisors and the ESAs with consistent visibility into contractual arrangements and dependencies. It may be used as an input for system-wide analysis, including identifying providers with cross-market significance and supporting the DORA oversight regime for critical ICT third-party service providers. Individual designation decisions are made through the DORA oversight framework and supervisory processes, so institutions should treat the Register as a supervisory dataset, not just an internal inventory.

    Do we need to capture subcontractors and supply chain details in the Register?

    DORA’s third-party risk requirements include expectations around understanding ICT service supply chains, particularly where critical or important functions are supported, and related RTS can specify what should be assessed when subcontracting occurs. In practice, many institutions capture supply chain and subcontracting information in a structured way to support both Register reporting and third-party risk governance. The exact data you need and how it is reported can depend on the ITS table structure and the RTS applicable to subcontracting, subject to supervisory interpretation.

    Will the Register alone satisfy DORA ICT third-party risk management requirements?

    No. The Register is one deliverable under DORA’s ICT third-party risk management obligations, but it does not replace the broader requirements on governance, risk assessment, contractual arrangements, monitoring, and exit strategies under Chapter V. Most institutions use the Register as a controlled dataset that supports those controls and provides evidence during supervisory review, but you should assess your full obligation set with qualified counsel.

    Key Takeaways

  • The DORA ITS for the Register turns the Register into a standardized supervisory reporting dataset, not a simple internal inventory.
  • ITS readiness usually depends on relational data modeling, continuous validation, and defensible evidence of control.
  • XBRL-oriented export requirements can increase the cost of spreadsheet-based approaches, especially for complex groups.
  • Dorapp documentation indicates structured Register modules, validation, import templates, audit trail, and XBRL export artifacts oriented to ESA requirements.
  • A strong selection process tests real data failure modes, not just user interface features.

    • Conclusion

    The DORA ITS Register of Information requirement is best treated as an ongoing control with reporting outputs, not a one-time compliance deliverable. Institutions that invest early in data governance, validation, and evidence typically reduce rework and supervisory risk during submissions. If your current approach relies on spreadsheets or fragmented systems, consider whether your operating model can support repeatable ITS-aligned exports without manual transformation and late-stage cleanup.

    If you are evaluating tooling, a practical next step is to validate your import, validation, and export cycle end-to-end using a real data subset. Dorapp’s documentation suggests the DORApp ROI module is designed for structured Register maintenance and XBRL-oriented reporting evidence. You can Book a Demo to assess fit against your institution’s ITS reporting obligations and governance expectations.

    Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. DORA compliance obligations vary depending on the classification and size of your financial institution. Consult qualified legal or regulatory counsel to assess your specific obligations under the Digital Operational Resilience Act and applicable regulatory technical standards.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.