dora central register for information

DORA – Central Register of Information

Article IT Advisory Sourcing Advisory Cyber Security & Privacy

In September 2020, the European Commission proposed an entirely new regulatory framework for digital risk management for financial entities and certain critical ICT service providers. The objective? To improve digital operational resilience in the financial sector. DORA entered into force on 16 January 2023 and, from 17 January 2025, will apply to a broad range of financial institutions. Amongst others, these institutions include credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, investment fund managers and ICT suppliers providing services to support critical or important functions within financial institutions

Requirements of DORA

DORA consists of two levels of regulation. The top level legislation contains 62 articles, of which 28 apply to institutions, the other 34 are for the supervisor. These 28 articles are further broken down in 120 sub articles, and cover the following five topics:

  1. IT Risk Management
  2. ICT-related incident management, classification and reporting
  3. Digital operational resilience testing
  4. Managing of ICT third-party risk
  5. Information-sharing arrangements

Level two of the documentation is provided in the form of two Implementing Technical Standards, eight Regulatory Technical Standards, and 1 Guideline further providing specifications to support certain articles in the level one legislative document.

Central Register of Information

This blog focuses on article eight of the level one legislation (Identification), and the Implementation Technical Standard containing templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers (the ITS on outsourcing register). In short, these two sources require institutions to build a register that contains the following information:

  • All ICT supported business functions, roles and responsibilities, information and ICT assets supporting those functions and their roles and dependencies regarding ICT Risk
  • All information and IT assets, network resources and hardware equipment
  • All processes that are supported by external ICT SPs as well as interconnections with these providers where they support critical or important functions.

The ITS on outsourcing register furthermore contains a specification of 132 data fields to be maintained and yield reporting according to 14 reporting templates.

As this register plays a general role in the work to be done for several of the main topics referred to in section 2, Eraneos developed a methodology for building this register. An exercise that should be part of any DORA implementation exercise for it to be successful.

Challenges

Based on our experience, we’ve identified the following challenges in the setup of a central register of information:

  • To yield a complete overview, 15 tables containing approximately 200 data fields must be sourced from typically several different data sources (e.g. CMDB, process administration, IT Risk administration, contract administration, …). Many of these data fields are typically absent and must be added and populated.
  • It is not always clear who is/should be the owner of source systems and their data (especially when new systems need to be implemented to source certain types of data)
  • Data quality in the source systems, as well as referential integrity between source systems is often lacking.
  • A landing platform is required for the data from different source systems to be exported, formatted and combined.
  • The ITS on outsourcing register prescribes a consolidated view on outsourcing arrangements is required, including those from subsidiaries in the group.

Make sure you are ready for DORA!

Join our virtual roundtable on the 20th of June, where leading experts share their practical experiences with DORA. We will talk about the pitfalls, best practices and the latest positions of the regulators.

dora gap analysis

Are you ready to comply with the European regulation?

Eraneos has hands-on experience in supporting the build-up of a Central Register of Information – a centralized database containing combined data from different source systems such as outsourcing administration, CMDB and GRC tooling. This solution provides insight into entities, business functions, processes, and IT Risks, IT assets and contracts existing/supporting these processes. Having such a register will:

  • provide you with direct insight in your entire IT landscape and relations within the landscape (e.g. critical value chains, IT risks existing in certain aspects of your organisation, supply chains and the processes they support, critical or important functions and the processes and contracts that support them);
  • yield demonstrable compliance with DORA L1 regulation, article 8 and the ITS on outsourcing register, and,
  • provide much needed support for other efforts that are part of your DORA program, e.g. by yielding the possibility to prioritize adaptions to processes, contracts and IT assets based on their criticality.

As part of our efforts, Eraneos is able to support with:

  • the identification of source systems;
  • the implementation of a target system to contain the register of information;
  • the connection of source systems to target systems, yielding the Extract, Transfer and Load (ETL) of the required data;
  • the identification of the data fields to be loaded in the central register;
  • the measuring and improvement of the data quality in the source systems, as well as the referential integrity between them, and,
  • the building of the central register of information, as well as the reporting templates required by the level one legislation as well as the ITS on outsourcing register.

More information

For more information on what we can deliver, and investigation whether, and if so Eraneos can add value to your DORA implementation efforts, contact us today!

Camiel Castillo
By Camiel Castillo
Senior Manager – Cyber Security

Knowledge Hub overview