DORA Register of Information
Automated tool for meeting ICT services providers contract requirements
Completing the register of all contractual arrangements in Excel?
5 challenges you probably face
What is the DORA Register of Information Tool?
Timesaving Automation
The tool is an automated, self-guided platform covering all information required by the DORA Register of Information, including contractual arrangements with ICT providers, organizational structure and business function mapping. The solution minimizes the manual workload of creating and maintaining the register.
What takes your work with the information register to a higher level and saves you time is the automation of relationships and of information transfer. A one-time change of a name (supplier, code) in the dictionary propagates to all objects. Contract details, such as dates and contact information, are transferred from parent records to all related records.
Data Integrity
DORA Register of Information’s interface, with its representation of data sets and relationships between them, will help you effectively comply with the broad scope of information to be reported.
Information is integrated in a single data source, which lets you work in natural language instead of incomprehensible alphanumeric codes. When interacting with the DORA Register you work with meaningful business language, and only when the report is exported does the system convert it into the required set of alphanumeric codes. The system also automatically enforces data integrity across the various reports.
DORA Compliance
It guides you through the DORA compliance process related to ICT services providers.
The DORA Register organizes such information as:
- organizational structure (entities and their relationships)
- financial assets and their locations (value of assets)
- business activities (business functions)
- support network (suppliers and contracts)
- expenditure on these supports (contract values)
- potential vulnerabilities (critical functions)
- risk tolerance (threshold parameters for critical functions – risk acceptance level for each supplier).
Why us?
We created the DORA Register because we believe that error-free management of ICT suppliers and constant access to up-to-date reports and contracts ensure compliance with DORA. It can work independently or as a part of our complex system dedicated to big financial companies to support risk management in compliance with DORA, NIS2, and GDPR.
Price
According to DORA regulations, the Information Register includes external ICT providers. Therefore, the price of the tool depends solely on the number of contracts* with ICT providers outside the capital group.
We’ve verified that you can complete the DORA register in 1.5 hours per contract with around 10 ICT services*, while the same task in Excel took us 8 hours.
Calculate your savings and contact an advisor to show you how easy it can be.
*ICT service in the sense of any ICT service, regardless of its criticality, which should be included in the register of information.
FAQ
How does the DORA Register tool support xBRL-CSV reporting for regulatory compliance?
The reports are in the form of CSV flat files, supplemented with metadata in CSV and JSON format, packed in a ZIP archive.
How does the DORA Register tool facilitate compliance with RTS ITS under DORA?
The DORA Register tool significantly facilitates compliance with Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under the Digital Operational Resilience Act (DORA) in several key ways:
Comprehensive Information Management:
The tool provides a structured framework for maintaining the register of information required by DORA. It aligns with the ITS that establishes templates for the register of information, covering contractual arrangements with ICT Third-Party Providers (TPPs) at various levels. This ensures that financial entities can efficiently manage and report on their ICT service providers, supporting compliance with Article 28(9) of DORA.
ICT Risk Management Framework Alignment:
DORA Register incorporates the requirements outlined in the RTS on ICT Risk Management Framework. It helps financial entities implement and maintain a robust ICT risk management system, covering aspects of protection, prevention, detection, and response. This alignment ensures that users of the tool are well-positioned to meet DORA’s ICT risk management obligations.
Incident Classification and Reporting:
The tool integrates the criteria for classifying ICT-related incidents as specified in the RTS. It supports financial entities in identifying and reporting major incidents and significant cyber threats, ensuring compliance with DORA’s incident reporting requirements. This feature aligns with the RTS and ITS on major incident reporting, helping institutions meet their obligations efficiently.
Third-Party Risk Management:
DORA Register facilitates compliance with the RTS specifying the policy on ICT services supporting critical or important functions performed by ICT providers. It helps financial entities manage the lifecycle of third-party arrangements, focusing on critical or important functions. This feature is crucial for meeting DORA’s requirements on third-party risk management.
Automated Compliance Processes:
The tool automates many aspects of DORA compliance, including the generation of reports and maintenance of the information register. This automation helps financial entities meet the detailed requirements of the ITS on standard templates for the register of information, ensuring accuracy and completeness in compliance reporting.
Adaptability to Regulatory Updates:
As a dedicated DORA compliance tool, DORA Register is designed to be updated in line with evolving regulatory requirements. This ensures that financial entities using the tool can adapt to any changes in RTS or ITS without significant disruption to their compliance processes.
Support for Oversight Activities:
The tool aids financial entities in preparing for and responding to oversight activities. It aligns with the RTS on harmonization of conditions enabling the conduct of oversight activities, helping institutions maintain the necessary documentation and processes for regulatory inspections.
Simplified Compliance for Smaller Entities:
For smaller financial entities, DORA Register offers features that align with the simplified ICT risk management framework outlined in the RTS. This ensures that all sizes of financial institutions can effectively use the tool to meet their DORA obligations.
What are the similarities and differences between the DORA Register tool and the ESA Excel Template?
Similarities
Purpose: Both tools aim to help financial entities maintain and update registers of information related to their contractual arrangements with ICT third-party service providers, as required by DORA.
Compliance Focus: They address the ICT third-party risk management requirements of DORA, particularly the need for comprehensive record-keeping of ICT service providers.
Regulatory Alignment: Both tools are designed to meet the requirements set forth by the European Supervisory Authorities (ESAs) for DORA compliance.
Differences
Format and Functionality:
ESA Excel Template: A standardized spreadsheet format provided by regulatory authorities for basic data entry and reporting.
DORA Register tool: A more sophisticated, web-based application offering enhanced functionality beyond basic data entry.
User Interface:
ESA Excel Template: Utilizes a familiar spreadsheet interface, which may be less intuitive for complex data relationships.
DORA Register tool: Features an intuitive interface designed specifically for navigating complex dependencies between ICT providers.
Data Visualization:
ESA Excel Template: Limited to standard Excel charting and pivot table capabilities.
DORA Register tool: Offers advanced visualization of dependencies, allowing users to explore the network of ICT provider relationships more effectively.
Automation:
ESA Excel Template: Requires manual data entry and updating.
DORA Register tool: Provides built-in automation for data updates and report generation, reducing the risk of manual errors.
Collaboration Features:
ESA Excel Template: Limited collaboration features inherent to spreadsheet software.
DORA Register tool: Includes a task management module for distributing responsibilities among team members, enhancing collaborative compliance efforts.
Compliance Checks:
ESA Excel Template: Manual verification of data completeness and compliance.
DORA Register tool: Automated checks for report completeness and compliance with regulatory requirements.
Scalability:
ESA Excel Template: May become unwieldy for large organizations with complex ICT provider networks.
DORA Register tool: Designed to handle complex, large-scale ICT provider ecosystems more efficiently.
Report Generation:
ESA Excel Template: Requires manual formatting and extraction of relevant data for reporting.
DORA Register tool: Offers one-click report generation in required formats, pre-validated for accuracy and compliance.
Regulatory Updates:
ESA Excel Template: May require manual updates as regulatory requirements evolve.
DORA Register tool: Likely to receive regular updates to align with changing regulatory landscapes, ensuring ongoing compliance.
Cost and Accessibility:
ESA Excel Template: Freely available from regulatory authorities, requiring only spreadsheet software.
DORA Register tool: A commercial solution that may involve licensing costs but offers more comprehensive features.
In conclusion, while both tools serve the purpose of DORA compliance, the DORA Register tool offers more advanced features, automation, and user-friendly interfaces compared to the basic functionality of the ESA Excel Template. The choice between them would depend on the size of the financial entity, the complexity of its ICT provider network, and the level of sophistication required in managing DORA compliance.
How does the DORA Register tool support the DORA Framework?
The DORA Register tool significantly supports the DORA Framework through several key features and functionalities:
- Comprehensive Information Management
The tool serves as an automated, self-guided platform that covers all information required by the DORA Register of Information. This includes contractual arrangements with ICT providers, organizational structure, and business function mapping. It effectively minimizes manual workload related to creating and maintaining the register.
- Data Integrity and Automation
DORA Register of Information’s interface represents data sets and relationships between them, ensuring compliance with the broad scope of information to be reported. It automates relationships and information transfer, allowing one-time changes in dictionaries to populate across all objects. This automation extends to contract details, dates, and contact information, which are transferred from parent records to all related records.
- DORA Compliance Guidance
The tool guides users through the DORA compliance process related to ICT services providers. It organizes critical information such as:
  - Organizational structure (entities and their relationships)
  - Financial assets and their locations
  - Business activities (business functions)
  - Support network (suppliers and contracts)
  - Expenditure on these supports
  - Potential vulnerabilities (critical functions)
  - Risk tolerance (threshold parameters for critical functions)
- Reporting to Authorities
DORA Register facilitates the review and distribution of third-party service provider contracts. It integrates with existing enterprise risk management and cybersecurity systems, as well as regulatory channels. The tool can handle the volume of third-party relationships in financial institutions and generate final reports with the required structure and content with a single click.
- Third-Party Risk Management
The tool automates Third-Party Risk Management processes, starting from DORA-compliant questionnaires, through supplier classification with special codes, to generating reports for the Supervision Authority.
- Security Measures
DORA Register implements robust security measures, including:
  - Individual instances for clients with separate databases
  - Two-factor authentication
  - Customizable password policies
  - Automatic expiration of inactive user sessions
  - Data snapshots and backups
  - Regular pentests and source code reviews
  - SSO Azure AD access.
- ICT Provider Classification
The tool supports the classification of ICT providers according to DORA guidelines, including categories such as suppliers supporting critical or essential functions and the 19 specific categories of ICT services identified in Annex 3 of RTS 85.
- Supply Chain Management
Users can expand on the initial supply chain defined by the contract’s main vendor by adding secondary and further vendors, addressing fourth-party and Nth-party provider management.
By providing these features, the DORA Register tool effectively supports financial entities in meeting the requirements of the DORA Framework, ensuring compliance, enhancing operational resilience, and streamlining the management of ICT-related risks and third-party relationships.
What information should we include in the DORA Register of Information?
We have come across views that the register should hold a limited number of details related to ICT 3rd party providers:
- Suppliers and their supply chain
- Entities within the group
- Business functions
- Contracts, binding together the above-mentioned information.
However, there is much more information required that is related to:
1. A comprehensive list of entities and their relationships within the group.
2. Detailed mapping of contracts, including the entities involved in signing, distributing, and utilizing services, categorized by supplier, service type, and the business function addressed.
3. Extensive mapping of provider’s supply chains.
4. Criticality assessment of each entity’s business functions and validation of the ICT provider’s relevance.
What reporting capabilities does the DORA Register have?
The DORA Information Register performs all reporting operations automatically.
Each report containing business data is automatically extracted into a separate CSV file, supplemented by the required metadata files. The entire report is organized into a specified folder structure, and a specific naming convention is applied when it is packed into a ZIP file.
Does the DORA Register integrate with existing systems?
If the regulator offers such a possibility, we will implement integration with the report submission systems.
At the beginning of 2025, the DORA Register will be enhanced with new functionalities: recreating the register in the application from a report that follows the regulator’s specification, and importing information into the register (contract metrics, supplier lists) from other repositories, based on templates downloadable directly from the application.
What security measures does the DORA Register have?
- Individual instances for individual clients (including separate databases for clients).
- Individual user account and password for each application user, with optional additional protection for the application instance.
- Two-factor application user login.
- Ability to define password policy (including password length, requirements for character types, validity periods, number of allowed login attempts).
- Automatic expiration of inactive user sessions.
- Management of application user permissions by permission groups.
- Data snapshots performed on request by an authorized user.
- Automatic source code tests.
- Source code review process and optimization.
- Monitoring that the libraries and components in use are up to date.
- Application pentests performed periodically by specialized external entities.
- Multi-factor logins to the application hosting panel.
- Backups, at the application hosting level.
- Based on GCP infrastructure, provided by the National Cloud Operator, located in the EU.
- SSO Azure AD access.
How to classify ICT providers according to DORA?
Suppliers must be classified according to the detailed guidelines in JC 2023 85, which includes full documentation of the information registry. This implementing technical standard indicates several categories according to which ICT suppliers should be categorized. These include categories such as suppliers supporting critical or essential functions and the 19 specific categories of ICT services identified in Annex 3 of RTS 85. Intra-group suppliers, which are listed in Table RT.02.03, covering intra-group agreements and relationships with non-group suppliers, must also be included in the classification process.
How does the DORA Register handle fourth-party and Nth-party providers?
Users can expand on the initial supply chain defined by the contract’s main vendor, by adding secondary and further vendors to it.
How to transfer the registry from Excel to DORA Register tool?
If you have started creating a registry in Excel, transferring it to the DORA Register tool requires manually entering data on contractual arrangements with suppliers. However, manual entry is much faster because the entered data on ICT suppliers is automatically completed in all data sets, e.g. data related to contracts, supply chains, signatories and many more places.
By transferring the information record to the tool, you also check it for errors. Finally, you save time by generating reports automatically.
Can I purchase the DORA Register Tool in the On-premise variant?
Yes, please sign up for a conversation with our consultant.