EU DORA Register of Information
Detects extracts and working copies of the DORA Article 28(3) register of information on contractual arrangements with ICT third-party service providers, including the ESAs' Implementing Regulation (EU) 2024/2956 template content (contractual arrangement reference numbers, provider LEIs, ICT service supply chain, critical or important function flags). The register maps a financial entity's entire ICT outsourcing estate and its concentration risk; disclosure exposes supplier dependencies and attack surface.
- Type
- keyword_proximity
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: honest topic matcher, not an identifier detector. The Article 28(3) phrase 'register of information' and the ITS field name 'contractual arrangement reference number' are regulation-specific terms of art, and the 85 tier additionally requires DORA register vocabulary (Regulation (EU) 2022/2554, critical or important function, LEI, ICT service supply chain) or B_xx.xx template codes. Compliance-consultancy and news content about DORA uses the same vocabulary and is suppressed only by noise exclusions.
- Jurisdictions
- eu
- Regulations
- Regulation (EU) 2022/2554 (DORA), Implementing Regulation (EU) 2024/2956
- Frameworks
- ISO 27001
- Data categories
- financial, governance, security
- Scope
- wide
- Risk rating
- 6
Pattern
(?i)\b(?:register\s+of\s+information|contractual\s+arrangement\s+reference\s+number|ICT\s+third[\s-]party\s+service\s+provider)\b
Corroborative evidence keywords
register of information, contractual arrangement reference number, ICT third-party service provider, Regulation (EU) 2022/2554, DORA, critical or important function, ICT intra-group service provider, ICT service supply chain, type of ICT services, LEI, competent authority, contractual arrangement, subcontractor, substitutability, exit strategy, board, committee, governance, compliance, fiduciary (+10 more)
Proximity: 300 characters
Should match
Register of Information — entity level, reporting reference date 31/03/2026. B_02.01 Contractual arrangements — general information. Contractual arrangement reference number: CAR-2026-00187. ICT third-party service provider: CloudCore Services GmbH, LEI 529900T8BM49AURSDO55. Type of ICT services: S02 — cloud computing resources. Supporting a critical or important function: Yes (F-07 retail payment processing).— Register extract with ITS 2024/2956 template code and field valuesAttached for submission to the competent authority under Article 28(3) of Regulation (EU) 2022/2554 (DORA) is our register of information covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing arrangements that support a critical or important function. New entries this quarter run from contractual arrangement reference number CAR-2026-0201 to CAR-2026-0219.— Annual register submission memo to the competent authorityB_05.02 ICT service supply chain: rank 1 — direct ICT third-party service provider NordicHost ApS (LEI 549300HHFXW9BQOKF824); rank 2 — subcontractor DataVault OU providing storage of data. Substitutability assessment: difficult to substitute. Exit strategy agreed for the contractual arrangement; reintegration considered not feasible.— Supply chain template rows with rank and substitutability fields
Should not match
The ESAs issued a press release reminding financial entities that the first register of information submissions under DORA are due in April, and that reporting via the competent authorities will use the harmonised formats.— Regulator press release about register submission deadlinesJoin our DORA readiness webinar: what belongs in the register of information, how to assign a contractual arrangement reference number, and how supervisors will use your submission. Register now — places are limited.— Consultancy webinar marketing about the registerThis tutorial for new compliance staff explains what an ICT third-party service provider is under DORA and walks through a sample register of information built from placeholder vendor names.— Internal training tutorial with sample register content
Known false positives
- Compliance-consultancy marketing, webinars, and law-firm client alerts discussing the register of information Mitigation: Negative keyword exclusion: 'press release', 'webinar', 'explainer', 'newsletter', 'blog post', 'consultation paper'. Concept-class collision is inherent: consultancy content uses the regulation's own vocabulary and can only be suppressed, not eliminated.
- The regulation or ITS text itself quoted in policy memos, procedures, or legal analysis Mitigation: Higher tiers require co-occurring register field values (template codes, reference numbers, LEI) rather than bare Article 28(3) phrasing; residual matches on quoted text are expected for a topic classifier
- Training material and sample registers with placeholder data Mitigation: Shared template-exclusion dictionary (template, sample, placeholder, tutorial, training data) as NOT evidence on every tier
- Procurement and vendor-management documents that mention ICT third-party service providers without being the register Mitigation: 85 tier requires register-specific vocabulary (contractual arrangement reference number, template codes, substitutability) in proximity
References
- DORA Article 28(3) — register of information on contractual arrangements with ICT third-party service providers
- Commission Implementing Regulation (EU) 2024/2956 — standard templates for the register of information
- ITS 2024/2956 Annex I — register of information template codes (B_01.01 to B_99.01) and field instructions