How Firms Simplified DORA Register of Information Reporting with calQrisk

From spreadsheet complexity to regulator-ready submissions, see how firms used calQrisk to streamline DORA Register of Information requirements, reduce manual effort, and submit with confidence.

Abstract

When firms first engaged with calQrisk to address their Digital Operational Resilience Act (DORA) obligations, many were managing their ICT third-party information across a patchwork of spreadsheets. The Register of Information, a cornerstone requirement under DORA, demands more. It requires a structured, auditable and regularly updated record of all contractual arrangements with ICT third-party service providers – in a very specific format.

For most regulated firms, producing this register to the standard required by the European Supervisory Authorities (ESAs) using manual tools was neither sustainable nor reliable.

calQrisk worked with firms across different regulated sectors in several different jurisdictions to implement a structured solution for building and maintaining the Register of Information. The result has been a consistent, auditable and reportable register that satisfies regulatory expectations, reduces the manual burden on compliance teams and integrates seamlessly with wider ICT risk management and operational resilience frameworks.

About DORA and the Register of Information

The Digital Operational Resilience Act (DORA) applies to a broad range of financial entities across the EU and came into force on 17 January 2025. Among its many requirements, Article 28 obliges regulated entities to maintain a comprehensive Register of Information in respect of all contractual arrangements with ICT third-party service providers.

The register must capture detailed information about each provider, the services they deliver, the criticality of those services, sub-outsourcing chains, data localisation and exit strategies among many other data points. The ESAs have published prescribed templates for the register which must be submitted to competent authorities as part of an annual reporting cycle.

For many firms, the challenge is not simply understanding what is required; it is actually generating it.

Challenges

Regulated firms approaching DORA compliance faced a common set of difficulties when attempting to build and maintain the Register of Information:

Volume and complexity of data.

The ESA templates require granular data across multiple linked tables. This covers the financial entity, functions / business services provided, the contractual arrangement, the ICT third-party service provider and any sub-contractors. Managing the relationships between these tables in spreadsheets proved error-prone and time-consuming.

Keeping the register current.

DORA requires the register to reflect the live position of a firm's ICT third-party arrangements. Any change to a contract, provider or service scope must be captured promptly. Without an integrated solution, firms found it difficult to ensure the register remained accurate between formal review cycles.

Demonstrating oversight to regulators.

Regulators and internal audit functions require not just the register itself, but evidence that it is actively governed. Reviews should be scheduled, findings acted upon and accountability clearly assigned. Spreadsheet-based approaches offered little in the way of evidence.

Integration with broader ICT risk management.

The Register of Information does not exist in isolation. Under DORA, firms must also assess the concentration risk associated with their ICT providers, monitor performance against contractual SLAs and ensure that critical providers are subject to enhanced oversight. Linking the register to a broader risk and resilience framework was beyond the capability of most manual tools.

The Solution

calQrisk developed a structured approach to the Register of Information that maps directly to the ESA-prescribed templates while integrating the register into a firm's wider governance, risk and compliance framework. The key elements of the solution include:

Third Parties & Business Services.

Purpose-built modules that capture all mandatory data fields as set out in the ESA templates covering ICT third-party service providers, contractual arrangements, supported business functions, sub-outsourcing and data localisation. The register can be exported in the format required for regulatory submission at the touch of a button.

Criticality Assessment.

calQrisk enables firms to assess and document the criticality of each ICT service in a consistent and auditable manner by applying defined criteria and linking risks, DDQs, etc. directly to the relevant third party.

Task Management.

Where gaps or issues are identified in the register (for example, missing contract data, overdue reviews, or incomplete sub-outsourcing information), tasks can be assigned, tracked and evidenced directly within the system.

Risk Integration.

ICT third-party providers identified in the register can be linked to relevant risks within the firm's risk register allowing concentration risk and provider-specific risks to be monitored and reported alongside the wider risk profile.

Dashboards and Reporting.

Senior management and the board can view the real-time status of the firm's ICT third-party register including the proportion of services assessed for criticality, outstanding actions and upcoming review dates. 

Client Experiences

Navro

Navro helps businesses smoothly navigate their growth into foreign markets by providing them with access to the best payments infrastructure around the world through one contract and one API, making borders a thing of the past and enabling businesses to scale more smoothly than ever before.

“calQrisk expertly navigated the complexities of the DORA RoI report, turning a difficult new regulatory requirement into a seamless process. Their platform effectively eliminated the administrative burden. Our report was accepted by the Central Bank of Ireland with very minimal iterations, saving us hours of manual effort and ensuring a stress free submission”

Niamh Quinn, Operations Manager

Arachas

Arachas is Ireland’s largest insurance broker and part of the Ardonagh Group. They offer innovative products and exceptional service while making insurance as easy as possible.

“calQrisk made generating the DORA Register of Information submission file for the Central Bank of Ireland remarkably straightforward, turning a complex regulatory requirement into a fast, simple process. Its ease of use gave us real confidence that our submission would be free from error and meet all expectations.”

Hugh Smith, Head of Operational Governance & Resilience

About the company:

Navro is a global payments platform helping businesses expand internationally through one contract and one API, while Arachas is Ireland’s largest insurance broker and part of the Ardonagh Group. Operating in highly regulated sectors, both organisations required efficient, reliable solutions to meet complex DORA Register of Information obligations with confidence.