DORA ICT register template
DORA ICT register template guidance: provider inventory, contracts, criticality, subcontractors, concentration risk, exit plans and evidence fields.
Direct answer
A DORA ICT register template should include each ICT provider, service, contract owner, criticality, data location, subcontractors, exit plan, incident contact, renewal date, risk assessment and supporting evidence. The register should be usable for governance, audit, customer review and regulatory reporting.
What should a DORA ICT register template include?
A DORA ICT register template should include each ICT provider, service, contract owner, criticality, data location, subcontractors, exit plan, incident contact, renewal date, risk assessment and supporting evidence. The register should be usable for governance, audit, customer review and regulatory reporting.
- Provider identity
- Criticality
- Exit and incident data
| Main artifact | ICT third-party register |
| Best owner | Risk, compliance or operations |
| Review cadence | At onboarding, renewal and material service change |
A DORA ICT register template should include each ICT provider, service, contract owner, criticality, data location, subcontractors, exit plan, incident contact, renewal date, risk assessment and supporting evidence. The register should be usable for governance, audit, customer review and regulatory reporting.
Update whenever an ICT provider, contract, criticality or subcontractor changes.
Source: ESMA DORA guidance
DORA ICT register template checklist
Action checklistRecord legal name, service, contract owner and business process.
Assess service criticality, dependencies and concentration risk.
Keep exit plan, incident contact, SLA and renewal date.
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| Ongoing | Provider register maintenanceUpdate whenever an ICT provider, contract, criticality or subcontractor changes. | ESMA DORA guidance |
30/60/90-day action plan
First 30 days
Confirm scope and assign an owner
Evidence needed: Applicability note, business owner, systems or product list, and source links.
DORA ICT register
Days 31-60
Close the evidence gaps
Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
DORA ICT register
Days 61-90
Prepare for audit or customer review
Evidence needed: Versioned compliance file, action log, exception register, and next review date.
DORA ICT register
Evidence to retain
Applicability decision
Shows whether a DORA ICT register applies and why the SME made that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Is a vendor list enough for DORA?
No. DORA needs an ICT register with service criticality, contracts, risks, subcontractors, incidents and exit planning.
Who should own the DORA ICT register?
Risk or compliance should govern it, but procurement, IT and service owners must maintain the underlying facts.
Turn this guide into a tracked action plan
Start with the Regulation Checker, save the result, and import the action plan into your EuroComply dashboard when you are ready to assign owners.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.