How to Build Your DORA Register of Information (RoI)
Learn how EU financial entities can build and maintain a DORA-compliant Register of Information under Article 28.3. Practical steps, required data fields, and common pitfalls.
Expert analysis, compliance tools, and the latest updates on the Digital Operational Resilience Act - curated by the DoraLytics team.
How DoraLytics maps to EU Regulation 2022/2554 requirements. Based on our analysis of all six DORA chapters.
| Article | Requirement | Coverage | DoraLytics Capability |
|---|---|---|---|
| Chapter II - ICT Risk Management | |||
| Art. 5 | Governance & Organisation | Partial | Compliance dashboard with real-time overview, role-based access, board-ready reports |
| Art. 6 | ICT Risk Management Framework | Full | Complete assessment framework, risk scoring, gap analysis, annual review tracking |
| Art. 7 | ICT Systems, Protocols & Tools | Indirect | ICT asset register inventories systems and status |
| Art. 8.1-4 | Identification & Asset Mapping | Full | ICT Asset & Dependency Mapping - register, classify, map dependencies |
| Art. 8.5 | Third-Party Dependencies | Full | Third-Party Risk Management with vendor register, risk assessment, sub-contracting visibility |
| Art. 8.7 | Legacy System Risk Assessment | Partial | ICT asset register flags legacy systems with specific risk assessment |
| Art. 9 | Protection & Prevention | Partial | Assessment framework covers security policy compliance, gap identification |
| Art. 10 | Detection | Gap | Operational requirement - requires SIEM/IDS/IPS (outside compliance tool scope) |
| Art. 11 | Response & Recovery | Partial | Tracks BCP/DRP status, test results, findings management |
| Art. 12 | Backup & Restoration | Partial | ICT asset register tracks backup status, maturity assessment |
| Art. 13 | Learning & Evolving | Partial | Incident log for post-incident review, findings tracking, board reports |
| Art. 14 | Communication | Gap | Crisis communication is organisational/operational (outside tool scope) |
| Art. 16 | Simplified Framework | Full | Essentials plan designed for smaller entities with proportionate frameworks |
| Chapter III - Incident Management | |||
| Art. 17 | Incident Management Process | Partial | Incident register with classification, prioritisation, status tracking |
| Art. 18 | Incident Classification | Full | All six DORA criteria built in, automatic severity assessment |
| Art. 19 | Reporting Major Incidents | Partial | Report generation suitable for authority submission with timeline support |
| Art. 20 | Reporting Templates | Partial | Pre-filled templates following ESA guidelines, PDF export |
| Art. 22 | Supervisory Feedback | N/A | Authority requirement |
| Art. 23 | Payment-Related Incidents | Full | All incident types handled equally |
| Chapter IV - Resilience Testing | |||
| Art. 24 | Testing Programme | Partial | Tracks resilience testing status, findings management |
| Art. 25 | Testing of ICT Tools | Partial | Gap analysis function, tracks test results and remediation |
| Art. 26 | TLPT (Threat-Led Penetration Testing) | Indirect | Tracks TLPT status and results, links to vendor register |
| Art. 27 | Tester Requirements | N/A | Requirement for testers/vendors |
| Chapter V - Third-Party Risk | |||
| Art. 28.2 | Third-Party Strategy | Full | Full third-party risk management with strategy view and vendor registers |
| Art. 28.3 | Register of Information (RoI) | Full | Automated RoI with mandatory data fields, ESA format export |
| Art. 28.4 | Pre-Contract Due Diligence | Partial | Risk assessment template, concentration risk analysis |
| Art. 28.7-8 | Exit Strategies | Partial | Vendor register documents exit strategies, substitutability assessment |
| Art. 29 | ICT Concentration Risk | Full | Dependency chain visualisation, concentration risk heatmap |
| Art. 30 | Key Contractual Provisions | Partial | Contract requirements checklist, mandatory clause tracking |
| Art. 31-44 | CTPP Oversight Framework | N/A | ESA/authority requirements |
| Chapter VI - Information Sharing | |||
| Art. 45 | Cyber Threat Information Sharing | Indirect | Resources section with links to ENISA, TIBER-EU, ECB |
Practical guides and analysis on DORA compliance for financial entities.
Step-by-step guide to ICT asset identification and dependency mapping under DORA Article 8. Classification, criticality assessment, and dependency chain documentation.
Understanding the relationship between DORA and NIS2 for financial entities. Key differences, overlaps, and which regulation takes precedence.
Looking for regulatory resources, ESA links, and technical standards? Visit our curated resources section with links to all major European supervisory authorities and DORA documentation.