ICT Third-Party Provider Register
All mandatory fields for the DORA-compliant register of information under Article 28 and the ITS
When a competent authority requests your register of information, they expect it to be complete, current, and structured to the ITS specification — not a spreadsheet someone exported last year. The register is a regulatory artefact. How you maintain it signals how seriously you manage third-party ICT risk.
Bottom Line
The ITS prescribes exact fields. Missing fields are a direct finding. Stale data is a direct finding. A register that only covers IT-managed contracts and misses departmental SaaS subscriptions is an incomplete register. Regulators can request it at any time — it must be ready on demand.
What Auditors Will Actually Look For
- Every ICT provider — not just critical ones — in scope and in the register.
- All ITS-required fields populated for each provider record.
- Current data: contract dates, data residency, and sub-contractor information up to date.
- Version history or audit trail showing the register has been actively maintained.
- Named owners for each provider record — not an ownerless shared spreadsheet.
- Group-level consolidation if your entity is part of a wider group with cross-border subsidiaries.
Common Mistakes
- Populating the register at DORA go-live and treating it as done — providers added since are missing.
- LEI field left blank because "it takes time to look up" — the ITS requires it where available.
- Sub-contractor fields empty because no one asked the provider — this is your obligation to verify.
- No version control: regulators may ask for the register's state at a specific point in time.
Module A — Provider Identity
One record per provider. If a provider delivers multiple distinct services, create a record per service.
| Field | What to Capture |
|---|---|
| Legal name | Full registered legal name of the provider entity |
| LEI | Legal Entity Identifier (20-character alphanumeric) — mandatory where available |
| Registration number | Company registration number and jurisdiction |
| Country of incorporation | ISO country code of the provider's legal domicile |
| Ultimate parent | Name and LEI of ultimate parent entity, if applicable |
| Provider type | Cloud IaaS / PaaS / SaaS, network, co-location, data, managed services, software, other |
Module B — Service Description
Captures what the provider does and how critical it is to your operations.
| Field | What to Capture |
|---|---|
| Service name | Name of the specific ICT service or product supplied |
| Service category | ITS taxonomy: cloud IaaS / PaaS / SaaS, software, data analytics, network, security, other |
| Service description | Brief plain-language description and its operational role |
| Critical / important function | Yes / No — does this service support a critical or important function? |
| Functions supported | List of business functions that rely on this service |
| Substitutability | High / Medium / Low — how easily can this provider be replaced? |
Module C — Contract Information
Contract fields must reflect the current contract — renewals and amendments trigger a register update.
| Field | What to Capture |
|---|---|
| Contract reference | Internal contract ID or reference number |
| Contract start date | Date the contract became effective |
| Contract expiry date | Scheduled end date or rolling renewal date |
| Notice period | Contractual notice period for termination (days) |
| Auto-renewal | Yes / No — does the contract auto-renew without action? |
| Governing law | Jurisdiction governing the contract |
Module D — Data and Geography
Data residency is an ITS requirement and a GDPR compliance input. Both must be accurate.
| Field | What to Capture |
|---|---|
| Data storage country | Country(ies) where data is stored at rest |
| Data processing country | Country(ies) where data is actively processed |
| Data transmission country | Countries through which data transits |
| Personal data involved | Yes / No — does the service involve personal data processing? |
| Data classification | Confidential / Internal / Public — highest classification handled |
Module E — Sub-contracting
Sub-contractor visibility is your responsibility — not something to leave to the provider's discretion.
| Field | What to Capture |
|---|---|
| Material sub-contractors | Names of sub-contractors delivering material parts of the service |
| Sub-contractor country | Country of incorporation of each material sub-contractor |
| Sub-contractor LEI | LEI of each material sub-contractor where available |
| Sub-contracting consent | Yes / No — has the entity consented to material sub-contracting? |
Module F — Risk and Governance
Risk fields drive your monitoring programme and surface concentration exposures.
| Field | What to Capture |
|---|---|
| Risk tier | Tier 1 / Tier 2 / Tier 3 per your documented tiering methodology |
| Last risk assessment date | Date of most recent formal risk assessment |
| Assessment outcome | Pass / Conditional / Fail — summary outcome |
| Next review date | Scheduled date of next formal review |
| Concentration risk flag | Yes / No — is this provider used across multiple entities or functions? |
| Exit strategy in place | Yes / No — is a documented exit strategy maintained for this provider? |
3-Step Action Checklist
1. This week: Check whether your register covers all six modules with all fields populated. Identify any blank mandatory fields and assign ownership for completing them within 10 business days.
2. This month: Compare your register against your contract management system and expense records. Identify any providers active in the last 12 months not in the register. Add them.
3. This quarter: Implement a register update trigger in your contract management workflow — any new contract, renewal, or amendment must generate a register update within 5 business days. Assign a named register owner responsible for version history.
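The "this week" check can be automated. The sketch below is an added example, not part of the ITS or of any official tooling: it flags blank mandatory fields, malformed or missing LEIs, and stale dates in a provider record. The snake_case field keys, ISO-format dates and two-letter country codes are assumptions, and the LEI check goes beyond the 20-character rule in Module A by also verifying the ISO 17442 check digits.

```python
import re
from datetime import date

# Assumed snake_case keys for a subset of the page's fields (hypothetical schema).
MANDATORY = ["legal_name", "country_of_incorporation", "service_name",
             "critical_function", "contract_expiry_date",
             "data_storage_country", "risk_tier", "next_review_date", "owner"]

def _to_number(text):
    # ISO 7064 conversion: digits stay as they are, A=10 ... Z=35.
    return int("".join(str(int(ch, 36)) for ch in text))

def lei_check_digits(prefix18):
    """Check digits for an 18-character LEI prefix (ISO 17442, MOD 97-10)."""
    return f"{98 - _to_number(prefix18 + '00') % 97:02d}"

def lei_is_valid(lei):
    """20 characters, last two numeric, and the whole value is 1 modulo 97."""
    return bool(re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", lei)) and _to_number(lei) % 97 == 1

def validate(record, today):
    """Return the list of findings for one provider record (empty list = clean)."""
    findings = [f"blank:{f}" for f in MANDATORY if not str(record.get(f, "")).strip()]
    lei = str(record.get("lei", "")).strip()
    if not lei:
        findings.append("lei:blank")      # acceptable only if no LEI is available
    elif not lei_is_valid(lei):
        findings.append("lei:invalid")
    country = record.get("country_of_incorporation", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):  # assumes ISO 3166-1 alpha-2
        findings.append("format:country_of_incorporation")
    if record.get("critical_function") not in ("Yes", "No", None, ""):
        findings.append("format:critical_function")
    for f in ("contract_expiry_date", "next_review_date"):
        value = record.get(f, "")
        if value and date.fromisoformat(value) < today:     # assumes YYYY-MM-DD
            findings.append(f"stale:{f}")
    return findings

# Constructed sample records, not real providers or real LEIs.
_PREFIX = "CONSTRUCTEDLEI0001"
GOOD = {"legal_name": "Example Cloud Ltd", "lei": _PREFIX + lei_check_digits(_PREFIX),
        "country_of_incorporation": "IE", "service_name": "Object storage",
        "critical_function": "Yes", "contract_expiry_date": "2026-12-31",
        "data_storage_country": "IE", "risk_tier": "Tier 1",
        "next_review_date": "2025-09-30", "owner": "j.doe"}
BAD = dict(GOOD, lei="", owner="", country_of_incorporation="Ireland",
           next_review_date="2024-01-31")

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(rec, date(2025, 6, 1)))
```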