DORA Regulation: Reporting of the ICT Register of Information approaches, Are You Ready?

March 27, 2025

DORA Regulation Reporting of the ICT Register of Information approaches

The application of the DORA regulation began on January 17, 2025, and financial entities are currently implementing the final practical aspects of this regulatory framework. The next significant step in this implementation is preparing for the first regular reporting under the DORA framework, the ICT Register of Information reporting. Financial entities must report their ICT Register of Information (ROI) to the Finnish Financial Supervisory Authority (FIN-FSA) by April 30, 2025.

What is the DORA Regulation?

DORA (Digital Operational Resiliency Act, Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector) came into force in 2023, and its application began on January 17, 2025. The purpose of DORA is to enhance the ability of financial sector entities to withstand and anticipate disruptions to their information systems and to better prevent cyber-attacks. Many of DORA’s requirements correspond to existing operational risk management obligations in financial regulation, still bringing forth clarifications and more extensive obligations specifically from an ICT perspective. Although DORA primarily imposes obligations on financial sector entities, it also affects ICT service providers offering services to these entities. ICT service providers must comply with certain DORA requirements, and a separate supervisory framework has been established for critical ICT service providers.

ICT Contract Register to be prepared according to regulatory template

Financial entities must maintain a ICT Register of Information (ROI, ICT contract register) as part of their ICT risk management framework. The register is prepared according to the detailed criteria of DORA’s delegated regulation ((EU) 2024/2956) and contains information on all ICT service contracts made with ICT service providers. The register is largely standardized and requires a significant amount of information about the ICT services and ICT service providers used by the financial entity. Collecting the necessary information has proven challenging for many entities.

Financial entities must report the ICT contract register data annually to the FIN-FSA via the FIN-FSA reporting portal. The first report shall be filed by April 30, 2025, based on the situation as of March 31, 2025. Despite the approaching reporting deadline, the functionalities related to ICT Register of Informaiton reporting have not yet been published in the FIN-FSA’s reporting portal. A separate reporting release from the FIN-FSA regarding the upcoming ICT Register of Information reporting is expected in the coming days when the necessary functionality is released.

Significance of reporting

Reporting to the FIN-FSA is a central part of the DORA regulation. It allows the FIN-FSA to assess the ability of financial entities to manage ICT risks and ensure compliance with the regulation’s requirements. Reporting also helps identify potential weaknesses and areas for improvement in the ICT risk management of financial entities. The ICT Register of Informatoin reporting also has broader significance within the DORA framework, as the European Supervisory Authorities (EBA, ESMA, EIOPA) use the reported data to identify critical ICT third-party service providers (CTTPs). A separate supervisory framework under DORA applies to these critical ICT service providers. According to current information, the European supervisory authorities will designate critical ICT service providers by July 2025.

Lexia supports in implementing the DORA Regulatory Framework

Although the application of DORA began in January, many financial entities are still in the process of implementing the new regulatory framework. Lexia’s experienced team provide the necessary legal support in implementing the DORA regulatory framework into the practical operations of financial entities. Learn more about our team below.

This article was written by Emilia Lostedt, Counsel, [email protected]

Team: Emilia LostedtKatariina PesonenElina VääräJesse KinnaslampiRebecca Rafkin

Back to Top