
July 31, 2025 1 min

A robust Register of Information (RoI) is the beating heart of Digital Operational Resilience Act (DORA) compliance. It turns a sprawling web of technology contracts into a single, regulator‑ready view of who delivers which digital services, how resilient those services are, and what would happen if they failed. Below is a practical blueprint for the sections and data fields your RoI template should cover. When you are ready to build or validate your own register, the CyberUpgrade Dora Register Tool offers a structured framework that already aligns with these elements.

1.  Entity and Service Catalogue

Start with a master list that answers two basic questions: Which legal entity am I reporting for, and which ICT‑enabled services do I rely on? Capture the entity’s regulatory identifier, followed by a concise description of each business function the service supports (e.g., retail payments, securities settlement, claims processing).

2.  Provider Identification

Every ICT third party must be uniquely and unambiguously identified. Record:

  • Legal name, trading name and country of incorporation

  • Global Legal Entity Identifier (LEI) or, if unavailable, company registration number

  • Primary and secondary operating locations

3.  Contract and Service‑Level Details

For each service, log the governing contract reference, signature date, initial term, renewal cycle and next review date. List the agreed service‑level objectives (uptime, recovery time objective, recovery point objective) so you can trace resilience metrics back to legally binding commitments.

4.  Criticality and Risk Classification

DORA differentiates between critical and important services. Your template should include a yes/no field for criticality, supported by a short rationale (e.g., “Direct impact on payment system availability”).

5.  Sub‑outsourcing Chain

If the provider relies on subcontractors—cloud operators, data‑centre hosts, niche software vendors—capture at least the first level of that chain. Note whether the primary contract requires prior notification or approval before further outsourcing, and highlight any known concentration risk (multiple critical services sitting on the same hyperscaler, for instance).

6.  Operational and Security Controls

Summarise the controls the provider must operate: encryption standards, vulnerability‑management cadence, incident‑response timelines, audit rights and penetration‑testing frequency.

7.  Testing and Assurance Evidence

Reserve fields for the date and outcome of the latest business‑continuity test, security audit, or penetration test. If evidence is stored elsewhere (e.g., a GRC platform or shared drive), reference the exact location or link.

Putting it All Together

A well‑structured RoI template covers far more than contract basics; it weaves together legal, operational, security and governance data so you can demonstrate resilience at a glance. Creating that template from scratch can be time‑consuming, which is why many firms lean on tools such as the CyberUpgrade Dora Register Tool—pre‑configured to capture every mandatory field, handle bulk uploads and produce regulator‑friendly exports.



© 2025 iHeartMedia, Inc.