DORA and Register of Information Submission: what supervised entities must do

The Bank of Italy has published a communication to indicate the timeline for the annual routine submission of the registers of information under Regulation (EU) 2022/2554 (DORA), which entered into force on January 16, 2023 and has been applicable since January 17, 2025.

This regulation, let us recall, introduces a uniform European framework on digital operational resilience for the financial sector, imposing organizational, contractual and reporting obligations.

Submission obligations under DORA

Among the central obligations is the maintenance and submission of the Register of Information relating to contractual arrangements for ICT services provided by third parties.

Pursuant to Art. 28 DORA, financial entities must:

• maintain an up-to-date register of all ICT contracts;
• include information on suppliers and subcontractors;
• classify services based on criticality;
• make the register available to the competent authority.

On a steady-state basis, submission is annual, with a reference date of December 31 and delivery by March 15 of the following year. In Italy, according to Bank of Italy guidelines, transmission has been steadily in effect since 2026.

What must be submitted and to whom

The complete Register of Information must be submitted, structured according to the Implementing Technical Standards (ITS) issued by the European Supervisory Authorities.

The register contains, among other things:

• complete list of ICT suppliers;
• detail of services provided;
• identification of contracts;
• indication of any sub-outsourcing;
• criticality assessment of services;
• data location and supported business functions.

In Italy, submission is made to the Bank of Italy, as the competent authority for the supervised entities under its jurisdiction.

Submission via INFOSTAT

Submission must be made via INFOSTAT, the Bank of Italy's regulatory reporting platform.

INFOSTAT:

• allows upload of structured files;
• applies automatic consistency and validation checks;
• may require resubmission in case of formal or substantive errors.

Free-form or descriptive submissions are not accepted: the file must comply with the technical layout required by the ITS.

Who has access to INFOSTAT

Access is reserved to:

• entities supervised by the Bank of Italy;
• third parties formally delegated by the intermediary (e.g. outsourcers or consultants).

The intermediary must appoint contacts and manage authorizations. Responsibility for the transmitted content always remains with the supervised entity.

Must ICT suppliers submit the register?

No. The submission obligation rests exclusively with supervised financial entities, not with ICT suppliers.

However, suppliers must:

• provide complete and up-to-date information;
• accept DORA-compliant contractual clauses;
• allow audits and inspections.

In the case of designation as critical third-party providers (CTPPs), they may be subject to a European direct oversight regime.

Technical specifications of files and where to find them

The file must comply with:

• official template required by the ITS;
• harmonized EU data model;
• data dictionary and validation rules.

Technical specifications are available on the websites of:

• European Banking Authority
• European Securities and Markets Authority
• European Insurance and Occupational Pensions Authority

Reference should be made to the final version of the ITS published in the Official Journal of the European Union and to national operational instructions.

How consultants can assist

The complexity of the register is not only technical but organizational. It requires:

• comprehensively map ICT contracts;
• integrate ICT, risk and compliance functions;
• build a data set consistent with the European model;
• design a continuous update process.

An integrated approach combining legal expertise and information systems architecture reduces the risk of structural errors and last-minute work.

In this context, firms like Tomato Blue Consulting operate with a compliance-by-design model (see our DORA core service), combining contractual review, ICT risk governance and technical register implementation according to DORA standards, with a permanent "audit-ready" approach.

DORA is not a one-off compliance exercise: it is an ICT supplier governance system based on structured, verifiable and transmittable data. Preparing it correctly means transforming a regulatory obligation into a strategic control element.