Register of information regulatory packages

  • Release version: Xanadu
  • Updated November 3, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Register of Information Regulatory Packages

    The Register of Information (RoI) is a regulatory reporting requirement under the Digital Operational Resilience Act (DORA), facilitated by the Digital Resilience Third-party Information Register application in the Vendor Management Workspace. Financial entities must submit RoI packages to regulators to demonstrate compliance with DORA, detailing legal entities, third-party service providers, contracts, and functions.

    Show full answer Show less

    Key Features

    • Starting with version 21.1.x, third-party assessors can generate RoI packages using the Plain-CSV Report Package option, producing a ZIP file that meets regulator specifications.
    • The framework aligns with DORA’s five pillars, focusing on ICT third-party risk management and incident reporting.
    • Includes DPM business validation rules and configuration files for consistent regulatory submissions.
    • Role-based access for managing RoI requests, ensuring proper permissions for data handling.

    Key Outcomes

    By utilizing the RoI framework, organizations can ensure compliance with DORA, streamline their reporting processes, and maintain regulatory integrity. The Digital Resilience Third-party Information Register supports data capture, CSV report generation, and validation workflows, enhancing the efficiency of compliance efforts.

    The Register of Information (RoI) is a regulatory reporting requirement under the Digital Operational Resilience Act (DORA) and is supported by the Digital Resilience Third-party Information Register application in the Vendor Management Workspace application.

    RoI overview

    The RoI is a structured data package that financial entities must submit to regulators to demonstrate compliance with DORA. It includes information about legal entities, third-party service providers, contracts, and functions.

    Starting with version 21.1.x, third-party assessors (sn_vdr_risk_asmt.vendor_assessor) can generate regulator-ready RoI packages using the Plain-CSV Report Package option on the download page. The ZIP file includes metadata and report folders structured to regulator specifications, with file names containing LEI, entity ID, and release version. This enhancement ensures EU DORA compliance and supports automated validation workflows. You can follow the guide provided in the Instructions section on the Download/Upload request page for step-by-step instructions and required permissions.
    Note:
    You can use the Excel master template option to download a document to use for data preparation and internal review and the Plain-CSV reporting package option to download a document to use for regulator submission and compliance validation.

    The RoI framework in TPRM is designed to align with DORA’s five pillars, particularly ICT third-party risk management and incident reporting. RoI packages generated in TPRM follow the European Banking Authority’s structure and validation requirements.

    Note:
    RoI framework includes DPM business validation rules and additional configuration files such as report.json, reportPackage.json, and FrameworkCodeModuleVersion. These components enable third-party risk administrators (sn_vdr_risk_asmt.vendor_admin) to view and maintain validation logic and configuration settings for CSV reporting and automated validation workflows, ensuring consistency and compliance across regulatory submissions. TPR admins can access these properties by navigating to All > Digital Operational Resilience Management > Properties and can access DPM business validation rules by navigating to All > Digital Operational Resilience Management > DPM business validation rules.

    Digital Resilience Third-party Information Register support for RoI

    The Digital Resilience Third-party Information Register provides the following capabilities to support RoI compliance:

    • Data capture for entities, contracts, functions, and third parties
    • CSV report generation aligned with regulator specifications
    • ZIP packaging with metadata and report folders
    • Validation workflows for technical, schema, and business rule checks
    • Role-based access for managing RoI requests
    Note:

    All RoI-related actions are performed in the Digital resilience third-party registers section of the Vendor Management Workspace. This workspace provides access to download/upload requests, validation tools, and master templates.

    For more information, see Generate a register of information package