Register of information regulatory packages

  • Release version: Yokohama
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Register of Information Regulatory Packages

    The Register of Information (RoI) is a regulatory reporting requirement under the Digital Operational Resilience Act (DORA) aimed at financial entities. It involves submitting structured data packages to regulators to demonstrate compliance with DORA. These packages include detailed information about legal entities, third-party service providers, contracts, and functions. The RoI aligns especially with DORA’s pillars on ICT third-party risk management and incident reporting, integrating third-party risk data managed through ServiceNow’s Digital Operational Resilience capabilities.

    Show full answer Show less

    From version 21.1.x onward, third-party assessors can generate regulator-ready RoI packages using the Plain-CSV Report Package option. These packages are ZIP files structured according to European Banking Authority specifications and include metadata and reports named with entity identifiers and release version details. This supports automated validation workflows and ensures compliance with EU DORA regulations.

    Key Features

    • Data Capture and Reporting: The Digital Resilience Third-party Information Register captures necessary data on entities, contracts, functions, and third parties, generating CSV reports aligned with regulatory requirements.
    • Validation Workflows: Automated technical, schema, and business rule validations ensure data accuracy and regulatory compliance. Validation results trigger email notifications to request initiators with attached reports for any errors or warnings.
    • Role-Based Access: Role-specific permissions enable third-party risk administrators and assessors to manage validation logic, configuration files, and RoI requests securely within the Vendor Management Workspace.
    • Configuration and Maintenance: Administrators can maintain DPM business validation rules and configuration files (e.g., report.json, reportPackage.json) to customize validation logic and reporting consistency.
    • Currency Conversion and Aggregation: Optional features allow standardized currency conversion and aggregation of third-party total expenses during report generation, without altering underlying source data.
    • Download Options: Users can download Excel master templates for data preparation and internal review or Plain-CSV packages for regulator submission and compliance validation.

    Practical Use for ServiceNow Customers

    ServiceNow customers using the Vendor Management Workspace can efficiently manage and automate the generation and submission of RoI packages to meet DORA compliance. The platform simplifies gathering third-party risk data, validating submissions against regulatory standards, and managing the entire reporting lifecycle securely through designated roles. This ensures that financial entities can confidently demonstrate regulatory compliance while streamlining operational resilience reporting.

    The Register of Information (RoI) is a regulatory reporting requirement under the Digital Operational Resilience Act (DORA) and is supported by the Digital Resilience Third-party Information Register application in the Vendor Management Workspace application.

    RoI overview

    The RoI is a structured data package that financial entities must submit to regulators to demonstrate compliance with DORA. It includes information about legal entities, third-party service providers, contracts, and functions.

    Starting with version 21.1.x, third-party assessors (sn_vdr_risk_asmt.vendor_assessor) can generate regulator-ready RoI packages using the Plain-CSV Report Package option on the download page. The ZIP file includes metadata and report folders structured to regulator specifications, with file names containing LEI, entity ID, and release version. This enhancement ensures EU DORA compliance and supports automated validation workflows. You can follow the guide provided in the Instructions section on the Download/Upload request page for step-by-step instructions and required permissions.

    Note:
    You can use the Excel master template option to download a document to use for data preparation and internal review and the Plain-CSV reporting package option to download a document to use for regulator submission and compliance validation.

    The RoI framework is designed to align with DORA’s five pillars, particularly ICT third-party risk management and incident reporting. TPRM contributes third-party risk data that is included in RoI packages generated by Digital Operational Resilience capabilities. These RoI packages follow the European Banking Authority’s structure and validation requirements.

    Note:
    RoI framework includes DPM business validation rules and additional configuration files such as report.json, reportPackage.json, and FrameworkCodeModuleVersion. These components enable third-party risk administrators (sn_vdr_risk_asmt.vendor_admin) to view and maintain validation logic and configuration settings for CSV reporting and automated validation workflows, ensuring consistency and compliance across regulatory submissions. TPR admins can access these properties by navigating to All > Digital Operational Resilience Management > Properties and can access DPM business validation rules by navigating to All > Digital Operational Resilience Management > DPM business validation rules.

    After validation completes, the system automatically notifies the request initiator by email and attaches the validation report when errors or warnings are detected.

    Currency conversion and aggregation

    During report generation, you can enable optional currency conversion and third‑party total expense aggregation. These options standardize or combine annual expense values in the reporting package. These options affect only the generated reporting package and do not modify source records in the digital resilience registers.

    For more information, see Currency conversion and third-party total expense aggregation.

    Digital Resilience Third-party Information Register support for RoI

    The Digital Resilience Third-party Information Register provides the following capabilities to support RoI compliance:

    • Data capture for entities, contracts, functions, and third parties
    • CSV report generation aligned with regulator specifications
    • ZIP packaging with metadata and report folders
    • Validation workflows for technical, schema, and business rule checks
    • Role-based access for managing RoI requests
    Note:

    All RoI-related actions are performed in the Digital resilience third-party registers section of the Vendor Management Workspace. This workspace provides access to download/upload requests, validation tools, and master templates.

    For more information, see Generate a register of information package