Digital resilience third-party registers

Beginning with Release 19.1.x, the Digital Resilience Third-party Information Register application is supported for DORA compliance in the Vendor Management Workspace.

The Digital Resilience Third-party Information Register application is used to download the Digital resilience third-party registers. The application contains the Microsoft Excel template that includes all tabs for reporting purposes. It helps the financial entities to maintain a comprehensive register of their contractual arrangements with ICT Third-party service providers at the individual entity, sub-consolidated, and consolidated levels.

You can use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.

Digital Operational Resilience

Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT related capabilities that are needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. The continuity can be achieved directly or indirectly with the services provided by the ICT third-party service providers.

Digital Operational Resilience Act

Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). It’s a European Union (EU) regulation that came into effect on 16 January 2023 and it will be applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESA)s and protects Europe's financial sector from major digital disruptions.

For more information on DORA and the Digital Resilience Third-party Information Register application, see https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act and Exploring Digital resilience third-party registers.

Creating records for Digital resilience third-party registers

The following example shows how records appear in the Digital resilience third-party registers in the Vendor Management Workspace.

Legal entities

You can create a legal entity record, by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can view existing legal entities and enhance their digital resilience information to comply with DORA regulations. After installing the Digital Resilience Third-party Information Register application, a Legal Entities related list is added for existing companies that aren’t already defined as a third party, enabling you to add their details. The Legal Entity record includes essential fields for regulatory reporting, such as the Legal Entity Identifier (LEI), name, country of registration, and entity type. These fields are offered as choice lists within the system. The system acknowledges the entity hierarchy, with no additional details required for ultimate parents, while subsidiaries must specify their parent entity. The date of registration for each legal entity is also noted. Additionally, specific details like the last update, integration date, removal status, deletion date, currency used, and total asset value are documented for each entity, as required by regulators for entities engaging with external third parties for outsourced technical services. Regulators mandate these specific details for legal entities engaging with external third parties for outsourced technical services.

Note:

Existing third parties aren’t shown in the Legal entities list. Company records can only be defined as a Third party or Legal entity. For companies and legal entities, the Vendor option is set to False. (The check box isn’t selected.)

For more information see, Create a legal entity and enhance digital resilience data, Create New Company form, and Create New Legal entity form.

Branches

You can create a branch record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. This enables you to enhance the branch's digital resilience information to help ensure compliance with DORA regulations. A legal entity can operate multiple branches across different cities or countries, and all these branches can be documented. When a new branch is established, its information must be included for regulatory reporting. Some common details captured include the branch name and description, owner's details, business units and departments for reporting purposes, whether the branch is a head office or another type, the branch ID, and its originating country. The branch number is auto-generated, and once all details are complete, the information is ready to be captured in the information register.

For more information see, Create a branch and enhance digital resilience data and Create New Branch form.

Function

You can create a function record, by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the function identifier, license activity, function name, and criticality or importance assessment. Each function represents a specific service or group of services as defined by the Digital Operational Resilience Act (DORA). The functions record is used to capture detailed information about each function, including descriptive text. Once the function record is created, you can enhance its digital resilience information to help ensure compliance with DORA regulations, effectively documenting the third-party provided ICT service usage.

For more information see, Create a function and enhance digital resilience data and Create New Function form.

Third parties

You can access and view existing third-party records by selecting the Third parties list within the Digital resilience third-party registers in the Vendor Management Workspace. After installing the Digital resilience third-party registers, a Digital Resilience Information related list is added on the third party's page, enabling you to set up the digital resilience information details.

Here, you can view the legal entity ID of the third party, which can be captured by the Value Added Tax (VAT) number or Company Registration Number (CRN). You can specify the country of registration and its code, which the system uses to generate the ID. Additionally, you can indicate if the third party is an ultimate or a subsidiary, include the name of the ICT third party and the type of service they provide (for example, Software as a Service), and optionally note if an individual acts on behalf of the organization. You can also select the reporting currency and input the total annual expense for this engagement.

For more information see, Create a third party and enhance digital resilience data, Create New Company form, and Create New ICT third-party service provider form.

Engagements

You can access and view existing third-party engagement records by selecting the Third-party engagements list within the Digital resilience third-party registers in the Vendor Management Workspace. After you install the Digital resilience third-party registers, the Digital Resilience Information related list is added on the third-party engagements page, enabling you to set up the digital resilience information details.

Here you can view the third party's name, its type, annual spend, engagement tier, and other relevant information. You can enhance the record's digital resilience information by creating ICT third-party service provider records. Add ICT third-party service provider details such as the name of the service provider, its identification code, type of ICT services, currency, and so on. This enhances the digital resilience information of its associated third-party engagement for compliance with DORA regulation.

For more information see, Create a third-party engagement and enhance digital resilience data, Create New Third-party engagement form, and Add Digital resilience information to third-party engagements.

Contracts

You can create a contract record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the vendor name, start and end dates, state, substate, and other relevant information. Once the contract record is established, you can enhance its digital resilience information to help ensure compliance with the DORA regulations.

The Digital resilience third-party registers provide details about who within your organization is using externally outsourced ICT services, which functions and branches are using them, and who the third-party providers and their engagements are. Contracts serve as the link between these aspects, binding legal entities, branches, and functions to third parties and their engagements.

You can access these contracts through the Contracts list in the Digital resilience third-party registers. Alternatively, navigate to a specific legal entity's record, open the Legal Entities related list, and access all associated contract information. To view contracts for a legal entity, go to the legal entity's record, open the Legal Entities related list, and navigate to the different Contracts-related tabs. If the entity signing the contract differs from the one using it, that detail is included in the record, along with the service provider. Details captured in these records can include data storage and processing locations, data sensitivity and service provider reliance, contract and termination details, annual assessments, and contractual reference numbers.

For more information see, Create a contract and enhance digital resilience data, Create New Contract form, and Create New Contractual arrangement form.

Note:

Provider‑level annual expense totals may be automatically aggregated during report generation when all contracts meet the required criteria. Aggregation applies only to exported reports and does not change contract records.

For more information, see Currency conversion and third-party total expense aggregation.

Supply chains

You can create a supply chain record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here you can capture details of the supply chain such as the type of the ICT services, Legal Entity Identifier (LEI) of the entity that provides the ICT services, and so on.

For more information see, Create a supply chain and enhance digital resilience data and Create New Contractual arrangement form.

Assessments

You can create an assessment of the ICT service record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the contractual arrangement reference number, identification code, and type of code for the ICT third-party service provider. Once the assessment is created, you can enhance its digital resilience information to help ensure compliance with the DORA regulation. It’s required to review your contracts and third parties annually.

Add details such as the contractual arrangement reference number, identification code, and type of code for the ICT third-party service provider. You can then enhance its digital resilience information for compliance with DORA regulation.

For more information see, Create an assessment and enhance digital resilience data and Create New Contractual arrangement form.

For more information on the roles related to using Digital resilience third-party registers, see Roles in Third-party Risk Management.

Uploading and downloading records

The following example shows where you can view and create Excel download/upload requests.

Register of Information packages

After upgrading the Digital Resilience Third-party Information Register application to version 21.1.x, third-party assessors (sn_vdr_risk_asmt.vendor_assessor) can generate regulator-ready Register of Information (RoI) packages using the Plain-CSV Report Package option on the download page. The resulting ZIP file includes metadata and report folders structured to regulator specifications, with filenames containing the Legal Entity Identifier (LEI), entity ID, and release version. This format ensures EU DORA compliance and supports automated validation workflows. Users can follow the guide provided in the Instructions section on the Download/Upload request page for step-by-step instructions and required permissions. For more information, see Register of information regulatory packages and Generate a register of information package.

During RoI package generation, users can optionally enable currency conversion and third-party total expense aggregation. When enabled, these options standardize annual expense values using historical exchange rates and consolidate eligible contract expenses at the provider or engagement level in the exported package.

Third-party risk managers (sn_vdr_risk_asmt.vendor_manager) can validate downloaded RoI packages using the same Plain-CSV Report Package option. The system performs validation across multiple tables, checking file format, structure, encoding, naming conventions, and field-level data. If validation warnings are detected, a report is automatically attached, including mappings to regulator fields such as Template Code, Row Code, and Column Code. These reports also include real-world field labels, rule expressions, and record identifiers. Validation errors can be cross-referenced using a downloadable Excel master template that mirrors the CSV structure, simplifying issue identification and resolution. This template can be generated using the Excel master template option on the download page. Additional enhancements include support for “Not applicable” values, enforcement of file size limits, and clearer error messages for malformed data. For more information, see Validation framework for Register of Information, Validate Register of Information packages, and .