DORA Register of Information: from annual reporting to continuous oversight

2026/01/07

Recent feedback from the Belgian regulator on DORA reporting has made one thing clear: while the DORA Register of Information (RoI) is typically submitted once per year, it should never be treated as a static document.

And yet, that is precisely what happens in many organisations. The RoI reporting template is intricate because the data is structured to support supervisory automation. It enables regulators to detect concentration risk and identify ICT third-party providers that may warrant direct oversight at EU level.

At the same time, regulators repeatedly emphasise another purpose: the RoI is not meant to be “just a report.” It should serve as a core internal third-party risk management tool, supporting continuous visibility and governance over ICT dependencies.

This creates a contradiction: the mandatory format is built for supervisory aggregation, but the RoI’s primary value lies in being a living operational risk dataset.

Why it matters: incompleteness is non-compliance — and will surface

The regulator has explicitly warned that incompleteness of the RoI constitutes non-compliance. And importantly: it will eventually come to the surface. Why? Because the RoI is “tested” at the worst possible time: during incidents.

If an ICT-related incident occurs and the involved service provider is missing from the RoI (or recorded incorrectly), that’s not a minor documentation issue — it’s a direct compliance gap. It can lead to regulatory findings, follow-up questions, remediation requirements, and potentially sanctions.

It also creates a dangerous incentive: organisations may feel pressure to downplay or avoid reporting incidents when they fear they have gaps in the RoI — exacerbating non-compliance.

The root cause: a format designed for supervision, treated as annual compliance

DORA’s definition of ICT services is broad. Accordingly, the RoI is meant to cover not only obvious “critical” providers, but potentially a long tail of third parties that support ICT services, including subcontracting chains.

Maintaining this manually is increasingly unrealistic:

  • providers change,
  • subcontracting chains evolve,
  • services shift between teams,
  • contracts get renewed, extended, or replaced,
  • and the risk profile of dependencies changes continuously.
     

In this context, a once-per-year RoI exercise almost guarantees drift: the register becomes a snapshot of last quarter’s reality, not today’s.

What a “continuous RoI” approach looks like

The practical challenge is not generating the RoI once a year. The challenge is being able to answer — at any moment:

  • Which ICT service providers are in scope?
  • Where are we concentrated (by provider, service, geography, subcontractor)?
  • Which dependencies support critical or important functions?
  • Do we have actionable exit strategies and contingency plans?
  • Would we be confident submitting our RoI today if the regulator asked?


To meet the spirit (and the letter) of DORA, the RoI needs to be treated as a living operational dataset — maintained continuously, connected to real risk management workflows, and capable of producing regulator-ready reporting outputs when required.

How Complissimo supports continuous RoI compliance

The Complissimo tool was designed to resolve this contradiction: enable day-to-day third-party risk visibility while ensuring the RoI remains audit-ready and submission-ready at all times.

Complissimo supports organisations by:

  • providing a user-friendly interface that makes RoI data maintainable throughout the year,
  • helping identify all ICT third-party providers that belong in scope,
  • giving continuous insights into concentration risk, missing exit plans, and subcontracting exposure,
  • and generating the mandatory RoI reporting output in the correct format with one click when needed (annual submission or ad-hoc regulator request).


The outcome is simple: the RoI stops being an annual scramble and becomes a source of continuous oversight — the way regulators intended.

👉 Want to explore what “continuous RoI” looks like in practice? We’d be happy to exchange insights.

 


Complissimo bv

hello@complissimo.be
Culliganlaan 2D
1831 Diegem
BE1012.942.987
LEI 9845002DGFA8F1CFA129

Eurofiling listed European solution under EBA, ESMA and EIOPA frameworks
