DORA ICT Provider Evidence Checklist: Free Template (XLSX)
Published Jul 3, 2026
By Orbiq Team


Free DORA ICT provider evidence checklist: RoI-aligned provider register fields, criticality tiers, evidence cadence per tier, and exit-strategy tracker.

Tags: dora · templates · third-party-risk · register-of-information · eu-regulation

Download this template

Version 1.0 · Updated Jul 3, 2026 · Free, no email required


Quick answer: This free DORA ICT provider evidence checklist is a downloadable XLSX (plus PDF and machine-readable Markdown) that gives financial entities a Register-of-Information-aligned provider register, a criticality assessment rubric based on Article 28(2) of Regulation (EU) 2022/2554, a per-tier evidence checklist mapped to Article 30, subcontracting-chain disclosure fields per Article 29 and the subcontracting RTS, and an exit-strategy tracker per Article 28(8). Field names follow the structure of the ESAs' Register of Information templates adopted in Commission Implementing Regulation (EU) 2024/2956, so the data you collect feeds straight into your supervisory register.

DORA has applied across the EU since 17 January 2025, and supervision has moved from guidance to data quality: national competent authorities now collect registers annually, run the EBA validation rules against them, and push back on incomplete provider, subcontractor, and criticality data. The bottleneck for most compliance teams is not understanding the rules — it is having a single working document that tracks which provider, which criticality tier, which evidence, at which cadence. That is what this DORA third-party risk checklist does.


Key Takeaways

  • One register, RoI-aligned. The provider register sheet mirrors the field logic of the ESAs' Register of Information templates (15 templates in 8 groups under Implementing Regulation (EU) 2024/2956), so nothing you track needs re-mapping at submission time.
  • Criticality drives everything. DORA's core distinction is binary — does the ICT service support a critical or important function (CIF) or not (Article 28(2)). The template adds an operational third tier for low-dependency services so evidence effort matches risk.
  • Evidence has a cadence, not a checkbox. Article 30(3)(e) gives you ongoing monitoring rights for CIF providers; the checklist turns them into quarterly and annual evidence rows instead of a one-off onboarding pack.
  • Subcontracting chains are in scope. Article 29 and Commission Delegated Regulation (EU) 2025/532 require you to identify and assess the subcontracting chain behind CIF services — the template captures it per provider.
  • Exit strategies must be documented and tested. Article 28(8) requires comprehensive, documented, periodically tested exit plans — the exit sheet tracks alternatives, transition plans, data portability, and test dates.

What's Inside the Template

The XLSX contains five sheets. Here is a representative preview of each.

1. ICT Provider Register (RoI-aligned)

| Field | Example | RoI / DORA anchor |
|---|---|---|
| Provider legal name + LEI | CloudCore Europe B.V. · 5493001KJTIIGC8Y1R12 | ITS provider identification (B_05) |
| Contract reference + type | CTR-2024-018 · Standalone agreement | ITS contractual arrangements (B_02) |
| ICT service type (ESA taxonomy) | Cloud computing — IaaS | ITS ICT services (B_04) |
| Supports critical or important function? | Yes — payment processing | Art. 28(2), Art. 3(22) |
| Data storage / processing locations | Netherlands; Ireland (DR) | Art. 30(2)(b) |
| Contract dates, renewal, notice period | 01.03.2024 → indefinite · 6 months | ITS contract fields |
| CTPP designated provider? | No | ESAs' CTPP list (Nov 2025) |

2. Criticality Assessment

| Field | Options |
|---|---|
| Function supported | Free text + function ID |
| Critical or important function? | Yes / No / Under assessment |
| Criticality tier (operational) | Tier 1 — CIF · Tier 2 — Standard · Tier 3 — Low dependency |
| Substitutability | Easy / Difficult / Highly complex |
| Concentration risk flag | Yes / No (Art. 29 preliminary assessment) |
| Reassessment due | Date (at least annually) |

3. Evidence Checklist (per tier, with cadence)

| Evidence category | Example evidence | DORA anchor | Tier 1 cadence | Tier 2/3 cadence |
|---|---|---|---|---|
| Security certification | ISO/IEC 27001 certificate | Art. 28(4)–(5) due diligence | Annual | Annual (T2) / At onboarding (T3) |
| Independent assurance | ISAE 3402 / ISAE 3000 report | Art. 30(3)(e) monitoring rights | Annual | On request |
| Service-level reporting | SLA performance reports | Art. 30(3)(a) | Quarterly | |
| Resilience testing | Pen test summary; TLPT cooperation confirmation | Art. 30(3)(c)–(d), Arts. 26–27 | Annual / per TLPT cycle | |
| Incident cooperation | Incident notification SLA + contact matrix | Art. 30(2)(f), Art. 19 | Annual review | Annual review |
| Subcontracting disclosure | Current subcontractor list + locations | Art. 29; CDR (EU) 2025/532 | Quarterly | Annual (T2) |
| Business continuity | BCP/DR test results | Art. 30(3)(c) | Annual | |
| Exit readiness | Data portability statement; tested exit plan | Art. 28(8), Art. 30(3)(f) | Annual test | |

4. Subcontracting Chain & Exit Strategy

For each Tier 1 provider: subcontractor name, jurisdiction, service underpinned, data locations in the chain, chain-length concern flag — plus exit fields: identified alternative provider or in-house option, transition period agreed in contract, data return format, last exit-plan test date, and contingency measures.

5. Instructions

Field definitions, enum values, and a suggested quarterly review workflow.


How to Use This Checklist

  1. Inventory first. List every ICT service arrangement in the Provider Register sheet — DORA's register covers all contractual arrangements on ICT services, not just cloud or just critical ones (Article 28(3)).
  2. Classify. Run each arrangement through the Criticality Assessment sheet. The CIF determination (Article 28(2)) decides whether the full Article 30(3) contractual provisions and Tier 1 evidence set apply.
  3. Collect on cadence. Work the Evidence Checklist sheet quarterly for Tier 1 providers and annually for the rest. Attach evidence references, not documents — the sheet tracks status and dates.
  4. Map the chain. For every Tier 1 provider, complete the subcontracting fields. If you cannot identify who effectively underpins the service, that is a finding in itself.
  5. Test the exit. Review and test exit plans on the schedule the sheet tracks — an untested exit plan does not meet Article 28(8)'s "sufficiently tested" bar.
  6. Feed the register. At your NCA's submission window, transfer the structured data into the official EBA reporting package and run the validation rules before filing.
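The six steps above are easy to state and hard to keep honest across a register of dozens of providers. The following is an added example, not part of the template or Orbiq's own tooling, that turns steps 2 to 5 into a review-date check: it encodes the per-tier cadence from the evidence checklist sheet, flags evidence that is missing or stale for the provider's tier, treats an unmapped subcontracting chain on a Tier 1 provider as a finding in itself, and flags exit plans not tested within a year. The field names, the day counts used for "quarterly" and "annual", the second provider and all dates are assumptions constructed for the example; the cadence table follows the preview above.

```python
"""Added example (not part of the template or Orbiq's code): a cadence-aware
review of a DORA ICT provider register. Field names, day counts and the sample
register are assumptions modelled on the sheets described on this page."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

QUARTER = 92      # days; quarterly cadence (assumed, with a little slack)
YEAR = 365        # days; annual cadence (assumed)
ONBOARDING = 0    # evidence must exist but does not recur

# Evidence cadence per category and operational tier, following the evidence
# checklist preview. A tier absent from a row has no recurring requirement
# for that category (e.g. "on request").
CADENCE_DAYS: Dict[str, Dict[int, int]] = {
    "security_certification":    {1: YEAR, 2: YEAR, 3: ONBOARDING},
    "independent_assurance":     {1: YEAR},
    "service_level_reporting":   {1: QUARTER},
    "incident_cooperation":      {1: YEAR, 2: YEAR, 3: YEAR},
    "subcontracting_disclosure": {1: QUARTER, 2: YEAR},
    "business_continuity":       {1: YEAR},
    "exit_readiness":            {1: YEAR},
}

REVIEW_DATE = date(2026, 7, 3)   # constructed review date for the sample run


@dataclass
class Provider:
    name: str
    tier: int                      # 1 = CIF, 2 = standard, 3 = low dependency
    supports_cif: bool             # Art. 28(2) determination
    evidence_dates: Dict[str, date] = field(default_factory=dict)  # category -> last obtained
    subcontractors: Optional[List[str]] = None   # None = chain not mapped; [] = confirmed none
    exit_plan_last_tested: Optional[date] = None


def evidence_findings(p: Provider, as_of: date) -> List[str]:
    """Return human-readable findings for one provider as of a review date."""
    findings: List[str] = []

    # Step 2: Tier 1 is the CIF tier and nothing else is; a mismatch means
    # the classification sheet and the register disagree.
    if (p.tier == 1) != p.supports_cif:
        findings.append(f"classification: tier {p.tier} inconsistent with CIF={p.supports_cif}")

    # Step 3: missing evidence is a finding whenever the tier requires it;
    # stale evidence is a finding only for recurring items.
    for category, tiers in CADENCE_DAYS.items():
        interval = tiers.get(p.tier)
        if interval is None:
            continue
        last = p.evidence_dates.get(category)
        if last is None:
            findings.append(f"{category}: no evidence on file (required for tier {p.tier})")
        elif interval > ONBOARDING and (as_of - last).days > interval:
            findings.append(f"{category}: stale, last obtained {last}, cadence {interval} days")

    # Steps 4 and 5: Tier 1 providers need a mapped chain and a tested exit plan.
    if p.tier == 1:
        if p.subcontractors is None:
            findings.append("subcontracting chain: not mapped")
        if p.exit_plan_last_tested is None or (as_of - p.exit_plan_last_tested).days > YEAR:
            findings.append("exit plan: not tested within the last year")
    return findings


def review_register(register: List[Provider], as_of: date) -> Dict[str, List[str]]:
    """Run the checks over a register; providers with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for p in register:
        found = evidence_findings(p, as_of)
        if found:
            report[p.name] = found
    return report


# Constructed sample register: the first name is the page's own preview example,
# the second provider and every date are invented for this example.
SAMPLE_REGISTER = [
    Provider(
        name="CloudCore Europe B.V.", tier=1, supports_cif=True,
        evidence_dates={
            "security_certification": date(2025, 9, 1),
            "independent_assurance": date(2025, 5, 1),     # older than a year
            "service_level_reporting": date(2026, 5, 15),
            "incident_cooperation": date(2025, 9, 1),
            "subcontracting_disclosure": date(2026, 2, 1),  # older than a quarter
            "exit_readiness": date(2025, 9, 1),
            # business_continuity deliberately absent
        },
        subcontractors=["EdgeNet Datacenters (IE)"],          # constructed
        exit_plan_last_tested=date(2025, 10, 1),
    ),
    Provider(
        name="Ticketing SaaS Ltd", tier=3, supports_cif=False,   # constructed
        evidence_dates={"security_certification": date(2024, 3, 1),
                        "incident_cooperation": date(2026, 1, 10)},
    ),
]

if __name__ == "__main__":
    for name, items in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run as-is it reports three findings for the Tier 1 provider (stale assurance report, stale subcontractor disclosure, no BC/DR evidence) and nothing for the Tier 3 provider, whose old certificate is fine because Tier 3 only requires it at onboarding. The distinction between `subcontractors=None` and `subcontractors=[]` is deliberate: an unmapped chain is a finding, a chain confirmed empty is not.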

A note on timing: there is no single universal EU deadline for firms. NCAs set their own windows — the Central Bank of Ireland, for example, collected 2026 registers between 2 and 31 March 2026 against a 31 December 2025 reference date, so that authorities could forward consolidated registers to the ESAs by 31 March. Confirm your window with your own competent authority.


Legal Basis

  • Article 28(2) — before contracting, assess whether the arrangement covers ICT services supporting a critical or important function, whether supervisory conditions are met, and all relevant risks including concentration risk.
  • Article 28(3) — maintain and update the Register of Information at entity, sub-consolidated, and consolidated levels; report at least yearly on new arrangements; make the register available to the competent authority.
  • Article 28(8) — for CIF services, put in place documented, comprehensive, sufficiently tested and periodically reviewed exit strategies, identify alternative solutions, and develop transition plans for the secure and integral transfer of services and data.
  • Article 29 — preliminary assessment of ICT concentration risk, including risks from long or complex subcontracting chains and third-country subcontractors.
  • Article 30(2) and 30(3) — baseline contractual provisions for all ICT services (30(2)), plus the CIF extras (30(3)): full SLA descriptions with quantitative targets (a), notice and reporting obligations (b), contingency and security requirements (c), TLPT participation (d), ongoing monitoring with access, inspection, and audit rights (e), and exit strategies with a mandatory adequate transition period (f).
  • Commission Implementing Regulation (EU) 2024/2956 (29 November 2024) — the ESAs' ITS establishing the standard Register of Information templates: 15 templates in 8 groups linked by relational keys, submitted to NCAs in the EBA's reporting format.
  • Commission Delegated Regulation (EU) 2025/532 (24 March 2025, in force 22 July 2025) — RTS specifying what financial entities must determine and assess when subcontracting ICT services supporting critical or important functions.
  • EBA Register of Information reporting resources — official data model, validation rules, and data-quality materials.

For the full regulatory picture, see our DORA compliance guide; for why Articles 19, 28, and 30 outgrow a traditional ISMS, see the DORA Article 19, 28 and 30 analysis.


UK, Norway, and the EEA

UK: there is no UK DORA. UK firms operate under the FCA/PRA operational resilience regime (FCA PS21/3 and PRA SS1/21) — important business services, impact tolerances, and scenario testing, fully in force since 31 March 2025 — plus the critical third parties regime under FSMA 2023 (PS16/24, effective January 2025). The UK requires internal mapping and a living self-assessment, but no Register of Information submission. Groups spanning both markets can still use this checklist as the superset: the DORA evidence set covers what UK mapping requires.

Norway / EEA: DORA was incorporated into the EEA Agreement on 20 February 2025, and Norway's DORA Act entered into force on 1 July 2025, replacing the former ICT Regulation (IKT-forskriften) for in-scope entities. Finanstilsynet is the competent authority and collects register information and incident reports — so Norwegian financial entities should treat this checklist exactly as EU peers do, with Finanstilsynet's windows and forms substituted for their NCA's. If you are weighing DORA against NIS2 obligations elsewhere in your group, our DORA vs NIS2 comparison maps the differences.


Keep the Register Continuously Current

A spreadsheet gets you through the first submission. What supervisors increasingly test is whether the register is continuously updated — new subcontractors disclosed, evidence refreshed on cadence, criticality reassessed when functions change. Orbiq's Vendor Assurance Platform automates exactly this layer: structured provider records, evidence collection with expiry tracking, and continuous monitoring of ICT providers' security posture — built for European financial entities, with EU data residency. For the assessment methodology behind the criticality rubric, our vendor risk assessment template is the natural companion. The machine-readable Markdown variant of this checklist is available at /downloads/templates/dora-ict-provider-evidence-checklist.md for AI-agent workflows.


Sources & References

  1. Regulation (EU) 2022/2554 (DORA) — EUR-Lex — Official Journal text; Articles 28, 29, and 30 references
  2. Commission Implementing Regulation (EU) 2024/2956 — EUR-Lex — ITS on the standard templates for the Register of Information
  3. Commission Delegated Regulation (EU) 2025/532 — EUR-Lex — RTS on subcontracting ICT services supporting critical or important functions
  4. EBA — Preparation for DORA application: Register of Information reporting resources — Data model, validation rules, and data-quality materials
  5. EBA — Joint RTS on subcontracting — Status and application date of the subcontracting RTS
  6. Central Bank of Ireland — Reporting of Registers of Information — Example NCA submission window for 2026
  7. FCA PS21/3 — Building Operational Resilience — UK operational resilience regime
  8. Finanstilsynet — Norwegian DORA Act in force 1 July 2025 — Norwegian implementation and competent authority


Frequently Asked Questions

What is the DORA Register of Information?

The Register of Information is the structured register of all contractual arrangements on the use of ICT services that financial entities must maintain under Article 28(3) of Regulation (EU) 2022/2554 (DORA). It must be kept at entity, sub-consolidated, and consolidated levels, distinguish arrangements that support critical or important functions, and be reported to the national competent authority using the standard templates in Commission Implementing Regulation (EU) 2024/2956.

What evidence should financial entities collect from ICT providers under DORA?

It depends on criticality. For ICT services supporting critical or important functions, DORA Article 30(3) requires contractual rights to full service-level reporting, incident cooperation, TLPT participation, ongoing monitoring with audit and inspection rights, and exit support — so entities should collect SLA reports, ISO/IEC 27001 certificates or ISAE assurance reports, resilience test results, subcontracting-chain disclosures, and tested exit plans. For non-critical services, baseline Article 30(2) evidence such as service descriptions, data locations, and security commitments is sufficient.

Is there a single EU deadline for the Register of Information submission in 2026?

No. National competent authorities set their own submission windows for financial entities — for example, the Central Bank of Ireland collected 2026 registers between 2 and 31 March 2026 with a 31 December 2025 reference date. The 31 March date constrains when NCAs forward consolidated registers to the ESAs, not when every firm files. Always confirm the window with your own competent authority.

What must a DORA exit strategy include?

Under Article 28(8), exit strategies for ICT services supporting critical or important functions must be comprehensive, documented, sufficiently tested, and periodically reviewed. They must identify alternative solutions, include transition plans to remove services and data from the provider and transfer them securely to an alternative provider or in-house, and be backed by contingency measures that keep the business running if the provider fails or service quality deteriorates.

Does DORA apply in the UK?

No. The UK has no direct DORA equivalent. UK firms follow the FCA/PRA operational resilience regime (FCA PS21/3 and PRA SS1/21, fully in force since 31 March 2025) built on important business services and impact tolerances, plus the critical third parties regime under FSMA 2023. The UK regime requires internal mapping and self-assessment but no DORA-style Register of Information submission.

Does DORA apply in Norway?

Yes. DORA was incorporated into the EEA Agreement on 20 February 2025, and Norway's national DORA Act (Lov om digital operasjonell motstandsdyktighet i finanssektoren) entered into force on 1 July 2025, replacing the former ICT Regulation for in-scope entities. Finanstilsynet is the competent authority and collects incident reports and register information from Norwegian financial entities.
