If you're grappling with the Digital Operational Resilience Act (DORA) register, you've probably wondered about the financial data requirements. What exactly do you need to report? And how can you make this data collection work smoothly? This article breaks down the specific reporting requirements, explains why they matter, and offers practical advice to help you navigate this compliance step.
Importance of financial data in DORA
The financial data required in the DORA register is critical for understanding your organization’s dependencies on ICT service providers and ensuring regulatory compliance. Accurately reporting this data not only meets obligations but also helps your organization gain insights into its ICT dependencies, manage outsourcing risks, and make informed strategic decisions.
The DORA register requires detailed financial information related to ICT service providers. Here’s a step-by-step guide to gathering and organizing this data effectively.
Step 1: The contract perspective – RT.02.01
The first step is to take the contract perspective. This is based on template RT.02.01, which focuses on individual contractual arrangements. According to the Implementing Technical Standards (Annex I, Part 2), you need to report:
- Annual expense or estimated cost of the contract for the past year (RT.02.01.0050)
- Currency of the amount reported (RT.02.01.0040)
When preparing the register, this means you need a breakdown of annual spend on ICT providers at the contract level. You can search the contract or sales order for pricing or ask a finance colleague for an overview of annual ICT service provider spend, broken down per contract.
Be mindful of the broad definition of an ICT service provider. To avoid missing any, conduct an inventory of in-scope ICT service providers first.
If you have multiple contracts with the same provider, refer to these ITS instructions:
- Total cost alignment: All related arrangements must sum to the total cost of the overarching contract.
- Zero-cost overarching arrangements: If the top-level contract has no cost, report cost at the level of each associated document.
- Unspecified sub-arrangement costs: If you can’t break it down, report total cost under the main contract.
- Costs at multiple levels: Avoid duplication by reporting cost only once per contract structure.
In practice, most contracts are standalone arrangements. Associated documents like DPAs or addenda are usually not treated as separate contracts.
Step 2: The ICT provider perspective – RT.05.01
The second step is to take the ICT provider perspective, based on template RT.05.01. It gives a consolidated view of annual spend per ICT third-party service provider. You must report:
- Total annual expense or estimated cost per provider (RT.05.01.0070)
- Currency of the amount reported (RT.05.01.0060)
This is essentially the sum of contract-level expenses from RT.02.01 per provider. It applies only to external third-party providers — not intra-group ones.
Ensure that totals reconcile between RT.05.01 and RT.02.01. Identify all relevant contracts per provider.
Common pitfalls and how to avoid them
- Inconsistency between views: Reconcile contract-level and provider-level expenses to avoid discrepancies.
- Wrong reporting period: Use the actual or estimated annual cost for the past year.
- Failing to update: This is not a one-time task. Annual updates are required to keep financial data current.
Conclusion and benefits
Financial data in your DORA register isn’t just about compliance — it’s a tool for understanding ICT risk and strategic decision-making. Accurate financial reporting gives clarity into your digital supply chain.
Although gathering and maintaining this data can be challenging, especially across templates, tools designed for DORA compliance can automate data collection, ensure consistency, and simplify your reporting process.
If you want to take the pain out of building and maintaining the DORA register and accelerate your progress:
Reach out for a demo of our prebuilt DORA register
Originally published on DORA Solutions Insights.