Skip to main content
Logo
European Insurance and Occupational Pensions Authority
 

3558 - DORA 294

Q&A

Question ID: 3558 - DORA 294

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: Register of Information (DORA)

Article: 28

Status: Rejected

Date of submission: 28 Apr 2026

Question

Vulnerability assessments are usually one-shot activities that are done "on a project-by-project" basis by changing supplier from time to time and usually have a limited duration of 1 or 2 months. Do these agreements need to be recorded in the Register of Information?

EIOPA answer

This question falls into the category of questions seeking confirmation of a requirement already clearly set out in DORA Art. 3(21) (incl. related guidance in the Commission Implementing Regulation (EU) 2024/2956 with regard to standard templates for the register of information [Annex III] and Q&A DORA030).