Question ID: DORA149 - 3210
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 28
Status: Final
Date of submission: 13 Dec 2024
Question
We were approached by representatives of the major ISPs in AT. They expressed concern about divulging their sub-contractors, as the information is currently not public and could be actionable by potential attackers. Should these sub-contractors indeed be disclosed by the ISPs to a large number of financial undertakings?
Background of the question
The sub-contractors clearly seem to provide DORA-relevant ICT services and therefore, going by DORA Article 28, would need to be included in the registers of information and disclosed to financial undertakings. Some of these sub-providers might also be candidates for designation as CTPP, therefore an inclusion might indeed make sense. However, as the security argument cannot simply be brushed aside without due consideration and the ISPs are critical infrastructure for everyone, not only the financial sector, guidance at European level would be very welcome.
EIOPA answer
The register of information is a document to be maintained by financial entities and includes information on subcontractors when the service they provide effectively underpins ICT services supporting a critical or important function or material parts thereof, in accordance with Article (3)(b) of the Commission Implementing Regulation (EU) 2024/2956.
This information needs to be received and kept by financial entities to ensure their compliance with the obligations of DORA stemming from:
- Article 28(3), Article 29(2) of Level 1
- Article 3(1)(b), (f), (g), (h), (i), Article 4(1) (c) (h) of RTS on subcontracting
- Article 3(2)(b) and 3(6) of the ITS on Register of information (Commission Implementing Regulation (EU) 2024/2956)
Regarding the confidentiality aspect of the RoI, it is moreover crucial and important to note the following elements in relation to the information included in the register of information:
- The register of information is an internal document for the financial entities’ internal ICT risk management and is meant to be kept confidential by the financial entities. The register is meant to be reported to CAs and ESAs as Lead Overseer, who have an obligation of confidentiality;
- The information concerning subcontractors included in template B_5.02 of the register of information includes descriptive information on the subcontractors and their rank.