Automating DORA’s ICT Third-Party Register With Verified EUID Data From EU Business Registers
DORA (EU Regulation 2022/2554) requires financial institutions to maintain a detailed register of all ICT third-party service providers and subcontractors. EU-based ICT providers may be identified using EUID or LEI, while non-EU providers require LEI. Using verified company identity data from official EU business registers enables accurate, automated, and audit-ready DORA registers across borders.
Financial institutions across Europe are operating under full DORA enforcement, and one of the most complex obligations is building and continuously maintaining an accurate ICT third-party register.
The challenge isn’t technology. It’s identification.
DORA requires granular visibility into all ICT providers, but supplier identity data is fragmented, inconsistent, and often outdated. That’s why EUID, derived from the national business registers of EU member states, is becoming essential for accurate, automated register maintenance.
Who is this guide for?
- Compliance officers at EU financial institutions
- ICT risk & operational resilience managers
- Third-party risk and vendor-management teams
- CISOs managing ongoing DORA compliance and annual reporting
This article explains:
- what DORA requires,
- how ICT providers must be identified,
- the legal status of LEI vs EUID in DORA reporting,
- why identity inconsistencies block operational resilience,
- and how automation solves the register challenge.
A dedicated section is reserved for the upcoming G-BRIS DORA API, which will streamline supplier verification workflows.
What Is DORA and Who Does It Apply To?
DORA (EU Regulation 2022/2554) is the EU’s unified framework for digital operational resilience, introduced and overseen by the European Supervisory Authorities (ESAs).
It establishes mandatory requirements for managing ICT risk, overseeing ICT third-party providers, and ensuring continuity during disruptions.
DORA applies to:
- banks and credit institutions
- payment and e-money institutions
- investment firms
- insurance and reinsurance companies
- crypto-asset service providers
- critical ICT third-party service providers
Ongoing compliance requirements
Financial entities submitted their initial ICT third-party registers in April 2025.
From 2026 onwards, updated registers must be submitted annually. Financial entities should confirm the exact submission deadline with their national competent authority, as competent authorities must report aggregated registers to the ESAs by 30 April each year.
Institutions must also maintain their registers continuously, ensuring real-time updates when ICT suppliers, subcontractors, or service classifications change.

DORA’s Requirements for ICT Third-Party Providers
Under Article 28, institutions must maintain a complete, accurate inventory of all ICT third-party arrangements. This includes:
- identification of the ICT provider
- contractual details
- classification of the service
- subcontractor involvement
- criticality assessment
- risk mitigation measures
Why identity creates problems
Even when institutions know their suppliers, they often cannot verify them confidently because:
- names differ across countries
- registry numbers are inconsistent
- companies operate under multiple legal entities
- mergers and acquisitions alter corporate identity
- EU and non-EU suppliers follow different identifier rules
For DORA, inconsistent identity = inaccurate register = audit findings.
How Should ICT Providers Be Identified Under DORA? (LEI vs EUID)
What the law and EC/ESA decisions say:
- EU-based ICT providers may be identified using EUID or LEI
- Non-EU providers must have an LEI
- The European Commission explicitly approved EUID as an accepted identifier for EU companies
- LEI remains preferred for global identification and cross-border consistency
For global identification, the Legal Entity Identifier (LEI) is governed by the Global LEI Foundation (GLEIF).
An LEI must be applied for and renewed annually through an accredited registration authority or registration agent.
In contrast, the EUID already exists automatically for all EU companies as soon as they are registered in their national business register.
Institutions need processes that support both identifiers, depending on the supplier’s jurisdiction.
Why EUID Matters for DORA Compliance
EUID is a standardised, EU-wide corporate identifier derived from each member state’s official business registers. Its structure is documented publicly on EUID.eu, which provides examples of the format and composition.
EUID solves core DORA challenges:
- consistent identification across all EU member states
- tied directly to official national business register data
- eliminates naming inconsistencies
- resolves cross-border ambiguity (“AWS Europe”, “AWS EMEA”, etc.)
- provides a stable identity anchor for automation

Automating the ICT Third-Party Register Using Verified Company Identity Data
Manual DORA registers fail quickly. Most institutions have hundreds of ICT suppliers with complex dependencies. Names change, entities merge, and manual spreadsheets cannot keep up.
Automation resolves the identity problem by:
- verifying each ICT provider’s legal identity
- resolving naming variants
- pulling verified identity data from official EU business registers
- maintaining classification and subcontractor mapping
- reducing audit remediation work
- ensuring consistent register accuracy throughout the year

Automation delivers improvements such as:
- clean supplier lists (no duplicates)
- validated identifiers (registry number, EUID, LEI)
- harmonised cross-country records
- faster audit preparation
- reliable, traceable updates

Introducing the G-BRIS DORA API (Early Preview)
Financial institutions are now looking for a reliable, automated way to link their ICT supplier lists with official business register data. To address this, G-BRIS is releasing a dedicated DORA API, purpose-built for verifying and enriching ICT third-party records with official identifiers such as EUID and LEI.
The G-BRIS DORA API enables financial entities to query registry data in a consistent, structured way — ideal for DORA’s ongoing supplier-register maintenance and annual reporting obligations.
Key features:
- Verified data directly from official business registers. Returns official company names, EUIDs, and registration numbers for all EU suppliers.
- Expanded jurisdictional coverage. In addition to EU registers, the API supports the United States, Australia, and India. Coverage will continue to expand based on beta user feedback and regulatory priorities.
- Dual identifier support (EUID + LEI). Supports both EU-based (EUID) and global (LEI) suppliers, ensuring full regulatory coverage across jurisdictions.
- Flexible query input. Accepts company name, country, registration number, or existing identifiers (EUID, LEI, etc.). If both name and identifier are provided, results are strictly filtered for accuracy.
How the DORA API fits into compliance workflows
The G-BRIS DORA API integrates seamlessly into internal vendor-management or regulatory-reporting systems. By automating supplier identity verification:
- compliance teams can validate every ICT provider continuously,
- operational risk teams get unified supplier data across jurisdictions,
- and annual DORA submissions can be generated directly from verified source data.

Early-access program
The early-preview phase invites regulated institutions to join as beta users, offering direct feedback on API design, data schema, and workflow integration.
Interested participants can contact [email protected] to register for early access.
Conclusion: Verified Identity Is Now the Core of DORA Compliance
DORA requires institutions to understand and continuously monitor their ICT providers. Without verified, consistent identity data, the ICT register becomes unreliable and impossible to maintain manually.
EUID for EU suppliers and LEI for global ones provide the foundation needed to:
- automate supplier verification
- maintain accurate registers
- reduce audit findings
- meet ongoing annual reporting requirements
- support long-term operational resilience
Verified identity data — combined with automated workflows — transforms DORA compliance from a manual burden into a scalable process.
The upcoming G-BRIS DORA API will help institutions achieve this at scale.
If you would like early access to the upcoming G-BRIS DORA API or have technical integration questions, contact us at [email protected].
FAQ: Common Questions About DORA’s ICT Requirements
What is the DORA regulation?
DORA is the Digital Operational Resilience Act (EU Regulation 2022/2554). It sets uniform requirements for how financial institutions manage ICT risk, ensure digital resilience, and oversee external ICT service providers. DORA has been fully enforceable since January 2025 and is now in its ongoing compliance cycle.
Who must comply with DORA?
DORA applies to a wide range of EU financial entities, including banks, payment institutions, investment firms, insurance and reinsurance companies, crypto-asset service providers, and any critical ICT third-party service providers supporting their operations.
What is required in the ICT third-party register?
Institutions must maintain a complete, continuously updated record of all ICT service providers and subcontractors. The register must include provider identity (using LEI or EUID), contractual details, service classification, criticality assessment, subcontractor chains, and relevant operational details, as defined in Article 28 and the related Implementing Technical Standards.
What is an EUID and why is it used?
EUID is the European Unique Identifier, a standardised code derived from national business registers in EU member states. It provides a consistent, verifiable way to identify EU-based ICT service providers and removes naming inconsistencies across borders.
A typical EUID structure is: Country Code + Register ID + Local Company Number (e.g., EE.BR.12345678)
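As an added illustration (not G-BRIS code and not part of the original article), the sketch below checks register rows against the identifier rules described above: EU providers need a valid EUID or LEI, non-EU providers need a valid LEI. It goes beyond the article by verifying the LEI check digits defined in ISO 17442; the dotted EUID pattern is an assumption taken only from the EE.BR.12345678 example, and the row field names are hypothetical.

```python
import re

# EU member states (ISO 3166-1 alpha-2)
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT "
         "NL PL PT RO SK SI ES SE".split())
LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")
# Assumption: dotted shape copied from the page's example (EE.BR.12345678)
EUID_RE = re.compile(r"([A-Z]{2})\.([A-Z0-9]+)\.([A-Z0-9]+)")

def _as_int(s):
    """ISO 7064 mapping: digits stay, A=10 ... Z=35, then read as one integer."""
    return int("".join(str(int(c, 36)) for c in s))

def lei_check_digits(prefix18):
    """Two check digits for an 18-character LEI prefix (ISO 17442, MOD 97-10)."""
    return f"{98 - _as_int(prefix18 + '00') % 97:02d}"

def lei_valid(lei):
    return bool(lei) and bool(LEI_RE.fullmatch(lei)) and _as_int(lei) % 97 == 1

def euid_country(euid):
    """ISO country code of a well-formed EUID with an EU prefix, else None."""
    m = EUID_RE.fullmatch(euid or "")
    cc = m.group(1) if m else None
    cc = "GR" if cc == "EL" else cc  # EU usage writes Greece as EL
    return cc if cc in EU else None

def check_entry(entry):
    """Findings for one register row; an empty list means the row passes."""
    lei, euid, country = entry.get("lei"), entry.get("euid"), entry["country"]
    findings = []
    if lei and not lei_valid(lei):
        findings.append("LEI fails format or checksum")
    if euid and euid_country(euid) != country:
        findings.append("EUID malformed or country prefix mismatch")
    euid_ok = bool(euid) and euid_country(euid) == country
    if country in EU and not (euid_ok or lei_valid(lei)):
        findings.append("EU provider needs a valid EUID or LEI")
    if country not in EU and not lei_valid(lei):
        findings.append("non-EU provider needs a valid LEI")
    return findings

# Constructed sample rows; the LEI prefix is made up, not a real entity.
SAMPLE_LEI = "ZZZZ00EXAMPLE00000" + lei_check_digits("ZZZZ00EXAMPLE00000")
REGISTER = [
    {"name": "Constructed Hosting", "country": "EE", "euid": "EE.BR.12345678"},
    {"name": "Constructed Cloud", "country": "US", "lei": SAMPLE_LEI},
    {"name": "Constructed SaaS", "country": "US", "euid": "EE.BR.12345678"},
]
```

A syntactically valid identifier only proves the value is well-formed; confirming that it belongs to the named supplier still requires a lookup against the issuing register or the LEI database.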
How do I automate DORA compliance?
Automation typically involves using verified identity data (EUID, LEI) and integrating information from official business registers into internal systems. Automated workflows help maintain continuously accurate registers, reduce manual errors, validate supplier identities in real time, and support annual DORA reporting requirements.
Solutions such as the G-BRIS DORA API (coming soon) can streamline this process by providing verified company identity data and automated supplier lookups.
Glossary
DORA: EU digital operational resilience regulation.
EUID: EU-wide company identifier derived from national business registers.
ICT Third-Party Provider: External supplier delivering ICT services.
LEI: Global Legal Entity Identifier.
EU Business Registers: National registries that maintain official legal entity data.