What a WordPress agency supplier must populate to be entered in a DORA Article 28(3) Register of Information at a financial entity.
Last verified: May 1, 2026

#DORA Register of Information for WordPress vendors: required fields

Article 28(3) of Regulation 2022/2554 obliges every financial entity to maintain and update a Register of Information on contractual arrangements with ICT third-party service providers. The Implementing Regulation (EU) 2024/2956 sets the field structure: fifteen tables, each with named columns. A WordPress agency supplying a bank, an insurer, an investment firm or a payment institution lands inside this register and must provide the data, on time, in the right shape.

This is a supporting article inside the NIS2 and DORA on WordPress pillar, with a cross-reference to the DORA Article 28 third-party risk explainer.

#TL;DR

  • Fifteen tables, set by Commission Implementing Regulation 2024/2956.
  • Critical or important function arrangements have extra columns (substitutability, concentration risk, exit plan).
  • Sub-processor chains are transparent up to the level relevant to the financial entity.
  • The agency does not file the Register; the agency feeds it.
  • Most agencies miss four of the fifteen tables on first submission.

#What the financial entity files

Per Article 28(3), each financial entity must report the Register at least annually to its competent authority and the European Supervisory Authority via the joint reporting framework. The 2024 Implementing Regulation defines the schema. The fifteen tables are:

  1. Entity information.
  2. Branch information.
  3. Subsidiary information.
  4. ICT services.
  5. Functions identification.
  6. Contractual arrangements.
  7. Functions of contractual arrangement.
  8. ICT services of contractual arrangement.
  9. Risk of contractual arrangement.
  10. Subcontracting arrangements (sub-processors).
  11. Termination provisions.
  12. Locations.
  13. Persons or bodies responsible.
  14. Critical or important function arrangements.
  15. Concentration arrangements (group-wide third party).

Of these fifteen, a WordPress agency typically appears in tables 4, 6, 8, 9, 10, 11, 12 and 14. Tables 1-3, 5, 7 and 13 belong to the financial entity. Table 15 is rare for a small agency and only appears if the agency has a parent or is a frequent supplier across the entity’s group.

#What the WordPress agency must supply

For each ICT service (table 4) and each contractual arrangement (table 6), the agency must provide the columns the financial entity copies into the Register. A practical, non-exhaustive list:

  • Service description: WordPress hosting, plugin development, headless front-end, support, security audits - itemised, not a single bucket.
  • Provider name and LEI: the agency’s legal entity identifier. A small WordPress agency without an LEI must obtain one before signing the contract.
  • Country of registration and headquarters.
  • Group affiliation: parent, subsidiaries, sister companies if any.
  • Services rendered to the financial entity: which products are touched, with criticality flag.
  • Data processed: customer data, transactional data, employee data, none.
  • Data locations: country and data centre vendor for each storage tier (production, backup, log archive).
  • Sub-processors: every supplier the agency uses to deliver the service (Cloudflare, Sentry, deployment platform, monitoring, AI APIs).
  • Sub-processor jurisdictions: country and applicable law for each sub-processor.

Table 11 (termination provisions) requires the agency to disclose:

  • Notice period for the financial entity.
  • Notice period for the agency.
  • Triggers for early termination by the financial entity.
  • Exit plan: how the financial entity gets data and operations back.

Table 14 (critical or important function arrangements) demands extra evidence if the WordPress service supports a critical or important function: a substitutability assessment, concentration risk, an exit plan with realistic timelines and a regular testing schedule.

#What most WordPress agencies miss

Five recurring gaps from supplier reviews in 2025-2026:

LEI not obtained. A WordPress agency without a Legal Entity Identifier delays the contract and the Register. LEIs cost approximately the price of a domain renewal per year. There is no excuse not to have one when working with regulated finance.

Sub-processor list incomplete. Cloudflare is listed; Sentry is listed; the AI provider for editorial tools, the email-relay vendor, the deployment platform and the off-site backup target are forgotten. The Register fails review and the agency goes back through procurement.

Exit plan is one paragraph. “We will hand over data on request” is not an exit plan. The financial entity needs estimated handover days, format of data delivery, source code repository handover, runbook handover, dependency list and shut-down procedure for accounts. Three pages minimum, ideally a versioned document.

Backup test evidence missing. Article 11 of DORA requires regular testing of operational resilience, including restore. The agency without a quarterly restore log fails the supplier review on the first audit pass.

No critical-function flag judgement. The agency claims “we are not critical” because the WordPress site is “just marketing”. The financial entity’s compliance team disagrees because brand outage damages customer trust. Settle this early in the contract, not during the audit.

#How to prepare for first inclusion

A practical checklist for a WordPress agency entering its first Register:

  1. Obtain an LEI if missing.
  2. Inventory sub-processors, with country and applicable law per provider.
  3. Write a versioned exit plan covering data, code, runbook, accounts.
  4. Document data locations per storage tier and per sub-processor.
  5. Test a full restore from off-site backup; log timestamp, duration and outcome.
  6. Map services rendered to the financial entity’s functions; flag critical or important.
  7. Draft a substitutability statement: which competitors can replace your service, in how many weeks.
  8. Ship a quarterly review cadence: every quarter, refresh the data, sign off, store.

Done before the first contract, this preparation pays back many times over. Done during the first audit, it doubles the engagement cost.

#Frequently Asked Questions

Who maintains the Register of Information?
The financial entity maintains it, not the agency. The agency provides the inputs. The Register is a regulatory deliverable to the European Supervisory Authorities (EBA, EIOPA, ESMA) under DORA Article 28(3).

Which DORA RTS define the field structure?
The Implementing Technical Standards on the Register of Information adopted by the European Commission in 2024 (Commission Implementing Regulation (EU) 2024/2956). Fifteen tables of fields.

Is a WordPress site always considered an ICT service?
Almost always when it supports a financial service or holds financial customer data. A pure brochure site of a bank with no logged-in user flow is borderline; supervisory practice treats it as ICT services anyway because the brand surface is itself critical.

Does the Register apply to small WordPress agencies?
It applies to the financial entity, but every supplier (including small agencies) must provide the data the financial entity needs. A five-person agency is not exempted from supplying jurisdiction, sub-processors and exit plan information.