Post by Complissimo

📌 𝗗𝗢𝗥𝗔 𝗥𝗼𝗜: 𝘁𝗵𝗲 𝗿𝗲𝗴𝗶𝘀𝘁𝗲𝗿 𝗶𝘀 𝘁𝗲𝘀𝘁𝗲𝗱 𝗱𝘂𝗿𝗶𝗻𝗴 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁𝘀 — 𝗻𝗼𝘁 𝗿𝗲𝗽𝗼𝗿𝘁𝗶𝗻𝗴 𝘀𝗲𝗮𝘀𝗼𝗻 The Belgian regulator recently made something clear about the DORA Register of Information (RoI): yes, it’s submitted once per year — but it must reflect reality at all times. That’s easier said than done. The RoI reporting template is extremely intricate because it’s designed for supervisory automation: detecting concentration risk and identifying ICT providers for possible direct oversight. But regulators also insist the RoI should primarily be an internal third-party risk management tool. That’s the contradiction: 📌 a format built for supervision,  📌 incentivising annual “tick-the-box” exports, 📌 while the real expectation is continuous accuracy. And here’s why this matters: regulators have explicitly warned that 𝗶𝗻𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲𝗻𝗲𝘀𝘀 𝗶𝘀 𝗻𝗼𝗻-𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 — 𝗮𝗻𝗱 𝗶𝘁 𝘄𝗶𝗹𝗹 𝗲𝘃𝗲𝗻𝘁𝘂𝗮𝗹𝗹𝘆 𝘀𝘂𝗿𝗳𝗮𝗰𝗲. For example, if a major incident involves a provider missing from your RoI that’s not a minor documentation issue — it’s a direct compliance gap (and can trigger findings, remediation and potentially sanctions). The RoI shouldn’t be a yearly spreadsheet ritual. It should be a living dataset that supports daily risk decisions — and is always submission-ready. ➡️ We unpack this contradiction — and what a ‘continuous RoI’ approach looks like — in a short article on our website (link in comments below). 👉 How are you keeping your RoI accurate throughout the year? #DORA #ThirdPartyRisk #ICTRisk #OperationalResilience #RegTech #Complissimo