As the deadline for the EU’s DORA compliance (Digital Operational Resilience Act) approaches, financial institutions across Europe are submitting their first-ever Register of Information – a comprehensive list of all ICT third-party service providers and dependencies. From Ireland to Malta, national regulators have begun collecting this data in April 2025, setting in motion one of the most significant shifts in fintech regulatory compliance in recent years.
At a recent industry conference in Riga, Olegs Cernisevs, Chief Technology Officer at Blackcatcard, delivered a keynote addressing the strategic and technical challenges companies face when compiling this mandatory register – a central component of Fintech regulation EU.
“This is the first time we’re all doing this. And most companies are realizing: it’s not just about listing vendors. It’s about understanding your entire digital ecosystem – and being able to explain it to your regulator,” said Cernisevs.
The misunderstood backbone of DORA
The Register of Information is one of DORA’s most foundational requirements. But many institutions misunderstood its purpose at first.
“It’s not about registering ‘information’ — it’s about identifying and classifying every ICT supplier, even subcontractors and foreign parent entities. It forces companies to answer hard questions: Who do we depend on? Could we continue without them? What’s our exit strategy?” explained Cernisevs.
With his background at PrivatBank, First Swiss Card, and the Association of Commercial Banks of Latvia, Cernisevs brings a rare blend of technical depth and regulatory fluency. In 2023, he received the PayTech Leadership Award for his contributions to fintech innovation.
Cross-functional responsibility is key
One of the biggest mistakes companies make, he warned, is assigning responsibility for DORA compliance to a single team — usually Compliance or IT.
“Compliance knows the rules, but not the systems. IT knows the architecture, but not the risks. And Risk alone can’t interpret the tech stack. DORA requires all three departments to collaborate. There’s no workaround.”
He urged firms not to overcomplicate the process with expensive vendor tools: “Start with Excel if needed. The real value is in understanding — not automation.”
More than a report – it’s a mindset shift
Cernisevs emphasized that the Register is not a one-off submission. It’s a living document that must be maintained and used in risk assessments, exit planning, and business continuity testing.
“This register isn’t a document. It’s a diagnostic tool. You need to know who your suppliers are, what technologies they support, and how dependent you are on them – because the regulators certainly will.”
He also noted that companies need to understand the DORA Register requirements in detail, including how to track subcontractors, assess criticality, and maintain real-time accuracy.
He compared the shift to the early days of AML regulation. “At first, it seemed distant. Then one day, board members were expected to know how it all works. The same is now happening with cybersecurity. DORA is not just about IT – it’s about leadership readiness.”
About Blackcatcard
Blackcatcard, powered by Papaya Ltd., is a European fintech brand. It provides financial services for individuals and corporate customers, such as mobile and online banking with a personal European IBAN account, virtual and plastic payment cards, free intrabank money transfers, SEPA payments, cashback and bonuses*, and an integrated сrypto exchange** with custodial crypto wallets.
Papaya Ltd. is a fintech institution registered and headquartered in Malta. Registration number C55146. You can get more information about terms and conditions on the website blackcatcard.com. *The bonus payment is a part of the loyalty program provided by Baltic Technology Solutions OU. Detailed terms and conditions can be found here. **An integrated custodial crypto wallet and the crypto exchange are provided by the partner Manerio UAB. Find more information at maner.io.
