The DORA information register goes beyond traditional outsourcing registers, as it must additionally include structured data on ICT services, third parties, and critical functions—often in predefined tables (15-table model)—and is specifically designed for use by supervisory authorities and ESAs.
Yes, as a modern cloud platform, Leno allows for No-Code configuration. The solution is highly scalable and can be flexibly adapted to your internal structures, processes, and permission sets without any programming effort.
Leno eliminates manual errors through high-level automation and integrated AI. Structured workflows and built-in regulatory expertise replace tedious email-based coordination and static lists with a modern, digital process.
Yes, Leno eliminates fragmented data silos by seamlessly linking vendors directly to their corresponding contracts, risks, and mitigation measures. This seamless integration prevents redundant data entry and ensures full transparency.
Leno is a modular GRC platform designed to digitalize and automate Governance, Risk & Compliance. It serves as a central hub for Third-Party Risk Management (TPRM), Contract Lifecycle Management (CLM), Information Security (ISM), and BCM.
An outsourcing register or vendor repository is a structured overview of all outsourcing arrangements of a financial institution. It ensures transparency towards supervisory authorities and auditors and provides a reliable basis for identifying and managing concentration risks, including at EU level.
Thanks to pre-defined GRC templates and expert onboarding support, you can achieve a rapid "Go-Live". We guide you from initial data migration to full production to ensure a smooth transition.
The information register is a DORA-mandated register that contains detailed information on ICT services, ICT third-party providers, and critical functions across 15 tables. It allows supervisory authorities to gain a quick, consistent overview of an institution's ICT landscape, as well as concentration risks and dependencies at the EU level.
Yes, Leno supports English and German as standard. Additional languages for international GRC teams can be added upon request to support your global compliance operations.
Security is ensured through Single Sign-On (SSO) and role-based access control (RBAC). Leno provides hosting and support directly from Germany, adhering to the highest security standards and architectural requirements.
Leno generates outsourcing and information registers automatically based on a central, integrated data source. Information on outsourcing, ICT services, third parties, risks, and contracts is recorded once in a structured manner and then transferred in real time to the respective registers. Changes—such as updates to service providers, services, risk classifications, or approvals—are immediately applied and are visible in the outsourcing and information registers without manual maintenance.
Leno is modular and fully integrated. We offer specialized modules: Leno TPRM (Third-Party Risk & Outsourcing), Leno CLM (Contract Management), and Leno ISM (Information Security & BCM). All modules work together to form a holistic GRC ecosystem.
Leno provides the register at any time in an audit-proof, consistent, and traceable manner as of a given date. Data states, changes, and histories can be made available at the push of a button - without manual preparation.
Under DORA, financial institutions are required to maintain an information register as soon as they enter into contractual arrangements for the use of ICT services with third-party providers. This register must be kept up to date on an ongoing basis and submitted to the competent supervisory authorities at least once a year or made available upon request.
The information register must include detailed information on ICT service providers and their respective contracts, including service identification, contract details, supported functions, classification as critical or non-critical, information on risks, and any subcontractors.
Yes. Financial institutions must provide the register in full to the competent supervisory authority upon request and, in many jurisdictions, submit it annually. This includes information on new contracts, categories of service providers, and the type of ICT services provided.
The register serves internal ICT risk management but is also used externally by supervisory authorities to monitor systemic risks and support the identification of critical ICT third-party providers at the EU level.
This depends on the criticality of the supported function. If an ICT service does not support a critical or important function of the financial institution, generally only the ICT third-party provider in a direct contractual relationship with the financial institution (Tier 1) needs to be recorded. Subcontractors at downstream levels do not need to be listed in this case.
Yes, intra-group ICT services must also be recorded in the information register. DORA generally does not distinguish between external and intra-group ICT providers. What matters is that an ICT service is provided to a financial institution and may impact its ICT resilience. An exception exists for the use of intra-group ICT providers, where additional information may be required, particularly to map ICT service chains. The relevant requirements are outlined in Commission Implementing Regulation (EU) 2024/2956, Annex I, Part 2, including the specifications for completing Template B_05.02.
Our TPRM and outsourcing management software enables compliant, transparent, and efficient lifecycle management of outsourcing arrangements, ICT services, and onward outsourcing in accordance with DORA, EBA Guidelines, and MaRisk. AI-driven automation delivers excellent usability, high data quality, and complete audit readiness.
Our AI-powered, user-friendly, and automated software for contract lifecycle management (CLM) provides a dynamic hierarchical representation of all contract documents, continuous compliance with regulatory requirements, and transparent search and filter functions, including approval workflows and deadline monitoring.
Map a complete information ecosystem and connect all assets in real time. Our information security and Business Continuity Management (BCM) software enables you to conduct protection needs analyses, business impact analyses, and risk assessments, forming a fully integrated information risk management and BCM system.