.svg)
As provided in Article 28(3) of Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA), as part of a financial entity's ICT risk management framework, they must maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information (ROI) in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Furthermore, these reports must be submitted, at least yearly, to the competent authorities.
The European Supervisory Authorities (ESAs) have provided resources to assist financial entities with the reporting of such registers. As a baseline, Commission Implementing Regulation (EU) 2024/2956 provides implementing technical standards (ITS) with regard to standard templates for the register of information. That regulation specifies:
- Financial entities must assign a rank to each ICT third-party service provider. The rank must be any natural number higher or equal to “1” where the lower the natural number assigned to the rank, the closer the arrangement is to the financial entity (see Article 2).
- The register should include all of the following information:
- The relevant information in relation to all the ICT services provided by direct ICT third-party providers.
- Information on all subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof.
- Specific information which must be included in the register, in accordance with the instructions set out in Annex I:
- General information on the financial entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level, respectively, as specified in template B_01.01 of Annex I.
- General information on the entities in the consolidation as specified in template B_01.02 of Annex I.
- Identification of the branches of financial entities located outside the home country listed in template B_01.02, where applicable, as specified in template B_01.03 of Annex I.
- General information on the contractual arrangements as specified in template B_02.01 of Annex I.
- Specific information on the contractual arrangements as specified in template B_02.02 of Annex I.
- Information on the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain is intra-group as specified in template B_02.03 of Annex I.
- Information on the entities signing the contractual arrangements with the direct ICT third-party service providers for receiving ICT services or on behalf of the entities using the ICT services as specified in template B_03.01 of Annex I.
- Identification of the ICT third-party service providers signing the contractual arrangements for providing ICT services as specified in template B_03.02 of Annex I.
- Identification of the entities signing the contractual arrangements for providing ICT services to other entities in the consolidation as specified in template B_03.03 of Annex I.
- Information on the entities making use of the ICT services provided by the ICT third-party service providers as specified in template B_04.01 of Annex I.
- Information on the direct ICT third-party service providers and subcontractors, as specified in template B_05.01 of Annex I.
- Information on the ICT service supply chain, as specified in template B_05.02 of Annex I.
- Information on the identification of functions as specified in template B_06.01 of Annex I.
- Information on the assessment of the ICT services provided by ICT third-party service providers supporting a critical or important function or material parts thereof as specified in template B_07.01 of Annex I.
- Information on the terminology used by financial entities and the terms included in the closed lists and classification systems used when filling in the templates as specified in template B_99.01 of Annex I.
Furthermore, the regulation provides several annexes:
- Annex I – instructions for completing the register of information.
- Annex II – a list of activities by entity type.
- Annex III – the types of ICT services.
- Annex IV – instructions to report the value of total assets.
In 2026, regulators are making it clear that the implementation grace period is over. For example, the Central Bank of Ireland has explicitly stated that “all firms should, by now, have a good understanding of the requirements ... steps taken to address any gaps in firms’ existing frameworks, policies, and processes should be substantially complete at this stage”.
Furthermore, the threshold for data quality has been raised. Luxembourg’s Commission de Surveillance du Secteur Financier (CSSF) recently noted that although ESA validation checks remain fundamentally unchanged, they will be applied to a much broader range of data fields this cycle. The CSSF warned that registers deemed acceptable last year may face outright rejection this year. Equally, Germany’s Federal Financial Supervisory Authority (BaFin) has stated that high data quality, particularly regarding the accuracy and completeness of the information, is expected.
Compounding the pressure of this heightened scrutiny is the reality that many of the compliance hurdles from 2025 remain unresolved. As outlined in the section below, competent authorities are still notably misaligned regarding submission deadlines, mandated file formats and the availability of clear guidance. Additionally, the ROI review processes remain opaque, with some authorities detailing their approach while others provide little to no transparency.
Given the fragmented landscape and the imminent threat of enforcement actions, early submission of the ROI is a critical operational necessity this year.
EU-Level Resources
In addition to the implementing regulation, the European Banking Authority (EBA) has provided several resources to help in the reporting process:
|
Item |
Description |
|
ESAs’ Decision on reporting of information for CTPP designation |
The decision outlines information that the ESAs need to receive from competent authorities to identify and designate critical ICT third-party service providers. It outlines:
Reporting timelines Competent authorities must submit the information in accordance with the following:
|
|
This document outlines the technical requirements for completion of the register. |
|
|
This package includes: |
|
|
This Excel file provides a list of all values for the register of information. |
|
|
Overview of technical checks, validation rules and other checks to be applied by the EBA |
This Excel file provides an overview of the checks that the European Banking Authority (EBA) will perform after receiving the register from the competent authority. |
|
An explanation of possible feedback received after register validations are completed. The checks include:
|
|
|
Slides which provide an overview of the most common issues identified to date in the reporting of the registers of information and provide explanations of the most common errors. |
|
|
This document provides answers to the frequently asked questions about the preparation and the reporting of the registers of information of contractual arrangements with the ICT third-party providers that financial entities need to maintain in accordance with Article 28(3) of Regulation (EU) 2022/2554. This includes:
|
Member State Level Information
While the ESAs, and particularly the EBA, have provided an abundance of information, as the registers of information must, generally, be submitted to national competent authorities, the timeline, submission format and review process can vary. Certain authorities also provide additional guidance on the submission of the register and the use of their submission platform. The following section therefore provides an overview of jurisdictional specific practices in a range of European jurisdictions.
|
Country |
Submission timeline |
Submission practices |
Review process |
Additional guidance |
|
Germany |
Entities can submit their registers from March 9, 2026 to March 30, 2026. |
Submissions must be made via the Federal Financial Supervisory’s (BaFin) MVP portal. For the format of the submissions, financial entities must use one of the following:
The registers must use the reference date of December 31, 2025. In addition, BaFin has made available a testing platform for financial entities to prepare for the 2026 submissions. |
Following the submission of the register, financial institutions will receive an error report. Any errors highlighted in that report must be promptly corrected and the register must be resubmitted. The register will only be considered to be submitted in accordance with the requirements once it has also been successfully submitted in accordance with the ESA’s validation rules. |
Instructions for the Excel template Example of completed Excel template |
|
Luxembourg |
Entities can submit their register from February 11, 2026 to March 31, 2026. |
Submissions must be made via eDesk. The Commission de Surveillance du Secteur Financier (CSSF) has also confirmed that, following Q&A 102, published by EIOPA, third country branches of financial entities subject to DORA, and under the supervision of the CSSF, must submit the ROI to the CSSF. For the 2026 submission, the reference date of the register is set to December 31, 2025. To upload the ROI via the eDesk portal, the legal entity identifier (LEI) of the financial entity must be communicated to the CSSF beforehand. Additionally, the role “DORA reporting” must be assigned by a financial entity to at least one specific employee. The register must be submitted in plain CSV. format, enclosed in a zip file following a predefined folder structure and file naming convention, as defined by the ESAs. For any queries relating to the content of the register or errors related to its submission, the CSSF invites entities to contact ictrisksupervision@cssf.lu. |
Submitted registers will be subjected to validation checks by the CSSF. Where errors are detected, the submitted financial entity will be invited to correct and resubmit their register before March 31, 2026. Accepted registers may be submitted on request to the ESAs who will perform additional validation checks. Should the ESAs detect additional errors, the submitting entity must correct and resubmit the register via the eDesk portal. |
CSSF guide concerning the submission of DORA register of information CSSF guide for the interpretation and resolution of error messages CSSF guide for the interpretation and resolution of CSSF error messages |
|
Ireland |
Entities can submit their register from March 1, 2026 to March 31, 2026. |
Submissions must be made through the Central Bank of Ireland’s (CBI) portal. However, the CBI has stressed that it is aware that the register may fail to upload successfully if key preparation steps are not followed. The CBI has enhanced the error messaging on its portal. Once the register passes basic structure checks, multiple errors will be displayed at once. Financial entities must submit the file in the XBRL OIM-CSV format. When the file has been fully prepared, it should be saved as a .zip file. Note: The CBI has explained that the EBA announced, in the week commencing February 16, 2026, that there will be an additional review step to be performed on the content of the data submitted in the registers for the upcoming submission. This step is to address issues that are uncovered in terms of the quality of the data content within the files. Vixio has, however, been unable to find information relating to this from the EBA directly. |
The CBI has not provided any information on its review processes. |
Guide to Submitting DORA Registers of Information on the Central Bank of Ireland Portal |
|
Malta |
Entities can submit their register between January 1, 2026 and March 21, 2026. |
Submissions must be made through the Malta Financial Services Authority (MFSA) LH portal. Access to the dedicated submission page requires a PH portal account linked to an authorised person. Failure to submit a fully validated and DORA compliant register with final acceptance confirmed on the LH portal by March 21, 2026 may result in regulatory action. Financial entities are expected to upload one zip file which contains three files. The individual files should be in the CSV format except for a single report.json file. |
A register submission is only considered to be DORA compliant once it attains the status of accepted on the LH portal. If the status shows rejected, the authorised person should review the feedback provided in the portal or email and address the identified issues. |
|
|
Poland - Not provided an update since 2025 |
In 2025, financial entities had until April 28, 2025 to submit their registers of information. Entities could, therefore,expect a similar deadline for 2026. |
For 2025, submission was expected to be made through the Polish Financial Supervisory Authority’s (KNF) DORA reporting system (SSD) using the SPR-PF-18 form. The register must contain current data as of March 31, 2025. |
The KNF will forward the obtained reporting files to the EBA for validation. Should errors be discovered by the EBA, the KNF will contact the financial entity in question. |
KNF position on DORA regulation KNF guidance on DORA reporting obligations Additional guidance is available on the SSD platform. |
|
Italy |
Entities must submit their register by March 15, 2026. |
Submissions must be made through the Bank of Italy’s (BoI) INFOSTAT1 platform. The register must have a reference date of December 31, 2025. |
The BoI will conduct data quality checks. If anomalies are found, the BoI will ask financial entities to correct the errors and proceed with a new submission. |
|
|
Finland |
Deadline passed – Entities must submit their register by March 2, 2026. |
Submissions must be made via the Finnish Financial Supervisory Authority’s (FSA) reporting portal. |
To the best of Vixio’s knowledge, the FSA has not provided any information on the review process. |
|
|
Cyprus |
Deadline passed – Entities must submit their register by February 28, 2026. |
Submissions must be made through the Cyprus Securities and Exchange Commission (CySEC) XBRL portal. The formally available Build in Excel file submission option is no longer available. Entities must submit the register in the XBRL-CSV format. Additionally, entities must use XBRL compatible software that supports mapping and validation against EBA rules and enables the generation of fully compliant XBRL files. The XBRL files shall be compressed (zipped). |
To the best of Vixio’s knowledge, CySEC has not provided any information on the review process. |
To the best of Vixio’s knowledge, Cyprus has not published a dedicated DORA guide. |
In addition to the above, DORA contains several empowerments for the European Commission to develop draft delegated and implementing acts, as well as guidelines. For more information, see Mapping EU Legislation: Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) (FS) (PC).
