Under Article 28 of DORA, every financial entity must maintain a comprehensive register documenting all contractual arrangements with ICT third-party service providers. National competent authorities consolidate these registers and submit them to the ESAs by 31 March each year.

Why the Register Matters

The Register of Information (RoI) is not just a compliance checkbox. It is the primary tool regulators use to map digital dependencies across the European financial system, identify concentration risks, and designate Critical Third-Party Providers (CTPPs).

In a Deloitte survey, 46% of institutions identified the RoI as the single most challenging DORA requirement to fulfil.

Key Deadlines by Country

  • Netherlands (DNB): Financial entities must report by 20 March 2026
  • Austria (FMA): Submission window 16 February to 13 March 2026
  • Luxembourg (CAA): Deadline set for 1 March 2026 for insurers
  • All jurisdictions: ESA consolidation deadline is 31 March 2026

What Must Be Included

The register must be submitted as an xBRL-CSV file with a table-oriented layout. It must cover:

  • All contracts with ICT third-party service providers
  • For critical or important functions: the full subcontracting chain
  • Service descriptions, locations, and data processing details
  • Risk assessments and exit strategy documentation
  • Audit rights and incident reporting obligations

2026 Simplified Scope

Good news: in 2026, the exercise has a more limited scope compared to the initial 2025 submission. Only a subset of companies will need to submit full data. If nothing has changed since last year, entities can confirm that the situation remains unchanged.

However, regulators are now using automated cross-referencing tools to validate submissions. Inconsistencies between entities reporting on the same provider will be flagged immediately.

Common Pitfalls

  1. Incomplete subcontractor mapping — you must trace the full chain
  2. Inconsistent provider identification — use LEI codes where available
  3. Missing exit strategies — every critical contract needs one
  4. Late submissions — automated systems flag delays instantly