What the Register of Information is, its legal basis (Article 28(3) + ITS 2024/2956), the 15 templates, the xBRL-CSV format, the Q1 2026 deadlines, and the mistakes that got submissions rejected in 2025 — a complete reference for EU financial entities.
Financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. They shall report at least yearly to the competent authorities the information on that register, and make it available to the competent authority upon its request. — Regulation (EU) 2022/2554 (DORA), Article 28(3), paraphrased. Template & format: Commission Implementing Regulation (EU) 2024/2956.
The Register of Information (RoI) is the single most operationally demanding deliverable in DORA's third-party chapter — a Deloitte survey found that 46% of financial entities rated it the hardest DORA requirement to satisfy. It is not a document; it is a machine-readable relational dataset that maps every ICT contractual arrangement your entity holds, who provides it, what it supports, and where the dependency chain leads.
Supervisors care about it for one reason: the RoI is the primary data source the European Supervisory Authorities (EBA, EIOPA, ESMA) use to designate Critical ICT Third-Party Providers (CTPPs) and to map systemic concentration risk across the EU financial system. Aggregated 2025 register data directly fed the designation of 19 CTPPs in November 2025.
The RoI serves four regulatory purposes that all cascade from the same dataset:
ITS (EU) 2024/2956 defines 15 inter-linked templates. They are not independent spreadsheets — they form a relational model where a change in one table propagates expectations into the others. That relational integrity is exactly what makes automated supervisory cross-checking possible, and why incomplete submissions are easy to detect. The templates group into six layers:
The entities maintaining the register and their branch information.
Third-party ICT service providers and intra-group ICT providers.
Contractual arrangements (one record per contract), annual costs, and exit strategies.
ICT services received per contract and their service-level objectives.
Functions supported (with CIF classification), ICT assets, and data classification.
Sub-contractors of critical/important arrangements and the sub-contracting chain.
Each submission is an xBRL-CSV report package containing a metadata JSON file (report-package.json), one CSV file per template named to ESA conventions, and references to the published ESA taxonomy. Coded fields will not accept free text — you must use:
Each financial entity submits its register to its national competent authority (NCA) by the national deadline; the NCA then consolidates and submits to the ESAs by 30 April. The first cycle's entity deadline was 30 April 2025. For the second annual cycle, most authorities set the entity deadline at the end of Q1 2026:
| Jurisdiction | Authority | Entity deadline |
|---|---|---|
| Netherlands | DNB | 22 March 2026 |
| Germany | BaFin | 31 March 2026 |
| France | ACPR / AMF | 31 March 2026 |
| Belgium | NBB / FSMA | 31 March 2026 |
| Ireland | CBI | 31 March 2026 |
| Luxembourg | CSSF | 31 March 2026 |
| Italy | Banca d'Italia / IVASS | 31 March 2026 |
| Spain | BdE / CNMV | 31 March 2026 |
| ESAs (consolidation) | EBA / EIOPA / ESMA | 30 April 2026 |
Always confirm your own NCA's exact date and channel. Deadlines and submission portals are set nationally and can differ from the dates above. The 2026 cycle is more proportionate than 2025: a subset of entities must submit full data, while entities with no material change can confirm their situation is unchanged — subject to NCA instructions.
List every contract for the use of ICT services, including intra-group arrangements. The golden rule: one register record per distinct contractual arrangement, never aggregated by provider.
Every legal entity and provider needs a valid 20-character LEI. Missing or invalid LEIs were behind roughly one third of the issues flagged in the 2025 cycle.
Tag each ICT service with whether it supports a Critical or Important Function (CIF). This single flag drives contractual obligations, sub-outsourcing rules and oversight intensity.
Document the full chain of sub-contractors for critical/important arrangements — empty sub-outsourcing templates for large cloud providers are an immediate red flag.
Fill all six layers using ESA controlled vocabularies. Keep reference dates consistent across templates — date mismatches were a common 2025 rejection cause.
Assemble the report package, validate it against the ESA taxonomy, and submit through your NCA portal before the deadline.
Supervisors reported that, in the first cycle, 35–50% of contracts in the majority of banks had at least one mandatory field missing or invalid. The recurring failure modes were:
For the 2026 cycle, NCAs run automated cross-referencing: inconsistencies between two entities reporting on the same provider, providers absent from registers, or sub-outsourcing chains that "don't exist" for major cloud providers are flagged immediately, with supervisory follow-up likely.
The register is the funnel into the EU oversight framework. The ESAs aggregate register data, identify providers that meet the Article 31 criticality criteria, and designate them as Critical ICT Third-Party Providers. In November 2025, 19 providers were designated, each assigned a Lead Overseer (EBA, EIOPA or ESMA). Designated CTPPs must report major ICT incidents to their Lead Overseer within 2 hours and can face periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance (Article 35(6)).
If one of the 19 CTPPs appears in your register, you must: verify your contracts carry the mandatory Article 30 clauses, tag the concentration risk explicitly, keep a tested exit strategy, and report the relationship to your management body. See the full list and what it means in our CTPP designations guide and the third-party risk pillar.
A free interactive tool that surfaces concentration risk, missing clauses and CIF-flag gaps before your supervisor does.
Open the Third-Party Risk ScorerTake our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.