DORA Register of Information: let’s review and convert!

With the entry into force of the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554) on 17 January 2025, financial institutions are required to maintain an up-to-date and complete Register of Information. This register records information on all ICT contractual arrangements and ICT third-party service providers (ICT TPPs). The register must be reported annually to the competent authority.

Both the AFM and DNB have issued information requests requiring submission of the Register of Information. For institutions under AFM supervision, the submission deadline is Wednesday 22 March 2026, with a reference date of 31 December 2025. For institutions under DNB supervision, the deadline is Friday 20 March 2026, also with a reference date of 31 December 2025.

Where institutions previously submitted the AFM Excel template, the AFM now requires submission in accordance with the European reporting requirements in xBRL-CSV format. DNB continues to allow submission via its Excel template.

In practice, institutions are currently facing two key challenges:

1. How do I ensure that my Register of Information is substantively complete and internally consistent?
2. For AFM-licensed institutions: how do I ensure that the Register technically complies with the new xBRL-CSV format?

In this article, we explain how you can efficiently update your Register of Information, which fields require particular attention, and how Projective Group can support you in converting your register into the required xBRL-CSV format. References to tabs and columns relate to the AFM Excel template made available in 2025.

Starting point: critical or important functions

Relevant tab:
• B_06.01 – Function identification

A logical starting point when updating the Register of Information is the classification of business functions as critical or important functions. This classification has implications across several other tabs.

For example, in tab B_05.02, you must include material ICT subcontractors supporting a critical or important function. In tab B_07.01, you must complete additional information on ICT third-party service providers supporting such functions.

Practical tip:
Based on our experience, this classification should be integrated into the Business Impact Analysis (Article 11(5) DORA). This ensures alignment between your DORA framework, contractual arrangements and the Register of Information.

Which fields require additional attention?

• 0070: Verify when the assessment of whether a function is critical or important was last performed.
• 0080, 0090 and 0100: Confirm that the recovery objectives (Recovery Time Objective and Recovery Point Objective) and the impact of disruption remain aligned with:
  • the outcomes of the Business Impact Analysis (BIA);
  • contractual arrangements with ICT third-party service providers (in particular SLAs).
• Completeness of functions: Confirm that all relevant business functions are included and assess whether any changes have occurred during the past year.

ICT contractual arrangements and ICT services

Relevant tabs:

• B_02.01 – Contractual arrangements, general information
• B_02.02 – Contractual arrangements, specific information
• B_02.03 – Intra-group contractual arrangements (intra-group sourcing)
• B_03.01 – Financial entities signing the ICT contractual arrangements
• B_03.02 – ICT third-party service providers signing the ICT contractual arrangements
• B_04.01 – Financial entities using the ICT services

After updating the classification of business functions, ICT contractual arrangements can be revised in the relevant tabs.

A key point of attention is the consistent use of the contract reference number across all tabs. Inconsistent use of reference numbers is one of the most common errors identified in Registers of Information.

You should also conduct a completeness and currency check, including:

• Updating contract start and end dates
• Updating costs for the previous reporting period
• Including newly contracted ICT third-party service providers

Specific attention for tab B_02.02

Tab B_02.02 captures additional information about ICT contractual arrangements and the ICT services covered by those arrangements. When updating this tab, ensure alignment with:

• The classification of critical or important functions (tab B_06.01)
• The outcomes of the Business Impact Analysis

For ICT services supporting a critical or important function, particular attention should be given to:

• “Location of the data at rest (storage)”
• “Location of management of the data (processing)”
• “Country of provision of the ICT services”
• Fields 0100, 0110, 0120, 0140, 0170 and 0180

Where a single contract covers multiple services, these fields only need to be completed for services supporting critical or important functions.

Content validation

When submitting the Register of Information, the competent authority validates the technical format of the fields. However, a qualitative internal consistency check is equally important to ensure reliability.

For example, if field 0140 indicates that data is stored as part of the ICT service, the following fields must also be completed:

• “Location of the data at rest (storage)”
• 0170 – “Sensitiveness of the data stored by the ICT third-party service provider”

ICT third-party service providers and the ICT services chain

Relevant tabs:

• B_05.01
• B_05.02
• B_07.01 (for ICT TPPs supporting critical or important functions)

After updating contractual arrangements, information relating to ICT third-party service providers can be revised. A practical approach is to use tab B_05.01 as a single source of truth for identification data.

This ensures consistent use of identification codes such as LEI and EUID throughout the Register of Information. Inconsistent use of identification codes remains a frequent reporting error.

LEI code

If an ICT third-party service provider delivers services from within the EU, the identification code (tab B_02.02, column E) does not necessarily need to be an LEI. The European Unique Identifier (EUID) may also be used, retrievable via the relevant business register.

Use of a national company registration number alone is permitted only for an individual acting in a professional capacity. In such cases, a VAT number, passport number or national identity card number may suffice.

For legal entities established outside the Union, an LEI code is mandatory.

ICT services chain

Tab B_05.02 provides insight into the ICT third-party services chain and potential concentration risks.

Verify that:

• All direct ICT third-party service providers are included
• Material ICT subcontractors are included for critical or important functions

In the case of intra-group outsourcing, the first subcontractor outside of the group must always be included, regardless of classification.

Critical ICT third-party service providers (Tab B_07.01)

Tab B_07.01 contains fields that must align with the periodic risk assessment of ICT third-party service providers and the outcomes of the Business Impact Analysis. The competent authority will assess not only the correctness of completion, but also the internal consistency and alignment with your risk assessment framework.

The following columns are particularly relevant:

• 0050: What is the degree of substitutability of the ICT third-party service provider?
• 0070: When was the most recent audit of the ICT third-party service provider conducted?
• 0080: Do you have an up-to-date exit plan?
• 0090: Can the ICT services be brought back in-house (insourced)?
• 0100: What would be the impact in case of disruption or termination of the ICT service?
• 0110: Are alternative providers available to deliver the ICT services?

When updating this tab, it is essential to assess whether the responses logically align and reflect the actual risk profile.

Administrative update

Once the Register of Information has been updated with business functions, ICT contractual arrangements, ICT services, ICT third-party service providers and the ICT services chain, the following administrative updates must be completed:

• Header: “end of reporting period” → 31-12-2025
• B_01.01: “date of reporting” → submission date
• B_01.02: “date of last update” → date of most recent amendment
• B_01.02: “value of total assets of the financial entity” → value as at 31-12-2025 or latest approved annual accounts

If you are uncertain about specific fields, Annex I of Commission Implementing Regulation (EU) 2024/2956 provides detailed field-level guidance.

Finally: conversion from Excel to xBRL-CSV

If you use the AFM Excel template from 2025, we can convert it into the required xBRL-CSV format. Our conversion tool incorporates the validation rules published by the EBA. Where errors or warnings arise, we provide concrete remediation guidance.

You will receive a ZIP file containing the correct structure and files required for submission to the AFM.

For further information, please refer to our previous article or contact us.