DORA's First Real Test: Register of Information Due March 2026
DORA has been applicable since January 2025, but March 2026 marks its first major operational test. Financial institutions across the EU must submit their Register of Information (ROI) to national supervisory authorities by March 20, 2026. This isn’t a future deadline — it’s happening now.
What Is the Register of Information?
Under DORA Article 28(3), financial entities must maintain a register documenting all contractual arrangements for ICT services provided by third-party providers. This register must be reported annually to national competent authorities, who then provide aggregated data to the European Supervisory Authorities (ESAs) to support the designation of critical ICT third-party service providers.
In plain terms: regulators want to see exactly which technology vendors your financial institution depends on, and how.
March 2026 Deadlines
| Country | Authority | Submission Deadline |
|---|---|---|
| Netherlands | DNB (De Nederlandsche Bank) | March 20, 2026 |
| Netherlands | AFM (Financial Markets Authority) | March 22, 2026 |
| Malta | MFSA | Q1 2026 |
| Belgium | NBB | Q1 2026 |
| Germany | BaFin | Q1 2026 |
| Luxembourg | CSSF | Q1 2026 |
| Austria/Liechtenstein | FMA | Q1 2026 |
| Croatia | HANFA | Q1 2026 |
All data must reflect the status as of December 31, 2025.
What Must Be Reported
The Register of Information must document every ICT third-party service provider arrangement, including:
- Provider identification — legal name, LEI, country of establishment
- Service details — what ICT services are provided, whether they support critical or important functions
- Contractual terms — start date, duration, notice period, termination conditions
- Data location — where data is stored and processed
- Subcontracting chains — which subcontractors are involved and their details
- Exit strategies — documented plans for transitioning away from each provider
- Risk assessment — evaluation of the provider’s criticality and substitutability
Submission Format
Institutions can submit via:
- xBRL-CSV file — following EBA validation rules (preferred format)
- Standardized Excel template — some authorities (like DNB) offer this as an alternative and convert it to xBRL-CSV
The reporting template remains unchanged from 2025, but regulators expect more mature submissions this year — with detailed documentation of subcontractors and evidence of ongoing risk mitigation, not just a basic vendor list.
Why This Matters Beyond Compliance
The Register of Information isn’t just a regulatory checkbox. It serves a critical purpose:
ICT Concentration Risk
The ESAs will use aggregated ROI data from across the EU to identify systemic ICT concentration risks. If thousands of financial institutions depend on the same three cloud providers, that’s a systemic risk the regulators need to understand and manage.
Critical Third-Party Provider Designation
Based on the submitted registers, the ESAs will designate critical ICT third-party service providers who will face direct EU-level oversight. This is the mechanism that brings major cloud providers, data center operators, and financial software vendors under direct regulatory supervision for the first time.
Your Own Risk Awareness
The exercise of compiling the register forces financial institutions to confront their own ICT dependencies. Many organizations discover during this process that they:
- Have more third-party ICT dependencies than they realized
- Lack exit strategies for critical providers
- Don’t know where their subcontractors’ data is stored
- Can’t identify single points of failure in their ICT supply chain
What To Do Now
If You Haven’t Started
You’re late, but not too late. Focus on:
- Identify all ICT service contracts — this includes cloud, SaaS, managed services, data feeds, market infrastructure, outsourced IT, and even API providers
- Gather subcontracting information — contact providers to document their subcontracting chains
- Document exit strategies — even basic plans are better than none
- Use the standardized template — download from your national authority’s website
If You’ve Submitted Before
2026 expectations are higher:
- Update subcontractor details — regulators expect complete subcontracting chains this year
- Strengthen exit strategy documentation — move from generic plans to actionable transition procedures
- Validate data quality — ensure LEIs are correct, service descriptions are specific, and no arrangements are missing
- Review risk assessments — update criticality and substitutability evaluations
What Comes Next
After March 2026 submissions:
- ESAs aggregate data by end of Q1 2026
- Critical ICT third-party provider designation follows in H2 2026
- Direct oversight begins for designated providers
- 2027 reporting will require even more granular data
Our Take
The ROI is DORA’s first tangible enforcement milestone, and it reveals whether financial institutions truly understand their ICT dependencies. The institutions that treat this as a governance exercise — not just a filing — will be better prepared for everything DORA brings next: resilience testing, incident reporting, and third-party risk management reviews.
Need to map your compliance posture across DORA and other frameworks? Start a free assessment on Metrica.uno.
Written by
Metrica.uno Team