The DORA Register of Information: 2026 Outlook and Guidance

Why the Register of Information matters  

Under Article 28 of the Digital Operational Resilience Act (DORA), financial entities must maintain a comprehensive register documenting all contractual arrangements with ICT third-party service providers. The Register of Information (RoI) provides ESAs with system‑wide visibility of ICT dependencies, supports the designation of critical ICT third‑party providers, and enables analysis of concentration and systemic risk.

2026 reporting timelines

While national competent authorities remain responsible for collecting RoIs, reporting timelines are increasingly aligned across the EU to enable onward transmission to the European Supervisory Authorities (ESAs) by the end of March each year.

Malta Financial Services Authority (MFSA)

• Reporting period: 1 January – 21 March 2026 (or next working day).
• Reference date: 31 December 2025.
• Submission channel: LH Portal.

AFM (Netherlands)

• AFM requested the RoI in December 2025 with a submission deadline of 22 March 2026.
• This aligns with DNB’s end-March forwarding to ESAs.  
• This time, companies are required to submit the register themselves in the correct xBRL-CSV format.

Beyond these regulators, other supervisors such as NBB (Belgium), FMA (Austria/Liechtenstein), BaFin (Germany), CSSF (Luxembourg), HANFA (Croatia), and others, are expected to follow a Q1 reporting cycle aligned with the ESA decision that requires supervisors to provide their aggregated RoIs to the ESAs by end of March each year.  

Managing changes to the RoI

Financial entities should embed RoI maintenance into business‑as‑usual processes:

• New suppliers – Capture LEI/EUID at onboarding and record expected service start dates.
• Contract changes – Update scope, services and criticality immediately following amendments.
• Supplier exits – Record termination dates, exit reasons and ensure alignment with exit plans.

Regular reconciliation with procurement, outsourcing registers, and ICT risk inventories, is critical to ensuring accuracy and supervisory defensibility.

Practical recommendations for Register of Information maintenance

As supervisory scrutiny intensifies, maintaining the RoI manually is no longer sustainable. Financial entities should move beyond spreadsheet-based approaches and focus on building a technology-enabled, scalable RoI capability:  

• Leverage technology for centralised RoI management: Implement solutions that consolidate ICT supplier, contract, and service data into a single source of truth. This reduces manual effort, avoids version-control issues, and enables real-time visibility of third party dependencies.
• Enable structured data collection across stakeholders: RoI data must be sourced from multiple internal stakeholders, including procurement, ICT, risk management, compliance, and legal teams. Clearly defined workflows, ownership, and escalation paths are essential to ensure timely updates and accountability.
• Design for xBRL-CSV readiness: RoI processes and tools should align with the ESAs’ taxonomy and validation rules, enabling automated generation of xBRL-CSV submissions. Early alignment significantly reduces last-minute remediation and reporting risk ahead of regulatory deadlines.
• Embed automated data quality controls: Use technology-driven validation checks, such as mandatory field completion, LEI/EUID format controls, duplicate detection, and consistency checks across contracts and services.
• Maintain the RoI as a living register: Periodical updates for new suppliers, contract amendments, and terminations dramatically reduces year-end reporting pressure and supports more effective third party risk management throughout the year.

Learn how Thomas Murray can support your RoI management here.