What is the DORA Register of Information?
The Register of Information is a mandatory record that every EU-regulated financial entity must maintain under Article 28(3) of the Digital Operational Resilience Act (DORA, EU Regulation 2022/2554). It documents all contractual arrangements with ICT third-party service providers — including which services are critical or important. Financial entities must submit a complete register to their national competent authority (NCA) at least once per year.
Who must submit it
DORA applies to virtually all regulated financial entities in the EU. The following entity types must maintain and submit the register:
- Credit institutions (banks)
- Payment institutions (PIs)
- Electronic money institutions (EMIs)
- Investment firms
- Crypto-asset service providers (CASPs)
- Insurance and reinsurance undertakings
- Central securities depositories
- Trading venues and data reporting service providers
- Crowdfunding service providers
- Fund managers (UCITS, AIFM)
Group reporting: For entities within a financial group, the register must be submitted at the highest consolidated level. Subsidiaries do not submit separately.
What the register contains
The register is structured into 15 templates organized in 8 groups, as defined by Commission Implementing Regulation (EU) 2024/2956 (the ITS):
| Group | Templates | Description |
|---|---|---|
| Entity Information | B_01.01, B_01.02, B_01.03 | Entity maintaining the register, entities in scope, branches |
| Contractual Arrangements | B_02.01, B_02.02, B_02.03 | General and specific contract information, intra-group arrangements |
| Signatories | B_03.01, B_03.02, B_03.03 | Entity and provider signatories, signatory details |
| ICT Services | B_04.01 | ICT services supporting critical/important functions |
| ICT Third-Party Providers | B_05.01, B_05.02 | Provider identification, provider chain (subcontracting) |
| Functions | B_06.01 | Functions supported by ICT services |
| Assessments | B_07.01 | Substitutability and criticality assessments |
| Entity-Specific | B_99.01 | Additional entity-specific information |
Templates are interlinked through foreign key references — for example, B_02.02 references arrangements from B_02.01, providers from B_05.01, and functions from B_06.01. This cross-template integrity is what makes manual Excel validation difficult.
When it's due
The reference date for the register is 31 December of the previous year. For 2026, entities report their register as of 31 December 2025.
Submission deadlines vary by country. NCAs set their own cut-off dates, typically between February and March. The ESA backstop deadline is 31 March — NCAs must forward all collected data to the European Supervisory Authorities by this date.
See the full country-by-country deadline table →
Submission format
The register must be submitted in xBRL-CSV format, following EBA Taxonomy 4.0 (validation package November 2024). The submission package is a ZIP file containing:
META-INF/reportPackage.json— metadatareports/*.csv— one CSV per templatereports/parameters.csv— reporting parametersreports/FilingIndicators.csv— which templates are included
Some NCAs also accept Excel workbooks, but xBRL-CSV is the standard format expected by the ESAs.
How it gets validated
Before submission reaches the ESAs, the register data is checked against multiple validation layers:
- Technical checks — mandatory fields present, correct data types, valid formats (LEI, dates, country codes)
- DPM rules — closed-list values match EBA taxonomy, foreign key integrity between templates, key uniqueness
- DORA business rules — arrangement type logic, branch codes, signatory requirements, cross-template references
- EBA-specific rules — 91+ validation rules from ITS 2024/2956 covering existence checks, conditional mandatory fields, and value range constraints
In the 2024 ESAs dry-run exercise, only 6.5% of submitted registers passed all data quality checks.
Read the full validation methodology →
What happens if you don't submit
DORA Article 50 delegates penalty authority to national regulators. Most Member States impose:
- Entity-level fines based on annual turnover
- Personal liability for individuals who approve submissions
- Mandatory rework cycles if the submission is rejected
Beyond fines, a rejected or incomplete register triggers internal rework — re-collecting data from contract owners, re-validating, and re-submitting under board scrutiny.
How to prepare your register
Three approaches are common:
- Excel + manual review — Fill EBA templates in Excel, review manually. Risk: no cross-template validation, format errors surface only after submission.
- Enterprise GRC platform — Full compliance lifecycle management. Effective but requires months of implementation and significant budget.
- Browser-based validator — Import existing Excel data, run the same 4-layer validation your authority applies, fix issues, export xBRL-CSV. Same-day result, no data upload.
DORA RoI is a free browser-based tool that runs all four validation layers on your register data. Your data never leaves your browser. Try the validator →
For a detailed comparison of validation tools, see DORA Register Validation Tools Compared.
Regulatory references
- EU Regulation 2022/2554 (DORA) — Article 28(3): obligation to maintain the register
- Commission Implementing Regulation (EU) 2024/2956 — ITS defining template structure
- EBA Taxonomy 4.0 (November 2024) — validation rules and xBRL-CSV format specification
- Joint ESA Guidelines on the Register of Information — reporting guidance