Register of Information
The Digital Operational Resilience Act (DORA), which became applicable as of 17 January 2025, requires financial entities to maintain a register of information at entity level and at sub-consolidated and consolidated level for all contractual agreements with ICT third-party service providers. The register of information should be shared annually with national supervisory authorities, after which it will be shared with the European Supervisory Authorities (EBA, EIOPA and ESMA). European Supervisory Authorities will use the information from the registers to identify critical ICT third-party service providers.Where can you find the request?
The request will be available in the AFM Portal as of 7 March 2025.
What is the deadline for reporting?
You must report the register of information via the AFM Portal by 16 April 2025 at the latest.
In which format should the report be made?
You must report the register of information in the xBRL-CSV format. To support this, the ESAs have made available a website with relevant documents (see 'preparations for official reporting of registers'). Among other things, the validation rules that are used are published on the website. The validation rules are also integrated into the framework for reporting to the ESAs.
In order to support financial entities that are not yet able to provide the register of information in xBRL-CSV, we are offering the possibility this year (and this year only) to provide the register in Excel. If you wish to make use of this option, you must use the standardised Excel template provided by the AFM. We will then convert the Excel template to the standard xBRL-CSV. If you submit the register of information in Excel, you will remain responsible for the correct and timely delivery of the register at all times.
We have written an instruction for completing the template.
Which reference date should be used?
The reference date to be used is 31 March 2025. If you submit the register of information before the reference date, we ask you to include in the register all the contracts that you expect to have on 31 March 2025. If you submit the register after the reference date, all the contracts you had on 31 March 2025 must be included in the register.What is the process after 16 April 2025?
After an initial validation, the AFM will make the register of information available to the ESAs. The ESAs will check the data quality. In addition to our validation, the ESAs will implement the validation rules around the LEI codes and EUIDs. The AFM will provide you with feedback on these results. The AFM then expects that the errors identified will be corrected by means of a re-report.Consolidation level
Depending on the situation that applies to your company, you must provide the register of information at the following level of consolidation:- At the level of the financial entity, where the financial entity is not part of a group of financial entities.
- At the level of the financial entity, where the financial entity is part of a group of financial entities and the parent undertaking(s) is/are located outside the European Union.
- At the highest level of consolidation in the European Union, where the financial entity is part of a group of financial entities and the AFM has supervisory responsibility pursuant to the Union acts referred to in Article 46 of DORA.
Financial entities for which we are the competent supervisory authority and which are part of a group of financial entities in which the parent company at the consolidated level does not fall under the supervision of another competent authority in the European Union must submit the register of information at the level of the individual financial entity.
Learn more
The AFM regularly communicates about relevant developments concerning DORA. More information about DORA can be found at our webpages on DORA.