Frequently Asked Questions about DORA

No, if there is a complete overlap between the reportable situations, you only need to report the incident via the DORA app in the AFM Portal as an ICT-related incident, including the required attachments listed there.

No, in cases where there is a complete overlap between the reportable situations for DORA and the Wft, you only need to submit a notification via the DORA app in the AFM Portal.

No, there is a dual reporting obligation for DORA and NIS2 incidents. You can report a DORA incident via the DORA app in the AFM Portal, while NIS2 incidents must be reported to the National Cyber Security Center (NCSC). For more information, visit the NCSC website: Incident Reporting and Registration Requirements.

In addition to a notification obligation under DORA for contracts with ICT service providers that support a critical or important function, there is also a notification obligation in the case of proposed critical and important outsourcing under the Wft. These obligations may overlap, such as in some cases involving the outsourcing of KYC and administration. In cases where both a notifiable ICT service that must be reported under DORA and a notifiable outsourced non-ICT service that must be reported under the Wft are involved, notification via the DORA app in the AFM portal suffices. However, in that case, the Outsourcing notification form must be uploaded as an additional attachment to the notification.

You gain access if you have a licence from the AFM and your company are subject to DORA. Your company needs to manage access for the appropriate employees through the authorisation management system in the portal. If you have an AFM licence, are subject to DORA, and you are unable to assign access to employees through the authorisation management system, please contact the AFM Business Desk.

Yes, the ESAs published a FAQ document on February 14, 2025, regarding the collection of registers of information. Additionally, the ESAs shared details on their website about how these information registers should be collected and reported.

You can upload the document in the xBRL-CSV format as a zip file in the AFM Portal. This is also the format preferred by the ESAs.

This year, you can also submit the document in Excel. Since not everyone currently has the capability to provide the register in the xBRL-CSV format yet, we are offering the option to convert the registers from Excel to xBRL-CSV this year. We will handle the conversion of the data to xBRL-CSV before sending it to the ESAs. To facilitate this conversion for you, it is important that you use our Excel template. We will not convert other templates to xBRL-CSV. The instructions for the template can be downloaded from out site.

Submitting the register in any other format than xBRL-CSV or Excel is not possible.

No. The Dry Run was a test inquiry for supervisory authorities and market participants in 2024, and the requirements differ from the format used then. We have published a form that u can use.

If your ICT service provider does not yet have an LEI or EUID, you must provide another available identification number. See also question 40 of the ESAs' FAQ. To prevent your company from receiving a request to supplement the register of information, it is important that you do not use a dummy code and do not leave this field empty.

For this, we refer you to questions 26 and 27 of the ESA’s FAQ. 

We refer you to questions 26 and 27 of the ESA’s FAQ. You must include all ongoing contracts with ICT service providers in the register of information. If certain columns of the register of information are not yet available, you may enter 'not applicable' or follow any other instructions provided (see the question above). 

You must include all ongoing contracts with ICT service providers as of March 31, 2025, in the register of information. If you submit it earlier, the AFM expects a ‘best effort’ to approximate the status as of March 31, 2025, as closely as possible in the submitted register of information.

Yes. Based on the combined registers of information, the ESA’s aim to identify which ICT service providers should be classified as critical ICT service providers under supervision. The draft RTS on subcontracting and the ESA’s FAQ (including questions 70, 79, 84, and 85) can be used as a reference point.

We refer you to questions 4 to 9 of the ESA’s FAQ.

In addition, DNB will request the register of information at consolidated prudential level from (parent undertakings of) banks and insurers under its supervision. If this consolidated register of information also includes the registers of information for one or more other financial entities for which the AFM is the competent authority under DORA, submission of the register to DNB may be sufficient. In that case, the individual and (sub-)consolidated registers of information do not need to be submitted separately to the AFM, to avoid double reporting.

However, this is only permitted if the consolidated register of information clearly indicates the relevant parts of the register for each individual financial entity. In other words, it must be evident from the register which contractual agreement regarding the use of ICT services provided by third-party providers relates to which financial entity. If this is not possible, the AFM expects the register of information to be submitted to it at the level of the individual entity or at sub-consolidated level.

No, financial entities must always maintain an information register at both individual and (sub)consolidated levels.

A distinction must be made between the obligation to maintain and update (i.e., maintain) a register of information (ROI) on the one hand, and the obligation to provide the ROI to the competent authorities on the other.

The first obligation applies to all financial entities and means that they must maintain and update an ROI at the level of the entity, as well as at sub-consolidated and consolidated level. The second obligation entails that financial entities must make their full ROI, or specific parts thereof upon request, available to the competent authority.

The register of information should include all relevant subcontracting parties (see also question 79 of the ESA’s FAQ). In the case of intra-group outsourcing, you should also focus on the first external subcontracting party, if applicable, even if the respective ICT service does not support critical functions or significant components of those. See also, among others, question 70 of the ESA’s FAQ.

The register of information is requested annually so that the ESA’s can determine which ICT service providers should be placed under supervision as critical ICT service providers. After we have received the registers, we will forward the registers of information to the ESA’s. Additionally, we may use the information for our supervision of the financial entities that fall under DORA.

With the introduction of DORA, a new category of entities will come under supervision: critical ICT service providers. Which ICT service providers qualify must be determined based on specific criteria. The information from the register of information is particularly useful for this purpose. This information will be used to identify critical ICT service providers this year.

We have published a form that u can use for the register. We have written an instruction for filling in the template. 

To convert the template to xBRL-CSV, it is important that you do not change the order of the tabs. Adding, deleting, or moving tabs will result in errors during the conversion. We have written an instruction for filling in the template.

No, you do not need to. Pre-filled (drop-down) fields will only be included in the conversion when you fill in the other fields in the row. You can leave the pre-filled fields in the rows you do not use.

We have written an instruction for filling in the template. 

This column has been added for the xBRL-CSV format. You can leave this column empty. We have written an instruction for filling in the template.

Yes, based on common mistakes and questions we received, we have written an instruction outlining the key points to pay attention to when filling out the template.

This depends on several factors. The European regulators elaborate on this in the answer to question 2999 on the EIOPA website.

These entities fall under DORA if they are licensed for insurance mediation, have 250 or more FTEs, or fewer than 250 FTEs but generate more than €50 million in revenue and have a balance sheet total of more than €43 million. If the entity is part of a group of companies, the FTE, revenue, and total balance sheet of all financial entities (as mentioned in Article 2, paragraph 1 of DORA) should be added together.