DORA: what it is and what the Register of Information really means

The Digital Operational Resilience Act (DORA) is a landmark EU regulation (EU 2022/2554) designed to strengthen the operational resilience of the financial sector against digital and ICT-related risks. Applicable since 17 January 2025, DORA harmonises rules on ICT risk management, incident reporting, digital operational resilience testing, and oversight of critical third-party providers. 

A core requirement under DORA is for each financial entity in scope to maintain a Register of Information (RoI), a detailed record of all contractual arrangements with ICT third-party service providers. This annual register provides national authorities with the data needed to assess digital dependencies, identify critical ICT providers, and inform regulatory oversight at both national and EU levels. The templates and data standards for the RoI are defined by the joint decision of the European Supervisory Authorities (ESAs), ensuring consistency across jurisdictions.  

2026 Reporting Schedule in Luxembourg: CSSF & CAA 

CSSF - Commission de Surveillance du Secteur Financier 
Luxembourg’s supervisory practice is now transitioning toward a regular annual cycle aligned with EU-wide expectations. Competent authorities in Europe are required to forward consolidated RoIs to the ESAs by 31 March each year, based on a 31 December reference date of the preceding year. Financial institutions should therefore prepare to integrate RoI reporting into an annual rhythm tied to year-end data and early-year submissions.  

For CSSF-supervised entities in 2026 and beyond, this means that the internal submission window is expected to be set before March 2026, enabling the CSSF to complete its own checks and transmit the consolidated RoI to the ESAs by the end of March. While an official CSSF timeframe for 2026 has not yet been confirmed publicly, market guidance suggests a reporting period typically between late February and March each year in line with standardised practice.  

CAA - Commissariat aux Assurances 

 For insurance and reinsurance undertakings subject to DORA and supervised by the CAA, the 2026 RoI deadline is set on 1 March 2026, according to the official 2026 reporting calendar published by the CAA. This submission via SOFiE / E-File using the “DORA Register of Information” template will be based on the 31 December 2025 reference date and reflects the shift toward an annual reporting cadence aligned with broader regulatory timelines.  

 Lessons Learned: Practical Insights From the First Reporting Cycle 

Through our work with clients at Spike Reply, the first cycle of DORA RoI submissions including extensions and validation rounds has already provided valuable insights for organisations preparing for 2026 and beyond: 

1. Data quality and ownership are critical 
Across our client engagements, we observed that many organisations underestimated the effort required to collect, validate, and structure contractual ICT data. Firms that approached the RoI as a static document faced significant challenges, while those that implemented queryable and automated inventories experienced smoother and more reliable submissions. 

2. Automation as a key enabler 
Manual, spreadsheet-driven processes do not scale effectively. At Spike Reply, we have seen that automating data capture and maintenance significantly reduces rework and enhances readiness for interim and mid-year updates. 

3. Cross-functional collaboration is essential 
RoI preparation cannot be owned by IT or Compliance alone. Our experience shows that early and structured collaboration between legal, procurement, risk, and operations teams is essential to ensure accurate coverage of contracts, SLAs, and third-party classifications. 

4. Establishing a sustainable annual process 
With national competent authorities increasingly aligning around annual reporting deadlines based on the previous calendar year, we see leading organisations embedding RoI maintenance into business-as-usual processes rather than treating it as a one-off regulatory exercise. 

5. Emerging feedback from competent authorities 
We are also seeing early feedback from competent authorities, particularly regarding data quality and data completeness. Recurring gaps have been identified in several submissions, notably around incomplete coverage of entities and their branches, reinforcing the need for a comprehensive and consistent view of the organisational perimeter in future reporting cycles. 

If you would like support, expert guidance, or a demonstration of our DORA Register tool, please do not hesitate to contact Spike Reply. We would be happy to help you strengthen your DORA RoI processes and prepare for upcoming reporting cycles. Get more information on the DORA RoI here.