Original publication date: March 10, 2025.
Since the publication of this blog post, BaFin has postponed the deadline for submission from April 11 to April 28, 2025.
More than 3,000 participants attended the two-hour online workshop hosted by the German Federal Financial Supervisory Authority (BaFin) on submitting the Register of Information (RoI).
A Brief Recap: The Register of Information
Since January 2025, the Digital Operational Resilience Act (DORA) has required companies in the financial sector to maintain a Register of Information. This register must contain all contractual agreements regarding the use of information and communication technology (ICT) services between a company and its third-party ICT providers.
The purpose of compiling this information in a standardized overview document is to give the European Supervisory Authorities (ESAs) insight into the contractual relationships and the dependencies of European financial institutions on third-party ICT providers. The goal is to identify potential concentration risks across Europe in order to limit or even prevent them in the future.
DORA mandates that the register must be kept available as of January 17, 2025, and provided to the relevant supervisory authority upon request. In addition to this ongoing availability, the Register of Information must also be submitted annually to the supervisory authority. The first submission must be made to BaFin by April 28, 2025 – or, in the case of significant credit institutions, to the European Central Bank (ECB).
To answer key questions about the submission process, BaFin held a workshop. Our financial security experts attended on your behalf and identified three key takeaways:
Excel or No Excel? That Is the Question.
The ESAs have specified XBRL as the required format for creating the Register of Information. Since this format poses challenges, particularly for small and medium-sized enterprises, BaFin has stepped in to help by providing an Excel template. After submission, BaFin will convert the Excel file into XBRL and forward it to the ESAs.
BaFin’s Excel template is fully aligned with the relevant ITS (Implementing Technical Standards) for the Register of Information, following the same numbering and terminology. The template is only available in English.
During the workshop, BaFin pointed out that the Excel template is primarily intended for small and medium-sized enterprises, as it reaches its limits when handling large data volumes.
Additionally, the template is only a beta version and currently available exclusively for Windows. Another key issue raised was that the template includes macro elements, which many IT departments prohibit for security reasons.
Don’t Wait Until April 28 to Upload!
We've all seen it happen – deadlines get stretched to the very last minute. However, in this case, an early submission is strongly advised, and here’s why:
- You can only upload your file once you are authorized for the DORA submission process. Register early – the BaFin website is already available.
- BaFin will activate the upload portal at the end of March.
- Submission is only considered complete once BaFin and the ESAs have reviewed and accepted your file. Processing may take a few days.
- No automatic notifications will be sent regarding the status of your submission. You will need to proactively check the portal for updates.
Our experts urgently recommend: Plan a sufficient buffer between submission and the April 28, 2025 deadline to allow for potential feedback or necessary corrections.
Subcontractors: Where Do You Draw the Line?
Another key question regarding the Register of Information remains: To what extent should subcontractors be listed?
One thing is clear: If an ICT service provider supports critical or important functions, then all subcontractors that significantly contribute to this service must be listed. In other words: If a disruption at a subcontractor could impact the security or continuity of the ICT service, it must be included in the register.
To provide guidance, BaFin shared the following key questions during the workshop:
- Is there a direct and explainable dependency between the ICT service and the subcontractor?
- Does the subcontractor ensure the provision of essential parts of the ICT service that support a critical or important function?
- Could a disruption at the subcontractor impact the security or continuity of the ICT service?
BaFin illustrated this with a concrete example:
If a financial institution lists the core banking system provider as an ICT third-party service provider, then at least the following subcontractors must also be listed:
- Cloud provider for the core banking system
- Firewall for the core banking system
- Load management services
Each of these subcontractors meets at least one of the criteria contained in the key questions.
However, the Customer Relationship Management (CRM) system of the core banking system does not need to be listed. It neither represents a critical component of the ICT service nor affects the security or continuity of the core banking system.
Important Note: This example is for illustrative purposes only and, as BaFin repeatedly emphasized, reflects BaFin’s own interpretation of the ITS. If the ESAs contradict that interpretation, the ESAs’ position will take precedence.
Our experts recommend: Continue to follow the proportionality principle and the risk-based approach that you are already familiar with from previous financial regulations.
Do you have questions about DORA or need support with implementing it? Get in touch. We are happy to assist you.