← All posts

DORA Register of Information 2026: What Regulators Are Telling Firms After the March Deadline

DORA Register of Information 2026: What Regulators Are Telling Firms After the March Deadline

For many firms, the process did not go smoothly. A significant share of submissions have been rejected, returned for correction, or flagged with validation errors. National regulators in Norway, Sweden, Denmark, and Germany have all published specific guidance in recent weeks addressing what went wrong, what firms need to check, and what happens next.

This post brings that guidance together in one place.

Background: What the RoI Is and Why It Matters

The DORA Register of Information is not simply an updated outsourcing register. It is a structured, machine-readable dataset compiled across 15 interdependent templates and 105 defined data points, submitted in xBRL-CSV format under EBA ITS 2024/2956. Every contractual arrangement with an ICT third-party service provider — whether supporting a critical or important function or not — must be documented, and the relationships between arrangements, functions, service providers, and subcontractors must be made explicit.

The ESAs use the aggregated data to identify Critical Third-Party Providers (CTPPs) for EU-level oversight under DORA Article 31. NCAs use it to supervise third-party concentration risk at the entity level. The quality of the data directly affects both of those supervisory objectives.

Norway: Finanstilsynet's Post-Deadline Guidance

Finanstilsynet's deadline for Norwegian firms was 13 March 2026. Submissions were forwarded on to the EBA for validation, and several were rejected and returned.

Finanstilsynet has published specific operational guidance for firms to follow:

Checking your submission status in e-Reg:
  • Log into the e-Reg production environment
  • A green DOR symbol means your submission has been accepted by the EBA
  • A red DOR symbol means your submission has not been accepted
If your submission was rejected:
  • Click the red symbol to access error details
  • Navigate to the "Ticket" tab
  • Download the instance-status file
  • Review the fields feedbackText and Business validation rules triggered
  • Correct the identified errors in your register
  • Resubmit through e-Reg
  • Monitor again until the status turns green

Finanstilsynet also points firms to EBA's published guidance documents on common rejection causes, including the observations document from the 2024 dry-run exercise, the technical checks and validation rules spreadsheet (XLSX), and the Data Model documentation (PDF). Firms with outstanding questions should use the communication module within e-Reg.

What the ESAs Are Saying: EBA, ESMA, and EIOPA

The joint European Supervisory Authorities — EBA, ESMA, and EIOPA — have been consistent in their messaging since the 2024 dry-run exercise.

The dry-run baseline

In 2024, nearly 1,000 EU financial entities participated in a voluntary dry-run exercise ahead of the mandatory 2026 submission. The headline finding: only 6.5% of registers passed all 116 data quality checks. Around half of the remaining registers failed fewer than five checks — a sign that the problems were often concentrated and correctable — but the overall pass rate made clear that most firms were not ready.

The ESAs said the quality was "in line with expectations" for a first exercise and expressed confidence that sufficient quality was achievable, contingent on additional effort from industry. That framing should not be read as lenient. The 2026 exercise is mandatory and subject to supervisory consequences.

Four layers of validation

Every submission is tested against four distinct validation types:

  • Technical checks — format compliance, date validity, file structure
  • Business checks — logical consistency, mandatory field completion
  • Foreign key constraint violations — relationships between templates must be internally consistent
  • Primary key validations — no duplicate identifiers across the 15 templates

A register that passes technical checks may still fail on business or foreign key checks. The interdependency of the 15 templates means an error in one can cascade into failures elsewhere.

Strengthened rules in 2026

The ESAs have explicitly stated that validation rules applied in 2026 are stricter than those used during the 2024 dry-run. A register that was accepted in 2025 may be rejected in 2026. This is not a system error — it reflects deliberate tightening of the quality standards that ESAs expect from the live reporting cycle.

For technical questions, the EBA operates dedicated support channels:

Sweden: Finansinspektionen's 13-Point Clarification

FI's submission deadline was 28 February 2026, earlier than most other NCAs, with data reflecting 31 December 2025. Submissions were made via the FIDAC platform, with a test environment available for validation before production deployment.

Ahead of the deadline, Finansinspektionen published 13 specific clarifications addressing the most common points of confusion:

  • Template B_07.01 — only report contracts with ICT third-party providers where the service supports a critical or important function; do not include all ICT contracts
  • Legal entity names must be registered as they appear in company registers (Bolagsverket), the GLEIF database, or BRIS — not trading names or abbreviations
  • Cost amounts should be specified for standalone agreements and framework agreements; costs defined only in call-off agreements may be omitted from the parent record
  • Intra-group arrangements must be included — report them in templates B_02.03 and B_02.01
  • Subcontractors needed to support critical or important functions should be listed in template B_05.02
  • Function identification codes must be entered in template B_06.01
  • Total assets figures for 2026 reporting should reflect the firm's 2025 annual report
  • State authorities cannot be classified as ICT third-party service providers and must not appear as such in the register
  • LEI codes must be validated against current GLEIF records — expired or inactive LEIs will cause rejections
  • Currency amounts must use the approved format: iso4217:SEK or iso4217:EUR
  • The parameters.csv file must include entityID with the correct consolidation suffix (.IND for individual, .CON for consolidated)
  • refPeriod in parameters.csv must be set to 2025-03-31 for this cycle
  • Do not modify the structure of any template files — changes to column headers or sheet structure will cause the entire submission to fail validation

Firms with system or format questions can contact FI at [email protected].

Denmark: Finanstilsynet on the Correction Window

Denmark's submission window ran from 2 February to 13 March 2026, with a consolidated forwarding deadline to the ESAs of 31 March. Finanstilsynet has communicated directly that several Danish submissions have been rejected and returned.

Key points from Danish guidance:

  • A correction window runs from 31 March to 30 April 2026 — Finanstilsynet has specifically requested that firms set aside resources for this period, acknowledging that corrections are expected to be widespread
  • The RoI represents a completely new reporting format and level of granularity with no direct predecessor in Danish supervisory reporting — firms should not assume existing outsourcing registers map cleanly onto it
  • Questions about uniform interpretation and data structuring remain unresolved at EU level in some areas; Finanstilsynet is monitoring for guidance from the ESAs
  • For supervisory follow-up, systemically important financial institutions are prioritised first
  • In inspections, Finanstilsynet is assessing whether firms have actively engaged with risk thinking or merely copied a generic template structure; a register that looks complete on the surface but lacks substantive analysis of criticality and concentration will not satisfy the supervisory expectation

Germany: BaFin's Rigorous Approach

BaFin's submission window was 9–30 March 2026, using the MVP reporting and publication platform. Firms could submit either an xBRL-CSV package compliant with the ESA taxonomy, or a BaFin-provided Excel template — though the Excel template is compatible only with Windows and tested only in Microsoft Excel.

BaFin has been particularly direct about what it will be scrutinising:

Supervisory focus areas

  • BaFin is conducting a rigorous, data-driven review of submitted registers for completeness, consistency, and auditability
  • A specific area of attention is dependencies on US hyperscaler providers — cloud infrastructure concentration with a small number of large non-EU providers is on BaFin's watch list, and firms with significant hyperscaler exposure should expect questions about exit strategies
  • BaFin has reported that over 600 serious ICT incidents were filed by German financial firms in the first year of DORA application — a figure that reinforces the urgency of third-party risk visibility

Common errors BaFin has identified

  • Using free text in fields that require approved codes from the DORA data model
  • Missing mandatory fields, particularly in subcontractor linkages
  • Duplicated contract reference numbers or function identifiers across records
  • Modifying the structural format of template files, which breaks automated validation
  • Typographical errors in LEI codes or entity names
  • Not allowing adequate buffer time before the deadline — submissions received close to the cut-off left no time to resolve NCA processing issues

Double reporting concern

BaFin has acknowledged a practical concern: ICT services supporting critical functions are likely to also qualify as material outsourcing under existing German supervisory expectations, creating potential duplication between the DORA RoI submission and the existing MVP outsourcing notification process. BaFin intends to update the MVP outsourcing notification form to add a DORA-specific checkbox, expected in Q2 2025 (now overdue). Until that update is released, firms should continue both reporting streams separately.

What the Numbers Tell Us

Across all jurisdictions the same figure keeps appearing: 6.5% of firms in the 2024 dry-run passed all 116 data quality checks. That is the benchmark against which the 2026 mandatory exercise is being measured.

The reasons for failure cluster around a few root causes:

Data fragmentation. Most firms do not maintain a single authoritative source of ICT third-party data. Procurement holds contract data. Legal holds agreement terms. ICT risk teams hold criticality assessments. None of these sources is complete on its own, and the RoI requires them to be integrated. LEI coverage gaps. Legal Entity Identifiers are mandatory for all service providers and subcontractors appearing in the register. Many firms discovered that their vendor records did not systematically capture LEIs — or that LEIs on file had expired without renewal. The register is not a spreadsheet exercise. The 15-template xBRL-CSV structure requires data engineering, not document management. Firms that approached it as an extension of their existing outsourcing register found that the mapping and validation complexity was far greater than expected. Treating it as a year-end exercise. The register reflects a point-in-time snapshot, but maintaining data quality throughout the year — capturing new contracts, updating criticality assessments when functions change, recording termination dates immediately — is the only way to avoid a scramble at the next reporting deadline.

What to Do Right Now

If you are in scope for DORA and submitted before your NCA's March deadline, work through this checklist:

  • [ ] Check your submission status in e-Reg or your NCA's reporting platform — green means accepted, anything else requires action
  • [ ] If rejected, download the instance-status file and read every feedbackText entry and triggered business validation rule
  • [ ] Map each error to the relevant template and data point using EBA's validation rules spreadsheet
  • [ ] Correct and resubmit within the correction window (31 March–30 April 2026 for most jurisdictions)
  • [ ] Validate locally before resubmission using EBA's technical checks documentation — do not submit blind
  • [ ] Review LEI coverage across all providers and subcontractors; renew any expired LEIs before resubmission
  • [ ] Check template B_05.02 subcontractor linkages — this is one of the most commonly incomplete templates
  • [ ] Do not modify template file structure — if you are using the EBA taxonomy or a national Excel template, keep headers and column structure exactly as provided

For the longer term, the correction window is a forcing function to address the underlying data management issues. If your firm scrambled to compile the 2026 submission, it will scramble again in 2027 unless the data infrastructure changes. The register needs to be maintained as a live operational record, not assembled once a year.

For a full breakdown of DORA's third-party requirements — including the contractual obligations under Article 30, exit plan requirements, and concentration risk assessment — see the DORA third-party risk management guide. The DORA Register of Information overview covers the 15-template structure and data model in detail. If you want to assess your broader DORA readiness across all five pillars, the free DORA gap analysis takes about three minutes and gives a pillar-by-pillar score.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →