DORA – Délai de soumission du registre d’information – Portail eDesk ouvert à partir du 11 février 2026 (uniquement en anglais)

In accordance with Article 28(3) of Regulation (EU) 2022/2554 (DORA), financial entities subject to DORA shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

As requested in Circular CSSF 25/882, financial entities are required to submit annually their register of information to the CSSF, at individual or consolidated level as relevant.

Financial entities are required to submit their register of information to the CSSF between 11 February 2026 and 31 March 2026 via eDesk. It is strongly recommended to submit it as soon as possible and not to wait until the end of the submission period to ensure potential issues can be addressed before end of March.

Following the publication of the Q&A #102 (Link) by the ESA, third country branches of financial entity types falling in the DORA remit and under the supervision of the CSSF now have to submit a register of information to the CSSF. For these entities the same submission window applies.

For 2026, the reference date of the register of information is set to 31 December 2025, i.e. the register of information shall contain all contractual arrangements contracted until 31 December 2025.

The validation checks defined by the ESA and last updated in April 2025 have not changed (Link) but will be applied to more data fields in order to increase the quality of the received data. Therefore, in certain cases, a register of information which was accepted last year, may be rejected this year. This is why it is important for financial entities to submit their register of information as soon as possible so that they have sufficient time to make any necessary corrections.

To be able to upload the register of information via the eDesk Portal, the Legal Entity Identifier (LEI) of the financial entity submitting the register of information has to be communicated beforehand to the CSSF. In addition, the role “DORA Reporting” needs to be assigned by a financial entity to at least one dedicated employee.

When the role “DORA Reporting” has been granted, the eDesk procedure “Submission of the Register of Information” can be selected starting as from 11 February.

Further details on how to assign this role can be found in the eDesk Portal user guide.

During the upload and validation processes, certain messages will be generated and communicated to the financial entity. Please note that those messages will only be addressed to the person having effectively uploaded the register of information and not to all employees to whom the “DORA Reporting” role may have been granted.

The CSSF highlights that the register of information must be submitted in plain-csv files, enclosed in a .zip-file following a predefined folder structure and file naming convention, as defined by the ESAs.

As a reminder, the CSSF highly recommends financial entities to follow closely the ESAs’ practical information and instructions available on the EBA website for the preparation and submission of the register of information (Link).

Further details on how to submit the register to the CSSF can be found in the User Guide for DORA – Submission of the Register of Information in the eDesk Portal.

Uploaded registers of information will be subject to validation checks by the CSSF in due time. In case errors are detected, the submitting financial entity will be invited to fix them and re-submit its register of information before 31 March 2026.

Registers of information accepted by the CSSF may be submitted on request to the ESA which will perform additional validation checks. Should the ESAs detect additional errors and consequently refuse the register of information on their side, the submitting financial entity must fix the detected errors and re-submit its register of information to the CSSF which will then forward it again to the ESAs.

In case financial entities will be assisted by third parties in the submission of their register of information, the CSSF would like to draw attention to the following. Providing access, even with a specific role, to the eDesk Portal to a third party entails the risk that such third party may have access to other eDesk reporting procedures, i.e. data of your entity that go beyond the data that are strictly linked to the submission of the register of information, including potentially sensitive data. Please ensure that any third party with access to the eDesk Portal confirms strict compliance with the confidentiality obligations relating to the data that may be accessed. Note that you remain solely responsible for the protection of your sensitive data in line with applicable regulations.

For any technical question related to the on-boarding or the use of the eDesk Portal, please contact: edesk@cssf.lu.

For any question related to the content of the register of information or the raised error messages during the analysis of the submitted register of information, please contact: ictrisksupervision@cssf.lu.

In case a question is related to a register of information that has already been submitted, financial entities shall provide the corresponding eDesk tracing code when contacting the helpdesk of the CSSF.

The CSSF has published a set of documents in order to help financial entities to submit their register of information.

The guidance published by the CSSF may be updated if required during this year’s submission exercise. The CSSF advises financial entities to consult the latest version of the relevant document(s) according to their specific question(s) before contacting our helpdesks.