Register of Information

Under DORA, financial institutions must maintain an information register for all contractual agreements with third-party ICT service providers at entity, sub-consolidated and consolidated level. The information register must be shared annually with the national supervisor, who will then share it with the European supervisors (EBA, EIOPA and ESMA).

The European supervisory authorities use the information from the registers to designate critical third-party ICT service providers. The information register is requested annually so the ESAs can determine which ICT service providers should be supervised as critical third-party ICT service providers (CTPPs). The first 19 parties will be designated in November 2025.

We can also use the information for our (risk-based) supervision of the financial entities covered by DORA.

Consolidation level

Depending on the situation that applies to your company, you must provide the register of information at the following level of consolidation:

At the level of the financial entity, where the financial entity is not part of a group of financial entities.
At the level of the financial entity, where the financial entity is part of a group of financial entities and the parent undertaking(s) is/are located outside the European Union.
At the highest level of consolidation in the European Union, where the financial entity is part of a group of financial entities and the AFM has supervisory responsibility pursuant to the Union acts referred to in Article 46 of DORA.

Financial entities for which we are the competent supervisory authority and which are part of a group of financial entities in which the parent company at the consolidated level does not fall under the supervision of another competent authority in the European Union must submit the register of information at the level of the individual financial entity.

Sharing your register of information

If you need to submit your register of information to us, a reporting requirement will be available for you in the AFM Portal. You can only upload the document to the AFM Portal in xBRL-CSV format as a zip file. Otherwise, please read the instructions for accessing the AFM Portal. The first submission must be completed in the AFM Portal by March 31, 2026. Corrections to submitted registers to improve data quality (resubmissions) are welcome until April 30.

Through this reporting requirement, you will also receive feedback from the EBA.

Submitting in xBRL-CSV

You can only submit your information register to us in xBRL-CSV, not in a standard Excel file. We facilitated the conversion to xBRL-CSV in 2025 as a one-time additional service to support companies in submitting their information registers.

If you use a converter to convert your information register to xBRL-CSV, it is important to note the following points:

Not all XBRL converters are suitable for information registers. It is important that the converter is capable of converting your register to xBRL-CSV (not iXBRL!);
Check whether the converter supports the EBA taxonomy;
The xBRL-CSV file must meet several requirements. Examples of the file's intended appearance can be found on the EBA website.

Furthermore, we recommend using tools that perform thorough data quality checks immediately. Additionally, we recommend validating what the provider does with the data.

Procedures at ESAs

The European Banking Authority (EBA) checks whether the file meets all requirements. If this reveals any errors, we will relay the EBA's feedback to the company via the AFM Portal. The reporting obligation will be reopened once the feedback has been uploaded.

From March 2026, feedback will normally be available in the AFM Portal within one business day; in exceptional cases, this may take two days. If it takes longer, please contact dora@afm.nl.

If you resubmit the information register, it is important that the file has a different name than your previous submissions. You can do this by adjusting the last digits of the file name (timestamp).

Questions and answers about the register of information

Below are several questions and answers from the AFM about the register of information . We also have a document with more detailed questions and answers (pdf, 300 kB) following a Q&A session. The ESAs themselves have also published information about the requests and a document with Q&As.

Frequently asked questions

My ICT service provider does not have a LEI or EUID. How do I fill in this field?

If your ICT service provider does not yet have an LEI or EUID, you must provide another available identification number. See also questions 39 and 40 of the ESAs' FAQ. To prevent your company from receiving a request to supplement the register of information, it is important that you do not use a dummy code and do not leave this field empty.

For some ICT contracts, certain data is still missing that needs to be entered into the register of information. How should we handle this?

For this, we refer you to questions 26 and 27 of the ESA’s FAQ.

Not all ICT contracts are DORA-compliant yet. Should we still include them?

We refer you to questions 26 and 27 of the ESA’s FAQ. You must include all ongoing contracts with ICT service providers in the register of information. If certain columns of the register of information are not yet available, you may enter 'not applicable' or follow any other instructions provided (see the question above).

Are there any specific naming conventions that the information register must comply with?

The European supervisors expect the file to follow the following naming convention:
DUMMYLEI123456789012.IND_NL_DORA010100_DORA_2025-12-31_YYYYMMDDHHMMSSsss

Files that do not meet this naming convention will not be accepted in the AFM portal. In addition, the files must be delivered in a zipped folder. Both the name of the ZIP file and the name of the folder inside must follow this same naming convention. More explanation can be found in the table below.

Example	Explanation
ExampleDUMMYLEI123456789012	ExplanationThe LEI of the reporting entity. In this example a dummy value.
Example.IND or .CON	Explanation.IND is used for an individual report. Only one financial institution reports. .CON is used for a consolidated report. Multiple financial institutions report within the same information register.
ExampleNL	ExplanationThis part is always the same. The country code does not change.
ExampleDORA010100	ExplanationThis part is always the same. It is the fixed code for the report type.
ExampleDORA	ExplanationThis part is always the same. The reporting framework.
Example2025-12-31	ExplanationThis part is always the same. The fixed reference date for the 2026 data request.
ExampleYYYYMMDDHHMMSSsss	ExplanationTimestamp of when the file was created. YYYY=year, MM=month, DD=day, HH=hour, MM=minute, SS=second, sss=millisecond.

Learn more

The AFM regularly communicates about relevant developments concerning DORA. More information about DORA can be found at our webpages on DORA.

Last modified: March 12, 2026