Register of Information

Yes, the ESAs published a FAQ document on February 14, 2025, regarding the collection of registers of information. Additionally, the ESAs shared details on their website about how these information registers should be collected and reported.

No. The Dry Run was a test inquiry for supervisory authorities and market participants in 2024, and the requirements differ from the format used then. We have published a form that u can use.

If your ICT service provider does not yet have an LEI or EUID, you must provide another available identification number. See also question 40 of the ESAs' FAQ. To prevent your company from receiving a request to supplement the register of information, it is important that you do not use a dummy code and do not leave this field empty.

For this, we refer you to questions 26 and 27 of the ESA’s FAQ. 

We refer you to questions 26 and 27 of the ESA’s FAQ. You must include all ongoing contracts with ICT service providers in the register of information. If certain columns of the register of information are not yet available, you may enter 'not applicable' or follow any other instructions provided (see the question above). 

Yes. Based on the combined registers of information, the ESA’s aim to identify which ICT service providers should be classified as critical ICT service providers under supervision. The draft RTS on subcontracting and the ESA’s FAQ (including questions 70, 79, 84, and 85) can be used as a reference point.

We refer you to questions 4 to 9 of the ESA’s FAQ.

In addition, DNB will request the register of information at consolidated prudential level from (parent undertakings of) banks and insurers under its supervision. If this consolidated register of information also includes the registers of information for one or more other financial entities for which the AFM is the competent authority under DORA, submission of the register to DNB may be sufficient. In that case, the individual and (sub-)consolidated registers of information do not need to be submitted separately to the AFM, to avoid double reporting.

However, this is only permitted if the consolidated register of information clearly indicates the relevant parts of the register for each individual financial entity. In other words, it must be evident from the register which contractual agreement regarding the use of ICT services provided by third-party providers relates to which financial entity. If this is not possible, the AFM expects the register of information to be submitted to it at the level of the individual entity or at sub-consolidated level.

No, financial entities must always maintain an information register at both individual and (sub)consolidated levels.

A distinction must be made between the obligation to maintain and update (i.e., maintain) a register of information (ROI) on the one hand, and the obligation to provide the ROI to the competent authorities on the other.

The first obligation applies to all financial entities and means that they must maintain and update an ROI at the level of the entity, as well as at sub-consolidated and consolidated level. The second obligation entails that financial entities must make their full ROI, or specific parts thereof upon request, available to the competent authority.

The register of information is requested annually so that the ESA’s can determine which ICT service providers should be placed under supervision as critical ICT service providers. After we have received the registers, we will forward the registers of information to the ESA’s. Additionally, we may use the information for our supervision of the financial entities that fall under DORA.