# DORA Article 28 ICT third-party Register of Information tracker DORA Article 28 requires regulated EU/EEA financial entities to maintain a Register of Information on ICT third-party arrangements and submit it to their National Competent Authority. This quarterly-refreshed tracker maps 92 nodes and 347 edges across 51 EU/EEA NCAs plus the EBA/ESMA/EIOPA consolidation layer, with portal status, deadline and schema at the 2026-05-03 cut-off. - Source: https://finray.tech/intelligence/dora-article-28-roi-tracker/ - Cluster: Authority - Published: 2026-05-03 - Updated: 2026-05-03 - Publisher: Finray Technologies Ltd, Cyprus Companies Registry HE 445903 - Editorial principle: primary sources only; conflicts of interest disclosed inline --- The DORA Article 28 ICT third-party Register-of-Information tracker maps the supervisory pathway, not the underlying entity-level data. Every node on the canvas is a regulator — a National Competent Authority, an EEA non-EU competent authority, or one of the three European Supervisory Authorities — classified against the public state of its Register-of-Information submission portal at the 2026-05-03 cut-off. **Consolidations published by the ESAs are anonymised; entity-level RoI data is supervisory-confidential and is not on this page.** The page reports the surface a buyer, a supervisor, or an in-house resilience function would reach when looking up "where do I send my DORA register?" — it is not a directory of who has filed what. DORA — Regulation (EU) 2022/2554 — entered into application on 17 January 2025. Article 28(1) obliges every in-scope financial entity to manage ICT third-party risk; Article 28(3) obliges the entity to maintain a Register of Information of all contractual arrangements with ICT third-party service providers, at entity, sub-consolidated and consolidated levels, and to make it available to the competent authority on request. Article 28(9) delegates the standard templates to the European Supervisory Authorities as Implementing Technical Standards — Commission Implementing Regulation (EU) 2024/2956 — which define 15 interdependent xBRL-CSV templates and 105 data points. Article 28(10) delegates the policy on contractual arrangements to a separate Regulatory Technical Standard — Commission Delegated Regulation (EU) 2024/1773 — which governs what the entity's internal contracting policy must contain, distinct from what the entity reports. The first annual collection happened in April 2025 with reference date 31 March 2025; competent authorities were required to forward the consolidated registers to the ESAs by 30 April 2025. The second annual collection — the **2026 cycle** — uses reference date **31 December 2025** and an ESA forwarding deadline of **31 March 2026**, with NCA-side firm submission windows opening between mid-February and mid-March 2026 across the supervisors covered here. The 2026 cycle is, by ESA decision, a "limited update": entities with no material changes since their 2025 submission can confirm the situation remains unchanged rather than re-submit a full register. From 2027 onwards, the 31 March ESA forwarding deadline is fixed. The architecture went live against a known data-quality baseline. The 2024 ESAs dry-run exercise — the joint preparatory collection that preceded the 2025 first cycle — published its summary on 17 December 2024: nearly 1,000 financial entities participated, 6.5% of submitted registers passed all data-quality checks, and roughly half of the remainder failed fewer than five of 116 checks. The ESAs characterised the exercise as "best effort" and judged the 2025 quality target reachable subject to additional industry effort. The 2026 cycle inherits both the architecture and the unfinished data-quality work — which is why the regulator-side filing surface, not the entity-side template, is the load-bearing artefact of this tracker. ([ESAs joint statement on the dry-run exercise, 17 December 2024](https://www.esma.europa.eu/press-news/esma-news/esas-dry-run-exercise-shows-goal-reporting-registers-information-under-digital), accessed 2026-05-03) There is a structural distinction the tracker is rigorous about. The **entity-level RoI** is held by the regulated entity and submitted to its NCA — its contents identify named ICT third-party service providers, contract values, sub-contracting chains, and the locations of data processing. That data is supervisory-confidential. The **consolidated RoI** is the aggregated dataset the ESAs receive from NCAs via EUCLID; it is the input for designating critical ICT third-party service providers (CTPPs) under Article 31. On 18 November 2025, the ESAs jointly designated the first batch of 19 CTPPs from analysis of the 2025 consolidated RoI. The designation list is public; the underlying register data is not. **A reader who wants to know whether a specific vendor or buyer was named in the consolidated RoI cannot infer that from this page** — that data is not lawful for Finray to publish even if it were retrievable. The supervisory pathway has two horizontals. **Banking-sector** RoI flows are EBA-coordinated through EUCLID; **markets-sector** flows are coordinated by ESMA (with the MiCA grandfathering window for crypto-asset service providers ending on 30 June 2026, after which CASP RoI submissions become a steady-state obligation); **insurance and IORP** flows are coordinated by EIOPA. Cross-sectoral coordination — the joint reporting FAQs of March 2025, the joint methodology for CTPP designation, the joint November 2025 designation list — is signed by the Joint Committee of the ESAs. A buyer or vendor whose ICT services span sectors should expect to see the same contractual arrangement appear in three sectoral consolidations; the ESAs deduplicate at the Joint Committee level. National implementations vary in submission technology, deadline, and supplementary content but converge on the ITS xBRL-CSV format. France's ACPR uses OneGate with separate accreditations for the insurance (DRA) and banking (DRB) collections; Germany's BaFin uses the MVP under the dedicated DORA technical procedure with a 9–30 March 2026 window; Luxembourg's CSSF uses eDesk between 11 February and 31 March 2026; Italy's Banca d'Italia uses INFOSTAT with a 15 March 2026 deadline; Sweden's Finansinspektionen uses FIDAC with a 28 February 2026 deadline. Cyprus's CySEC, by Circular C751 of 19 January 2026, has confirmed that Excel-based submissions are no longer accepted from the 2026 cycle — only xBRL-CSV via the CySEC XBRL Portal. Lithuania's Bank of Lithuania has built a Regnology-supported reporting system that accepts JSON, CSV, xBRL and API integration. The Netherlands' DNB and AFM operate separate portals (MyDNB Reporting Service and AFM Portal) for prudential and conduct-supervised entities respectively. The full per-NCA portal URLs and submission windows, with primary-source citations and accessed-date 2026-05-03, are in the regulator reference table below. Where this v1 has not confirmed a specific live RoI submission portal page against the supervisor's own publication at the cut-off, the regulator carries the **needs-verification** status anchor and is cited to its DORA landing page or supervisor homepage. That posture is conservative by design: the absence of a confirmed portal in this iteration is a fact about Finray's evidence pass, not an editorial judgement on the supervisor's rigour. Every NCA in this graph operates at peer level under DORA. The tracker is **refreshed quarterly**; needs-verification classifications are the priority work item of the next refresh. A note on the United Kingdom comparator. The UK left the EU before DORA was adopted and has not transposed it. The Bank of England, PRA and FCA have built a parallel framework: PRA Policy Statement PS16/24 (November 2024) on critical-third-party oversight introduced an oversight regime for designated CTPs to the UK financial sector, broadly analogous to DORA's Article 31 designations. PRA Policy Statement PS7/26 and FCA Policy Statement PS26/2 (both 18 March 2026) introduced the UK Operational Incident and Third-Party Reporting framework, which takes effect on 18 March 2027 and is intended to be broadly aligned with DORA Article 28 — interoperable templates where possible — but is not a replication. UK firms with EU subsidiaries face a dual reporting obligation: the EU subsidiary submits a DORA RoI to its EU NCA; the UK parent reports its UK third-party arrangements under the UK rules. The two regimes share design principles but use different reporting channels and different deadlines, and the two consolidations do not share data. This is a regulator-tracker, not a forensic register. There are no licensed-entity nodes; there are no rankings; there are no league tables. The Authority cluster on the Intelligence index exists for artefacts of this kind — pages that monitor the supervisory perimeter rather than the supervised population — and Finray Technologies Ltd does not ship a product that competes with regulators, so no recusal applies. Click any regulator node for its primary-source URL, accessed-date and current portal status. Click the regulation diamonds — DORA itself, the ITS on the Register of Information, the RTS on ICT third-party policy, and the cross-referenced RTS on incident classification — for the EUR-Lex source. Pan with click-drag; zoom with the wheel; reset with double-click on background. The reference index below the graph mirrors every regulator and every regulation in plain HTML for crawlers and citation tools. --- ## Reference index ### Regulators (51) - **European Banking Authority (EBA)** — https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/preparation-dora-application — EU banking supervisor; DORA RoI consolidation hub for the banking sector via EUCLID; co-signatory of the November 2025 first batch of CTPP designations. - **European Securities and Markets Authority (ESMA)** — https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora — EU securities and markets supervisor; DORA RoI consolidation hub for the markets sector; co-signatory of the November 2025 first batch of CTPP designations. - **European Insurance and Occupational Pensions Authority (EIOPA)** — https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en — EU insurance and pensions supervisor; DORA RoI consolidation hub for the insurance and IORP sector; co-signatory of the November 2025 first batch of CTPP designations. - **Joint Committee of the ESAs** — https://www.eba.europa.eu/sites/default/files/2025-03/31bb6e60-7d10-4405-a8c5-9f04934630ac/20250328%20-%20DORA%20RoI%20reporting%20FAQ%20(updated).pdf — Cross-sectoral coordination body of the three ESAs; signatory of the joint CTPP designation methodology and the joint DORA RoI FAQs. - **FMA Austria — Financial Market Authority** — https://www.fma.gv.at/en/cross-sectoral-topics/dora/dora-managing-of-ict-third-party-risk/ — Austrian single supervisor for banking, markets and insurance; DORA RoI submission portal: Incoming Platform; 2026 window 16 February to 13 March 2026. - **National Bank of Belgium (NBB)** — https://www.nbb.be/en/media/16801 — Belgian banking and payments supervisor; DORA RoI submission portal: OneGate (domain DOR). - **Financial Services and Markets Authority (FSMA Belgium)** — https://www.fsma.be/en/news/dora-register-information-third-party-ict-service-providers-limited-update-2026 — Belgian markets and conduct supervisor; DORA RoI scope confirmed for 2026 — limited update reporting cycle. - **Bulgarian National Bank (BNB)** — https://www.bnb.bg/RegistersAndServices/RSCIRegisters/BS_CI_REG_BANKSLIST_EN — Bulgarian banking and payments supervisor; DORA competent-authority status confirmed; submission portal not retrieved at cut-off. - **Financial Supervision Commission (FSC Bulgaria)** — https://www.fsc.bg/en/ — Bulgarian markets and insurance supervisor; DORA competent-authority status confirmed; submission portal not retrieved at cut-off. - **Central Bank of Cyprus (CBC)** — https://www.centralbank.cy/en/financial-stability/operational-resilience — Cypriot banking supervisor; DORA competent-authority status; RoI submission portal not retrieved at cut-off. - **Cyprus Securities and Exchange Commission (CySEC)** — https://www.cysec.gov.cy/en-gb/home/ — Cypriot markets and CASP supervisor; DORA RoI submission via the CySEC XBRL Portal; mandatory xBRL-CSV format from the 2026 cycle. - **Czech National Bank (CNB)** — https://www.cnb.cz/cs/statistika/sdat/dora/ — Czech single supervisor; DORA RoI submission via SDAT (Single Data Collection System); 2026 deadline 2 March 2026. - **BaFin — Federal Financial Supervisory Authority** — https://www.bafin.de/DE/Aufsicht/DORA/Informationsregister_und_Anzeigepflichten/Informationsregister_und_Anzeigepflichten_node.html — German single supervisor; DORA RoI submission via the MVP (Melde- und Veröffentlichungsplattform); 2026 window 9–30 March 2026. - **Finanstilsynet — Danish FSA (DFSA)** — https://www.dfsa.dk/reporting/new-reporting-system-for-eu-reports — Danish single supervisor; DORA RoI submission via e-Reg (replacing FIONA); 2026 window 2 February to 13 March 2026; correction window through 30 April 2026. - **Finantsinspektsioon — Estonian FSA** — https://fi.ee/en/news/finantsinspektsioon-holding-information-seminar-application-dora — Estonian single supervisor; DORA competent-authority status; RoI submission portal not retrieved at cut-off. - **Banco de España** — https://www.bde.es/wbe/en/supervisores-cooperacion-internacional/transferencia-funciones-supervisoras/digital-operational-resilience-act--dora-.html — Spanish banking supervisor; DORA competent-authority status; RoI submission portal page not retrieved at cut-off. - **CNMV — Comisión Nacional del Mercado de Valores** — https://www.cnmv.es/portal/ciberseguridad?lang=en — Spanish markets supervisor; supports xBRL-CSV submission and accepts Excel/JSON for the 2026 cycle. - **DGSFP — Directorate General for Insurance and Pensions Funds** — https://www.dgsfp.mineco.gob.es/en/index.aspx — Spanish insurance and pensions supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **FIN-FSA — Finnish Financial Supervisory Authority** — https://www.finanssivalvonta.fi/en/publications-and-press-releases/Press-release/2025/application-of-dora-has-started--fin-fsa-to-focus-on-the-management-of-ict-risks-and-cyber-threats-in-its-supervision/ — Finnish single supervisor; DORA competent-authority status; RoI submission portal page not retrieved at cut-off. - **ACPR — Autorité de contrôle prudentiel et de résolution** — https://acpr.banque-france.fr/fr/actualites/remise-des-registres-dinformation — French banking and insurance supervisor; DORA RoI submission via OneGate (DRA for insurance, DRB for banks); 2026 deadline 31 March 2026. - **AMF — Autorité des marchés financiers** — https://www.amf-france.org/en — French markets supervisor; DORA competent-authority status for in-scope entities under AMF supervision; submission portal not retrieved at cut-off. - **Bank of Greece** — https://www.bankofgreece.gr/en/main-tasks/supervision/dora-digital-operational-resilience-act-for-the-financial-sector — Greek banking and insurance supervisor for less significant institutions; DORA competent-authority status; submission portal not retrieved at cut-off. - **HCMC — Hellenic Capital Market Commission** — http://www.hcmc.gr/en/web/portal/home — Greek markets supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **HNB — Croatian National Bank** — https://www.hnb.hr/en/-/dora-uredba-o-digitalnoj-operativnoj-otpornosti-za-financijski-sektor-u-primjeni-iduce-godine — Croatian banking and payments supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **HANFA — Croatian Financial Services Supervisory Agency** — https://www.hanfa.hr/en/ — Croatian markets, insurance and pensions supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **MNB — Magyar Nemzeti Bank** — https://www.mnb.hu/en/supervision — Hungarian single supervisor; DORA competent-authority status; submission portal page not retrieved at cut-off. - **Central Bank of Ireland (CBI)** — https://www.centralbank.ie/regulation/digital-operational-resilience-act-dora/reporting-registers-of-information — Irish single supervisor; DORA RoI submission via the Central Bank of Ireland Portal; 2026 window 2–31 March 2026. - **Banca d'Italia** — https://www.bancaditalia.it/compiti/vigilanza/avvisi-pub/2026.02.13-regolamento-dora/index.html — Italian banking supervisor; DORA RoI submission via INFOSTAT; 2026 deadline 15 March 2026. - **CONSOB — Commissione Nazionale per le Società e la Borsa** — https://www.consob.it/web/consob-and-its-activities — Italian markets supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **IVASS — Istituto per la Vigilanza sulle Assicurazioni** — https://www.ivass.it/index.html?com.dotmarketing.htmlpage.language=3 — Italian insurance supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **Bank of Lithuania** — https://www.lb.lt/en/digital-operational-resilience-act-dora — Lithuanian single supervisor; DORA RoI submission via a Regnology-built reporting system supporting JSON, CSV, xBRL and API integration. - **CSSF — Commission de Surveillance du Secteur Financier** — https://www.cssf.lu/en/2026/02/dora-submission-timeframe-for-register-of-information-edesk-portal-open-as-of-11-february-2026/ — Luxembourg banking and markets supervisor; DORA RoI submission via eDesk; 2026 window 11 February to 31 March 2026. - **CAA — Commissariat aux Assurances** — https://www.caa.lu/en — Luxembourg insurance supervisor; DORA RoI submission deadline 1 March 2026 for insurers. - **Latvijas Banka** — https://www.bank.lv/en/operational-areas/financial-stability/dora — Latvian single supervisor; DORA RoI submission via the dedicated email channel dora@bank.lv; supplemented by the 2025 national Resilience of Digital Operations Law. - **MFSA — Malta Financial Services Authority** — https://www.mfsa.mt/wp-content/uploads/2025/11/Regulation-EU-20222554-on-Digital-Operational-Resilience-for-the-Financial-Sector-%E2%80%93-Register-of-Information-Reporting-Timelines-for-the-Year-2026-and-Onwards.pdf — Maltese single supervisor; DORA RoI submission via the LH Portal; 2026 deadline 21 March 2026. - **De Nederlandsche Bank (DNB)** — https://www.dnb.nl/en/sector-news/supervision-2026/dora-reporting-dora-registers-of-information-in-march-2026/ — Dutch prudential supervisor; DORA RoI submission via MyDNB Reporting Service; 2026 window 2–20 March 2026. - **AFM — Autoriteit Financiële Markten** — https://www.afm.nl/en/sector/themas/belangrijke-europese-wet--en-regelgeving/dora/informatieregister — Dutch markets supervisor; DORA RoI submission via the AFM Portal; 2026 deadline 22 March 2026. - **KNF — Polish Financial Supervision Authority** — https://www.knf.gov.pl/en/ — Polish single supervisor; first DORA RoI collection completed April 2025; 2026 cycle ongoing under the Polish DORA implementation framework. - **Banco de Portugal** — https://www.bportugal.pt/en — Portuguese banking supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **CMVM — Comissão do Mercado de Valores Mobiliários** — https://www.cmvm.pt/en — Portuguese markets supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **ASF — Autoridade de Supervisão de Seguros e Fundos de Pensões** — https://www.asf.com.pt/NR/exeres/E80B7EAB-FC42-4CA4-9097-DF7DA4ED5DBE.htm — Portuguese insurance and pensions supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **BNR — Banca Naţională a României** — https://www.bnr.ro/Home.aspx — Romanian banking supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **ASF — Autoritatea de Supraveghere Financiară** — https://asfromania.ro/en/ — Romanian markets, insurance and pensions supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **Finansinspektionen — Swedish FSA** — https://www.fi.se/en/e-services-and-forms/reporting-to-fi/fidac/reporting-according-to-dora/ — Swedish single supervisor; DORA RoI submission via FIDAC; 2026 deadline 28 February 2026. - **Banka Slovenije** — https://www.bsi.si/en/ — Slovenian banking supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **ATVP — Securities Market Agency of Slovenia** — https://www.a-tvp.si/eng/ — Slovenian markets supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **AZN — Slovenian Insurance Supervision Agency** — https://www.a-zn.si/en/ — Slovenian insurance and pensions supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **NBS — Národná banka Slovenska** — https://nbs.sk/en/financial-market-supervision1/ — Slovak single supervisor; DORA competent-authority status; submission portal not retrieved at cut-off. - **Finanstilsynet — Financial Supervisory Authority of Norway** — https://www.finanstilsynet.no/rapportering/fellesrapporteringer/dora-rapportering-av-register-over-ikt-tjenesteavtaler-roi/ — Norwegian single supervisor; DORA RoI submission via e-Reg; 2026 deadline 13 March 2026; submissions forwarded to the EBA for validation. - **Fjármálaeftirlitið (FME) — Central Bank of Iceland Financial Supervision** — https://en.fme.is/ — Icelandic single supervisor; DORA entered into force in Iceland on 1 November 2025 via the EEA Agreement; first reporting cycle Q1 2026. - **FMA Liechtenstein — Financial Market Authority Liechtenstein** — https://www.fma-li.li/en/supervision-regulation/dora/dora-reporting — Liechtenstein single supervisor; DORA RoI submission via the e-Service Portal for Financial Intermediaries. ### Regulations (4) - **DORA Regulation (EU) 2022/2554** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng — EU regulation establishing the digital operational resilience framework for the financial sector; applicable from 17 January 2025. - **ITS on the Register of Information (EU) 2024/2956** — https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng — Commission Implementing Regulation establishing the standard templates for the Register of Information under DORA Article 28(9). - **RTS on ICT third-party policy (EU) 2024/1773** — https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng — Commission Delegated Regulation specifying the policy on contractual arrangements with ICT third-party service providers supporting critical or important functions under DORA Article 28(10). - **RTS on ICT services supporting critical functions (EU) 2024/1772** — https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng — Commission Delegated Regulation on classification and reporting of major ICT-related incidents under DORA Articles 18 and 19.