Last reviewed · Version 1.0.0 · Evidence cutoff
The DORA Article 28 ICT third-party Register-of-Information tracker maps the supervisory pathway, not the underlying entity-level data. Every node on the canvas is a regulator — a National Competent Authority, an EEA non-EU competent authority, or one of the three European Supervisory Authorities — classified against the public state of its Register-of-Information submission portal at the 2026-05-03 cut-off. Consolidations published by the ESAs are anonymised; entity-level RoI data is supervisory-confidential and is not on this page. The page reports the surface a buyer, a supervisor, or an in-house resilience function would reach when looking up “where do I send my DORA register?” — it is not a directory of who has filed what.
DORA — Regulation (EU) 2022/2554 — entered into application on 17 January 2025. Article 28(1) obliges every in-scope financial entity to manage ICT third-party risk; Article 28(3) obliges the entity to maintain a Register of Information of all contractual arrangements with ICT third-party service providers, at entity, sub-consolidated and consolidated levels, and to make it available to the competent authority on request. Article 28(9) delegates the standard templates to the European Supervisory Authorities as Implementing Technical Standards — Commission Implementing Regulation (EU) 2024/2956 — which define 15 interdependent xBRL-CSV templates and 105 data points. Article 28(10) delegates the policy on contractual arrangements to a separate Regulatory Technical Standard — Commission Delegated Regulation (EU) 2024/1773 — which governs what the entity’s internal contracting policy must contain, distinct from what the entity reports.
The first annual collection happened in April 2025 with reference date 31 March 2025; competent authorities were required to forward the consolidated registers to the ESAs by 30 April 2025. The second annual collection — the 2026 cycle — uses reference date 31 December 2025 and an ESA forwarding deadline of 31 March 2026, with NCA-side firm submission windows opening between mid-February and mid-March 2026 across the supervisors covered here. The 2026 cycle is, by ESA decision, a “limited update”: entities with no material changes since their 2025 submission can confirm the situation remains unchanged rather than re-submit a full register. From 2027 onwards, the 31 March ESA forwarding deadline is fixed.
The architecture went live against a known data-quality baseline. The 2024 ESAs dry-run exercise — the joint preparatory collection that preceded the 2025 first cycle — published its summary on 17 December 2024: nearly 1,000 financial entities participated, 6.5% of submitted registers passed all data-quality checks, and roughly half of the remainder failed fewer than five of 116 checks. The ESAs characterised the exercise as “best effort” and judged the 2025 quality target reachable subject to additional industry effort. The 2026 cycle inherits both the architecture and the unfinished data-quality work — which is why the regulator-side filing surface, not the entity-side template, is the load-bearing artefact of this tracker. (ESAs joint statement on the dry-run exercise, 17 December 2024, accessed 2026-05-03)
There is a structural distinction the tracker is rigorous about. The entity-level RoI is held by the regulated entity and submitted to its NCA — its contents identify named ICT third-party service providers, contract values, sub-contracting chains, and the locations of data processing. That data is supervisory-confidential. The consolidated RoI is the aggregated dataset the ESAs receive from NCAs via EUCLID; it is the input for designating critical ICT third-party service providers (CTPPs) under Article 31. On 18 November 2025, the ESAs jointly designated the first batch of 19 CTPPs from analysis of the 2025 consolidated RoI. The designation list is public; the underlying register data is not. A reader who wants to know whether a specific vendor or buyer was named in the consolidated RoI cannot infer that from this page — that data is not lawful for Finray to publish even if it were retrievable.
The supervisory pathway has two horizontals. Banking-sector RoI flows are EBA-coordinated through EUCLID; markets-sector flows are coordinated by ESMA (with the MiCA grandfathering window for crypto-asset service providers ending on 30 June 2026, after which CASP RoI submissions become a steady-state obligation); insurance and IORP flows are coordinated by EIOPA. Cross-sectoral coordination — the joint reporting FAQs of March 2025, the joint methodology for CTPP designation, the joint November 2025 designation list — is signed by the Joint Committee of the ESAs. A buyer or vendor whose ICT services span sectors should expect to see the same contractual arrangement appear in three sectoral consolidations; the ESAs deduplicate at the Joint Committee level.
National implementations vary in submission technology, deadline, and supplementary content but converge on the ITS xBRL-CSV format. France’s ACPR uses OneGate with separate accreditations for the insurance (DRA) and banking (DRB) collections; Germany’s BaFin uses the MVP under the dedicated DORA technical procedure with a 9–30 March 2026 window; Luxembourg’s CSSF uses eDesk between 11 February and 31 March 2026; Italy’s Banca d’Italia uses INFOSTAT with a 15 March 2026 deadline; Sweden’s Finansinspektionen uses FIDAC with a 28 February 2026 deadline. Cyprus’s CySEC, by Circular C751 of 19 January 2026, has confirmed that Excel-based submissions are no longer accepted from the 2026 cycle — only xBRL-CSV via the CySEC XBRL Portal. Lithuania’s Bank of Lithuania has built a Regnology-supported reporting system that accepts JSON, CSV, xBRL and API integration. The Netherlands’ DNB and AFM operate separate portals (MyDNB Reporting Service and AFM Portal) for prudential and conduct-supervised entities respectively. The full per-NCA portal URLs and submission windows, with primary-source citations and accessed-date 2026-05-03, are in the regulator reference table below.
Where this v1 has not confirmed a specific live RoI submission portal page against the supervisor’s own publication at the cut-off, the regulator carries the needs-verification status anchor and is cited to its DORA landing page or supervisor homepage. That posture is conservative by design: the absence of a confirmed portal in this iteration is a fact about Finray’s evidence pass, not an editorial judgement on the supervisor’s rigour. Every NCA in this graph operates at peer level under DORA. The tracker is refreshed quarterly; needs-verification classifications are the priority work item of the next refresh.
A note on the United Kingdom comparator. The UK left the EU before DORA was adopted and has not transposed it. The Bank of England, PRA and FCA have built a parallel framework: PRA Policy Statement PS16/24 (November 2024) on critical-third-party oversight introduced an oversight regime for designated CTPs to the UK financial sector, broadly analogous to DORA’s Article 31 designations. PRA Policy Statement PS7/26 and FCA Policy Statement PS26/2 (both 18 March 2026) introduced the UK Operational Incident and Third-Party Reporting framework, which takes effect on 18 March 2027 and is intended to be broadly aligned with DORA Article 28 — interoperable templates where possible — but is not a replication. UK firms with EU subsidiaries face a dual reporting obligation: the EU subsidiary submits a DORA RoI to its EU NCA; the UK parent reports its UK third-party arrangements under the UK rules. The two regimes share design principles but use different reporting channels and different deadlines, and the two consolidations do not share data.
This is a regulator-tracker, not a forensic register. There are no licensed-entity nodes; there are no rankings; there are no league tables. The Authority cluster on the Intelligence index exists for artefacts of this kind — pages that monitor the supervisory perimeter rather than the supervised population — and Finray Technologies Ltd does not ship a product that competes with regulators, so no recusal applies. Click any regulator node for its primary-source URL, accessed-date and current portal status. Click the regulation diamonds — DORA itself, the ITS on the Register of Information, the RTS on ICT third-party policy, and the cross-referenced RTS on incident classification — for the EUR-Lex source. Pan with click-drag; zoom with the wheel; reset with double-click on background. The reference index below the graph mirrors every regulator and every regulation in plain HTML for crawlers and citation tools.