EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
In recent communications, the CSSF has reiterated both the importance and urgency of the Register of Information obligation, reminding financial entities that the RoI is a cornerstone of DORA’s oversight framework and a key input for EU‑level supervision.
Fast‑approaching deadlines
Financial entities subject to DORA and required to submit a Register of Information at individual or consolidated level must take note of the following deadlines:
- 31 March 2026 for most financial entities
- 30 June 2026 for third‑country branches of credit institutions
Despite the regulatory clarity, supervisory data shows that, as of 16 March, only around 40% of entities required to submit an RoI have done so. With the deadline rapidly approaching, the CSSF has explicitly urged remaining entities to submit their registers as soon as possible, allowing sufficient time to identify and remediate potential issues.
Quality checks do not stop at submission
Submission to the CSSF is not the end of the process. As previously communicated, the CSSF will forward all registers to the ESAs. During April 2026, the ESAs will carry out additional quality and consistency checks. Where deficiencies or errors are detected, the ESAs may reject the register, triggering a remediation cycle:
- The financial entity is informed by the CSSF
- Identified issues must be corrected
- The RoI must be resubmitted to the CSSF, which will forward it again to the ESAs
This process must be completed before the end of April 2026.
For this reason, the CSSF strongly recommends that affected firms ensure the availability of relevant resources throughout April, to avoid delays, rejections, or supervisory friction during the validation phase. In practice, this means DORA compliance teams, IT, procurement, risk management and legal functions must remain mobilized well beyond the initial filing date.
Why the Register of Information is proving challenging
The RoI is not a simple inventory exercise. It requires financial entities to demonstrate a consistent, structured and risk‑based view of their ICT third‑party ecosystem, including:
- Mapping ICT service providers and subcontracting chains
- Classifying critical and important functions
- Aligning contractual data with DORA taxonomy and definitions
- Ensuring consistency across group entities and consolidation scopes
- Reconciling IT, operational risk and outsourcing records
For many organizations, this is the first time such information is being assembled in a single, supervisory‑ready dataset, exposing data gaps, inconsistencies and governance weaknesses.
The CSSF’s message is clear: firms that wait until the last moment risk facing avoidable operational pressure during the ESA validation phase. Early submission, robust quality assurance and adequate resourcing in April will be key to ensuring a smooth process.
Karim Bouaissi
EY Luxembourg Consulting Partner – Cyber & Digital Risk
How EY can help
We support financial entities across Luxembourg at every stage of the DORA journey, combining regulatory interpretation, data structuring and hands‑on implementation. In the context of the Register of Information, our support can include:
- Scoping and applicability assessments, including individual versus consolidated submissions
- Design and population of the RoI, aligned with DORA technical standards and CSSF expectations
- Data gap analysis and remediation, bringing together IT, outsourcing, procurement and risk data
- Criticality assessments for ICT services and third‑party providers
- Quality reviews and mock ESA checks, to reduce the risk of rejection during April validations
- Submission support and re‑submission management, including tight turnaround remediation where issues are identified
- Governance and operating model design, ensuring the RoI remains accurate, maintainable and audit‑ready over time
Beyond the immediate deadline, we also help firms embed the RoI into a sustainable DORA operating model, supporting ongoing updates, future supervisory requests, and alignment with incident reporting, resilience testing and third‑party risk management obligations.
If you would like to validate your current Register of Information, need support with completion or remediation, or wish to discuss how to operationalize DORA requirements more broadly, we would be pleased to exchange and support you through this critical phase.
The purpose of the Register of Information, and more broadly of ICT third-party risk management, goes beyond regulatory compliance. When applied through a risk-based approach, it enables financial entities to identify which ICT third-party dependencies truly support critical and important functions, and to align governance, controls, and remediation efforts accordingly.
Abdelhay Toudma
EY Luxembourg Technology Consulting Partner, Governance Risk and Compliance (GRC) Leader
Summary
In recent communications, the CSSF has reiterated both the importance and urgency of the Register of Information obligation, reminding financial entities that the RoI is a cornerstone of DORA’s oversight framework and a key input for EU‑level supervision.
Related articles
How the EU AML package is transforming compliance for financial firms
Discover how new EU anti-money laundering rules reshape compliance, onboarding and risk management for financial institutions.
Four regulatory shifts financial firms must watch in 2026
Our Global Financial Services Regulatory Outlook has four regulatory priorities to drive financial institutions' focus in 2026. Download the report.
AMLA’s approach takes shape: what the new EU AML standards mean for financial institutions
Europe’s long‑promised overhaul of anti‑money laundering supervision is moving from blueprint to reality.