DORA Information Register 2026: BaFin reporting deadline is running - What financial companies have to do now

Monday morning, March 10, 2026. Your head of compliance is standing in the door: "The BaFin reporting period for the information register started yesterday. We have 20 days." You look at your ICT service provider list - and see an Excel chaos from three departments, missing subcontractor chains and not a single xBRL export. A validated, complete register must be available on the BaFin platform within 20 days.

This exact scenario is currently playing out in hundreds of financial companies. The annual submission deadline for the DORA information register has been running since March 9, 2026 - and ends on March 30. No extension, no goodwill.

This article explains what the information register specifically requires, which errors BaFin saw most frequently last year and how you can complete the submission in the remaining weeks.

What is the DORA Information Register?

Article 28(3) of DORA requires every financial entity within the scope of the Regulation to keep a complete register of all contractual agreements with third-party ICT service providers. That sounds like a table - but it is a complex reporting system with clear technical specifications.

The register records:

• All ICT service providers who provide services to the company - internally and externally
• Any contractual agreements that support critical or important functions
• The full subcontracting chain, at least up to the first external subcontractor
• Risk classification, contract terms, notice periods and exit plans
• Information on the data location and the legal location of the service provider

Important:The register goes far beyond classic swap directories. Other ICT services must also be recorded - i.e. services that do not constitute formal outsourcing but still support operational functions.

BaFin reporting deadline 2026: March 9th to 30th

BaFin has set the submission period for 2026: From March 9th to 30th, all financial companies must submit their updated information register via the reporting and publication platform (MVP).

The most important key data:

• Deadline: The register must reflect the status as of December 31, 2025
• Format: Exclusively as a structured xBRL file (ESA taxonomy) or via the BaFin Excel template
• Portal: Submission only via the “Digital Operational Resilience Act (DORA)” specialist procedure in the BaFin-MVP
• Validation: After submission, companies receive an error log - errors must be corrected at short notice and the register resubmitted
• Test procedure: Test submissions can be made in advance using the specialist procedure “TEST: DORA”.

No technical changes to the taxonomy:The ESAs have not made any changes to the xBRL taxonomy for the 2026 submission process. If you already had your data in the right format in 2025, you don't have to adjust the structure - just update the content.

600 incidents in 12 months: Why the register is so important now

The numbers speak for themselves: Since January 2025, BaFinover 600 serious ICT incidentsregistered in the German financial sector. 63 percent of these incidents were directly related to external third-party ICT service providers.

The information register is not a bureaucratic end in itself. It is the central instrument that supervisors use to identify systemic dependencies in the financial sector. Based on the registers submitted in 2025, the European Supervisory Authorities (ESAs) have for the first time named 19 critical third-party ICT service providers - including Amazon, Microsoft and Google. These are now under direct surveillance.

Three insights from the submissions so far:

1. Concentration risk is real: The top 10 critical ICT service providers hold over 85 percent of all contracts. An outage at a single provider can affect hundreds of institutions at the same time.
2. 75 percent of critical service providers are located in third countries: predominantly in the USA. The data location may be European, but the decision-making power often is not.
3. Lack of exit plans: Many financial companies do not have a documented exit plan for their key ICT contracts. The more difficult it is to replace, the less often a plan exists - exactly the opposite of what DORA demands.

What exactly needs to be included in the register?

The DORA information register is structured in several tables that follow the ESA taxonomy. Financial companies must provide comprehensive information for each ICT contract:

At the corporate level

• LEI (Legal Entity Identifier) of the reporting company
• Consolidation level: Individual message (.IND) or consolidated message (.CON) for groups
• Identification of all critical and important business functions

At the contract level

• Complete contract identification (contract type, term, notice periods)
• Mapping to supported business functions
• Risk Classification: Does the contract support a critical or important function?
• Costs and compensation structure
• Data location: Where is the data processed and stored?

At the service provider level

• LEI or comparable identification of the ICT third-party service provider
• Legal location and headquarters
• Subcontractor information — the entire chain for critical functions
• Substitutability: How easily can the service provider be replaced?

Special attention for subcontractors:If an intra-group ICT service provider uses subcontractors, the chain in the register must always include at least the first external subcontractor — even if the service does not support a critical function.

The most common errors when submitting

BaFin addressed the typical problem areas during its workshops on February 24 and 26, 2026. Experience from the first year of submissions in 2025 shows recurring sources of error:

1. Inconsistent foreign keys

The tables of the information register are linked to each other. The LEI in table B.01.02 must exactly match the LEI in the contract tables. Even one typing error leads to an automatic rejection by the validation system.

2. Incomplete subcontractor chains

Many institutions only record their direct service providers, but not their subcontractors. DORA requires the full chain — especially for services that support critical functions.

3. Incorrect file formats

BaFin only accepts xBRL files according to the ESA taxonomy or the official Excel template. Custom Excel formats, CSV exports or PDF uploads will be rejected.

4. Lack of risk classification

Not every ICT contract is equally critical. But the “supports critical/important function” assignment must be documented for each contract. Companies that make general classifications here risk questions.

5. Outdated contract data

The register must reflect the status as of December 31, 2025. Contracts concluded or terminated in 2025 must be recorded accordingly. A register based on the status of 2024 will not be accepted.

Practical guide: How to submit by March 30th

20 days is short. But doable. Here is the timetable:

Week 1 (March 9-16): Data collection and consolidation

• Merge existing contract registers from purchasing, IT, compliance and risk management
• Identify gaps: Which ICT service providers are missing? Which subcontractors are not included?
• Verify LEIs of all service providers
• Carry out test submission via the BaFin test procedure

Week 2 (March 17-23): Validation and Quality Assurance

• Evaluate and correct error log of test submission
• Check foreign keys and cross-references between tables
• Coordinate risk classification with the specialist departments
• Document exit plans for contracts with critical functions

Week 3 (March 24-30): Submission and re-editing

• Carry out final submission via BaFin-MVP
• Check the productive submission error log immediately
• Submit corrections within the deadline
• Secure internal documentation of the submission for audit purposes

What happens if you miss the deadline?

DORA is an EU regulation with direct application. BaFin has defined the submission of the information register as a supervisory obligation. Anyone who does not submit on time must expect:

• Supervisory inquiries and measures by BaFin
• Increased inspection intensity for upcoming on-site inspections
• Reputation risks in internal and external reporting
• In extreme cases: fines according to the Financial Market Digitization Act (FinmadiG)

BaFin made it clear in its workshop: Onehigh data qualityis expected. “Correctness and completeness” were the core messages. The days when you could submit a half-finished register are over.

The larger context: DORA 2026 goes far beyond the register

The information register is just one of the five DORA pillars. BaFin has set its audit priorities for 2026:

• ICT risk management framework: Is it documented, approved by management and embedded in operations?
• Incident Reporting: Can your company meet the 4-hour initial reporting deadline for serious ICT incidents?
• Resilience testing: BaFin expects the first evidence of basic tests carried out and - for systemically important institutions - threat-led penetration tests (TLPT) in 2026.
• Contract adjustment: Existing ICT contracts must be adapted to the DORA minimum contract contents. For institutes under BAIT/VAIT/KAIT/ZAIT, a transition period applies until January 1, 2027

Conclusion: The information register is the litmus test for your DORA readiness

Submitting the information register is not just a reporting requirement. It is the first real test by which BaFin recognizes how seriously an institution takes DORA. Anyone who submits a complete, validated register on time signals compliance maturity. Anyone who does not do so will be on the list for the next on-site inspection.

The deadline is running.Use the remaining days to consolidate, validate and submit your registry. BaFin assistance —Filling instructions,Excel templateandError codes— are solid. Use them.

If you need support with DORA implementation — from register preparation to the overall strategy —talk to our experts. ADVISORI has been supporting financial companies in regulatory transformation projects for years.

Frequently asked questions about the DORA information register

Which companies must submit the information register?

All financial companies within the scope of DORA - banks, insurance companies, payment service providers, investment firms, crypto service providers and other players in the financial sector.

In what format must the register be submitted?

As a structured xBRL file according to ESA taxonomy or via the official BaFin Excel template. Other formats are not accepted.

What happens after submission?

BaFin carries out an automatic validation and sends an error log. Incorrect submissions must be corrected and resubmitted within the deadline.

Do ICT service providers within the group also have to be recorded?

Yes. Internal ICT service providers and their external subcontractors must also be recorded in the register.

What is the difference between individual and consolidated reporting?

Sole proprietorships file an individual report (.IND). Financial groups can submit a consolidated report (.CON) at the group level, but must cover all individual companies in the group.