Our 3 Key Takeaways from the BaFin Workshop on the DORA Register of Information

31. March 2025

Original publication date: March 10, 2025.

Since the publication of this blog post, BaFin has postponed the deadline for submission from April 11 to April 28, 2025.


More than 3,000 participants attended the two-hour online workshop hosted by the German Federal Financial Supervisory Authority (BaFin) on submitting the Register of Information (RoI).

A Brief Recap: The Register of Information

Since January 2025, the Digital Operational Resilience Act (DORA) has required companies in the financial sector to maintain a Register of Information. This register must contain all contractual agreements regarding the use of information and communication technology (ICT) services between a company and its third-party ICT providers.

The purpose of compiling this information in a standardized overview document is to give the European Supervisory Authorities (ESAs) insight into the contractual relationships and the dependencies of European financial institutions on third-party ICT providers. The goal is to identify potential concentration risks across Europe in order to limit or even prevent them in the future.

DORA mandates that the register must be kept available as of January 17, 2025, and provided to the relevant supervisory authority upon request. In addition to this ongoing availability, the Register of Information must also be submitted annually to the supervisory authority. The first submission must be made to BaFin by April 28, 2025 – or, in the case of significant credit institutions, to the European Central Bank (ECB).

To answer key questions about the submission process, BaFin held a workshop. Our financial security experts attended on your behalf and identified three key takeaways:

Excel or No Excel? That Is the Question.

The ESAs have specified XBRL as the required format for creating the Register of Information. Since this format poses challenges, particularly for small and medium-sized enterprises, BaFin has stepped in to help by providing an Excel template. After submission, BaFin will convert the Excel file into XBRL and forward it to the ESAs.

BaFin’s Excel template is fully aligned with the relevant ITS (Implementing Technical Standards) for the Register of Information, following the same numbering and terminology. The template is only available in English.

During the workshop, BaFin pointed out that the Excel template is primarily intended for small and medium-sized enterprises, as it reaches its limits when handling large data volumes.

Additionally, the template is only a beta version and currently available exclusively for Windows. Another key issue raised was that the template includes macro elements, which many IT departments prohibit for security reasons.

Don’t Wait Until April 28 to Upload!

We've all seen it happen – deadlines get stretched to the very last minute. However, in this case, an early submission is strongly advised, and here’s why:

  • You can only upload your file once you are authorized for the DORA submission process. Register early – the BaFin website is already available.
  • BaFin will activate the upload portal at the end of March.
  • Submission is only considered complete once BaFin and the ESAs have reviewed and accepted your file. Processing may take a few days.
  • No automatic notifications will be sent regarding the status of your submission. You will need to proactively check the portal for updates.

Our experts urgently recommend: Plan a sufficient buffer between submission and the April 28, 2025 deadline to allow for potential feedback or necessary corrections.

Subcontractors: Where Do You Draw the Line?

Another key question regarding the Register of Information remains: To what extent should subcontractors be listed?

One thing is clear: If an ICT service provider supports critical or important functions, then all subcontractors that significantly contribute to this service must be listed. In other words: If a disruption at a subcontractor could impact the security or continuity of the ICT service, it must be included in the register.

To provide guidance, BaFin shared the following key questions during the workshop:

  • Is there a direct and explainable dependency between the ICT service and the subcontractor?
  • Does the subcontractor ensure the provision of essential parts of the ICT service that support a critical or important function?
  • Could a disruption at the subcontractor impact the security or continuity of the ICT service?

BaFin illustrated this with a concrete example:

If a financial institution lists the core banking system provider as an ICT third-party service provider, then at least the following subcontractors must also be listed:

  • Cloud provider for the core banking system
  • Firewall for the core banking system
  • Load management services

Each of these subcontractors meets at least one of the criteria contained in the key questions.

However, the Customer Relationship Management (CRM) system of the core banking system does not need to be listed. It neither represents a critical component of the ICT service nor affects the security or continuity of the core banking system.

Important Note: This example is for illustrative purposes only and, as BaFin repeatedly emphasized, reflects their interpretation of the ITS. However, if the ESAs contradict BaFin’s interpretation, their position will take precedence.

Our experts recommend: Continue to follow the proportionality principle and the risk-based approach that you are already familiar with from previous financial regulations.


Do you have questions about DORA or need support with implementating it? Get in touch. We are happy to assist you.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories