DORA Art. 28: CSSF turns up the heat on the ICT dependencies register
As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.
CSSF opened the eDesk collection of the information register required by Article 28(3) of Regulation (EU) 2022/2554 (DORA) and, in mid‑March 2026, noted that only 40% of entities had filed, with ESAs’ quality checks in April and a risk of rejections requiring swift fixes. For a recap of the framework, see DORA and operational resilience.
The case
On 11 February 2026, Luxembourg’s Commission de Surveillance du Secteur Financier (CSSF) opened, via eDesk, the collection of the information register required under Article 28(3) of Regulation (EU) 2022/2554 (DORA), with a submission window from 11 February to 31 March 2026. CSSF specified the register must cover “all contractual arrangements on the use of ICT services provided by third‑party providers,” at individual, sub‑consolidated and consolidated levels, in line with Circular CSSF 25/882. It also warned about excessive access risks when delegating eDesk to third parties and urged operational caution in managing internal and external access rights [CSSF release 11/02/2026]. See: CSSF, “DORA – Deadline for submission of the information register – eDesk open as of 11 February 2026.” https://www.cssf.lu/fr/2026/02/dora-delai-de-soumission-du-registre-dinformation-portail-edesk-ouvert-a-partir-du-11-fevrier-2026/.
On 17 March 2026, CSSF updated that “as of 16 March, only 40% of in‑scope entities have submitted their register” and, given additional April checks by the European Supervisory Authorities (ESAs), rejections may occur and require corrections and re‑submission before end‑April. It also confirmed a 30 June 2026 deadline “on a best effort basis” for branches of credit institutions from third countries, following ESAs’ clarification DORA102‑3097 on DORA applicability to third‑country branches [CSSF 17/03/2026; EIOPA Q&A DORA102‑3097]. See: CSSF, “DORA – Collection of the information register – Update (English only).” https://www.cssf.lu/fr/2026/03/dora-collecte-du-registre-dinformation-mise-a-jour/ and EIOPA, Q&A DORA102‑3097. https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora102-3097_en.
Legal reasoning
- Basis. Article 28(3) DORA requires every “financial entity” (banks, IFMs, PSFs, insurers, managers, etc.) to maintain a register of all third‑party ICT service contracts, updated at individual, sub‑consolidated and consolidated levels. The same Article mandates ESAs to develop standardized templates (ITS) for this register. Official text: Regulation (EU) 2022/2554, Art. 28. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32022R2554.
- Required formats and fields. The Commission’s ITS, Implementing Regulation (EU) 2024/2956 of 29 November 2024, lays down the standard templates (mandatory valid LEI, parameter tables, standardized identifiers for providers and critical/important functions). Reference: 2024/2956. http://data.europa.eu/eli/reg_impl/2024/2956/oj.
- Third‑country branches. The ESAs’ joint clarification (Q&A DORA102‑3097) confirms that branches of credit institutions headquartered outside the EU must submit a register to the competent authority of the host Member State – in Luxembourg, the CSSF. https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora102-3097_en.
- Interplay with NIS 2 in Luxembourg (ILR). DORA is a “lex specialis” sectoral act under Article 4 of Directive (EU) 2022/2555 (NIS 2). The Commission recalled that for financial entities deemed “essential” or “important” under NIS 2, DORA prevails for ICT and third‑party risk management (Chapter V, including Art. 28). Commission Communication on Article 4(1)-(2) NIS 2. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A52023XC0918%2801%29. For local rollout aspects, see the Luxembourg DORA implementation.
- Supervisory expectations (CSSF). The 2026 collection is not a mere upload: CSSF announces ESAs’ quality checks in April (post‑transmission) and the need for resources to fix rejections under tight timelines. https://www.cssf.lu/fr/2026/03/dora-collecte-du-registre-dinformation-mise-a-jour/.
What changes in practice
- All Luxembourg financial entities (banks, PSFs, IFMs, insurers, managers, regulated crypto‑asset service providers, etc.) must map their entire set of third‑party ICT contracts—not only those deemed “critical/important”—and submit them per ITS 2024/2956. Critical/important functions must be flagged, with full technical, legal and operational dependencies. For exit and continuity planning, operational support can leverage business continuity and DORA resilience.
- Branches in Luxembourg of third‑country credit institutions are in scope and, per CSSF, must provide the register by 30 June 2026 on a “best effort” basis (specific deadline stemming from clarification DORA102‑3097). https://www.cssf.lu/fr/2026/02/dora-delai-de-soumission-du-registre-dinformation-pour-les-succursales-detablissements-de-credit-ayant-leur-siege-social-dans-un-pays-tiers/.
- Data quality is not cosmetic: CSSF indicated that the ESAs (EBA, ESMA, EIOPA) run automated checks; format or identifier errors (LEI, standardized provider/function codes) trigger rejections, iterations and documentary non‑compliance risks if fixes are not completed before end‑April. https://www.cssf.lu/fr/2026/03/dora-collecte-du-registre-dinformation-mise-a-jour/ ; CSSF “error messages” guidance. https://www.cssf.lu/en/Document/guidance-for-interpretation-and-resolution-of-cssf-error-messages-related-to-the-submission-of-the-dora-register/.
- Where NIS 2/ILR and DORA/CSSF overlap, the DORA third‑party ICT inventory becomes the “source of truth” to evidence supply‑chain security measures required by Article 21(2)(d) NIS 2, with ILR explicitly referring to supply chain security. https://www.ilr.lu/en/sectors/niss/nis-2/security-measures-and-supervision-under-nis2/. For governance support, consider external CISO leadership.
Concrete examples
- An asset manager with OMS/EMS in SaaS and an outsourced SOC must link each contract to the services provided, indicate whether it supports a “critical/important” function (e.g., trading/order routing) and reference the provider’s LEI.
- A bank using a multi‑region PaaS/IaaS cloud must break down by legal entity and include downstream subcontractors (support, monitoring, managed backups), as well as exit/portability clauses required by DORA Art. 30, even though the Art. 28 ITS remains the core of the collection.
Common pitfalls
- Incomplete inventory of “ICT services”. Many entities limit the register to “critical” providers. DORA Art. 28(3) requires a register covering “all” ICT arrangements; criticality is only an attribute. Text: DORA Art. 28(3). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32022R2554.
- Poor identification of critical/important functions. The attribute is missing, overly generic, or inconsistent across group entities, triggering ESAs’ validation errors and rejections. See CSSF’s 17/03/2026 update and the error guidance. https://www.cssf.lu/fr/2026/03/dora-collecte-du-registre-dinformation-mise-a-jour/ ; https://www.cssf.lu/en/Document/guidance-for-interpretation-and-resolution-of-cssf-error-messages-related-to-the-submission-of-the-dora-register/.
- Identifiers and metadata not aligned with ITS 2024/2956. Expired LEI, free‑text names instead of standardized codes, incorrect dates/parameters (e.g., refPeriod). The ITS and ESAs’ FAQs define formats. ITS 2024/2956; EBA Single Rulebook/FAQs. http://data.europa.eu/eli/reg_impl/2024/2956/oj ; https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17753.
- Overlooking third‑country branches and intra‑group inconsistencies. EU branches of non‑EU banks must submit their own register to CSSF; a “lift‑and‑shift” consolidation from the non‑EU head office without considering DORA102‑3097 leads to gaps. https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora102-3097_en.
- Neglected eDesk governance. Over‑broad delegated access to an external provider (advisory, GRC) can expose other eDesk processes (CSSF 11/02/2026). CSSF recommends strict role segregation and oversight of entitlements. https://www.cssf.lu/fr/2026/02/dora-delai-de-soumission-du-registre-dinformation-portail-edesk-ouvert-a-partir-du-11-fevrier-2026/.
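A pre-submission data-quality check covering the identifier, date and criticality-consistency pitfalls above, added here as an illustration (not CSSF or ESA tooling; the field names are assumptions, not the ITS 2024/2956 column names, and the sample rows are constructed):

```python
"""Pre-submission checks on a DORA Art. 28 register extract (constructed example).

Field names are assumptions, not the ITS 2024/2956 column names. The LEI check
follows ISO 17442 (MOD 97-10); whether an LEI is expired needs a GLEIF lookup
and is not checked offline here.
"""
from collections import defaultdict
from datetime import date
import re

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")

def _mod97(s: str) -> int:
    # Letters map to 10..35 (A=10), digits stay as-is, then MOD 97-10.
    digits = "".join(str(int(c, 36)) for c in s)
    return int(digits) % 97

def lei_is_valid(lei: str) -> bool:
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1

def make_lei(body18: str) -> str:
    # Append the two ISO 17442 check digits to an 18-character body (sample data only).
    return body18 + f"{98 - _mod97(body18 + '00'):02d}"

def check_register(rows):
    """Return (row_index, message) findings; -1 marks a cross-entity finding."""
    findings = []
    crit_by_function = defaultdict(set)
    for i, r in enumerate(rows):
        if not lei_is_valid(r.get("provider_lei", "")):
            findings.append((i, f"invalid LEI {r.get('provider_lei')!r}"))
        try:
            date.fromisoformat(r.get("ref_period", ""))  # expects YYYY-MM-DD
        except ValueError:
            findings.append((i, f"bad ref_period {r.get('ref_period')!r}"))
        if r.get("critical") not in ("Yes", "No"):  # assumed enumeration
            findings.append((i, f"critical must be Yes/No, got {r.get('critical')!r}"))
        crit_by_function[r.get("function")].add(r.get("critical"))
    # Same function flagged differently across group entities: a rejection trigger.
    for fn, flags in crit_by_function.items():
        if len(flags) > 1:
            findings.append((-1, f"function {fn!r} flagged inconsistently: {sorted(flags)}"))
    return findings

GOOD_LEI = make_lei("LUXTESTENTITY00001")  # constructed, not a registered LEI
BAD_LEI = GOOD_LEI[:-2] + f"{int(GOOD_LEI[-2:]) + 1:02d}"  # checksum broken
SAMPLE_ROWS = [  # constructed
    {"entity": "Bank SA", "provider_lei": GOOD_LEI, "function": "order routing",
     "critical": "Yes", "ref_period": "2025-12-31"},
    {"entity": "Bank Branch", "provider_lei": BAD_LEI, "function": "order routing",
     "critical": "No", "ref_period": "31/12/2025"},
]
```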
Official sources
- CSSF — DORA: Deadline for submission of the information register (11 February 2026). https://www.cssf.lu/fr/2026/02/dora-delai-de-soumission-du-registre-dinformation-portail-edesk-ouvert-a-partir-du-11-fevrier-2026/ ; “Collection of the information register” update (17 March 2026). https://www.cssf.lu/fr/2026/03/dora-collecte-du-registre-dinformation-mise-a-jour/ ; DORA – third‑country branches (17 February 2026). https://www.cssf.lu/fr/2026/02/dora-delai-de-soumission-du-registre-dinformation-pour-les-succursales-detablissements-de-credit-ayant-leur-siege-social-dans-un-pays-tiers/ ; “error messages” guidance (11 February 2026). https://www.cssf.lu/en/Document/guidance-for-interpretation-and-resolution-of-cssf-error-messages-related-to-the-submission-of-the-dora-register/.
- DORA (EU) 2022/2554 — EUR‑Lex text, Art. 28. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32022R2554 ; EBA “Article 28” (Single Rulebook). https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17753.
- Implementing Regulation (EU) 2024/2956 — standard templates of the information register. http://data.europa.eu/eli/reg_impl/2024/2956/oj.
- EIOPA — Q&A DORA102‑3097 (applicability to third‑country branches). https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora102-3097_en.
- European Commission — Communication (NIS 2 Art. 4): DORA as lex specialis for financial entities. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A52023XC0918%2801%29.
Bottom line: the March 2026 CSSF development is not a sanction but a clear supervisory signal: the DORA Art. 28 register’s quality and exhaustiveness are now verifiable and enforceable, with strict timelines and ESAs’ technical checks. For executives and DPOs/CISOs in Luxembourg, this is a full‑fledged data and contractual‑governance workstream—treat it with the same rigor as prudential reporting. To engage with our team, visit the contact page.
Luxgap regulatory expertise article.