DORA Article 28: the 'ICT dependencies register' expected by the CSSF
Since 17 January 2025, all financial entities subject to DORA must keep a structured register of their ICT contracts. The CSSF has specified the timeline and submission modalities in Luxembourg.
The general rule
Regulation (EU) 2022/2554, known as “DORA”, requires under Article 28 that each financial entity keep and maintain an information register covering “all contractual arrangements concerning the use of ICT services provided by third-party providers,” with enhanced detail for “critical or important” functions. This register must exist at entity, sub‑consolidated and consolidated levels, and be submitted to the competent authority in harmonised formats set by implementing technical standards (ITS). Reference text: Regulation (EU) 2022/2554 (see Art. 28).
The ITS specifying the register templates have been adopted and published in the EU Official Journal; the EBA centralises preparatory documents (templates, validation rules, FAQs) on its DORA page. See EBA – Preparations for reporting of DORA registers of information. The EBA recalls that Article 28(9) empowers the ESAs (EBA, ESMA, EIOPA) to develop these ITS and details the fields expected for arrangements supporting critical or important functions. See also the EBA official Q&As on Article 28 (e.g., 2024_7098 and 2025_7309).
What the regulators say (Luxembourg and EU)
- CSSF. In Luxembourg, the CSSF confirmed DORA’s entry into application on 17 January 2025 and the primacy of DORA (and its RTS/ITS published in the OJEU) over overlapping elements of CSSF circulars. It also clarified the practical organisation of reporting (LEI, eDesk roles, submission windows). See the notice “Entry into application of DORA regulation on 17 January 2025” and preparation reminders published on 5 December 2024 and 15 January 2025 (CSSF – Entry into application; CSSF – Reminders and advice).
- 2025 submission window. For the first national submission to the ESAs, the CSSF opened the eDesk portal and set a submission window for the information register between 1 and 15 April 2025, in line with the ESAs’ joint decision (ESA 2024 22) on collecting information for the designation of “critical” ICT third‑party providers. See “DORA – Submission timeframe for register of information – eDesk Portal open as of 1 April 2025” (CSSF – Submission timeframe) and decision ESA 2024 22 (ESAs – Timeline; decision PDF ESA 2024 22).
- Templates/technical controls. The EBA publishes data models (xBRL‑CSV), validation rules and business checks for the register (updated 28 April 2025) on its “Preparations for reporting of DORA registers of information” page (EBA – Preparations).
- Links with CSSF circulars. The CSSF recalls that certain pre‑existing obligations (e.g., notifications under CSSF 22/806) continue to apply but that DORA prevails in case of overlap. See CSSF Circular 22/806 and the primacy reminder in the 17/01/2025 notice (CSSF).
How to apply it in practice
Managerial objective: maintain a reliable, reportable inventory of all ICT contractual dependencies, able to distinguish those supporting critical or important functions (CIF) and to evidence the clauses required by DORA.
Before (scoping and governance)
- Define the internal notion of “critical or important function” aligned with DORA and supervisory practice (continuity criteria, client/system impact, substitutability). Document the classification method. Legal basis: Art. 28(2) DORA; see also the EBA preparation page (EBA).
- Set a data model compliant with the ITS (entities, contracts, services, data locations, chain subcontractors, SLAs, audit rights, reversibility, testing/DRP, etc.). Reuse EBA templates to avoid later reconversions (EBA – Templates/validation).
- Appoint a register owner (Risk/ICT TPRM) with data feeds from Procurement, Legal, IT, Security, Continuity. Plan for LEI identification of counterparties when available (CSSF reminder, 05/12/2024; CSSF).
During (build and data quality)
- Map existing contracts with ICT providers, including “shadow IT” and free/trial services if they support a function. Capture for each arrangement: provider identifiers (legal name, LEI if available), service description, supported systems/functions, data location, extra‑EU transfers, essential clauses (availability, security, incident notification, audit/access, subcontracting, reversibility/exit), date/renewal. Basis: Art. 28(3) DORA; see EBA Q&A 2025_7388 on the absence of exemptions (EBA Q&A).
- Identify CIFs and verify “DORA clauses”: proportionate audit rights, measurable KPIs/SLAs, security requirements, exit plans and periodic tests. Cross‑check with applicable RTS/ITS and CSSF expectations (DORA primacy confirmed on 17/01/2025; CSSF).
- Prepare the eDesk export: comply with EBA validation checks (date formats, country/code lists, uniqueness of identifiers). Use EBA guides (overview of checks, updated 28/04/2025; EBA – Preparations).
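As an added illustration (not from the original article, the CSSF or any EBA tooling), here is a pre-export data-quality pass of the kind the "During" steps and the "incomplete/inconsistent data" pitfall describe: ISO 8601 date shape, a country code list, uniqueness of contract references and LEI well-formedness under the ISO 17442 MOD 97-10 rule. Column names, the short country allow-list and the sample rows are assumptions; the real export must follow the EBA ITS schema and full code lists.

```python
import re
from datetime import date
# Assumed column names and a short constructed country list; the real export follows the EBA ITS schema.
ALPHANUM = re.compile(r"^[A-Z0-9]{20}$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
COUNTRY_CODES = {"LU", "DE", "FR", "IE", "NL", "US", "GB"}

def _mod97(s):
    """ISO 7064 MOD 97-10: letters A..Z become 10..35, then take the number mod 97."""
    return int("".join(str(int(c, 36)) for c in s)) % 97

def lei_check_digits(prefix18):
    """Two check digits for an 18-character LEI prefix (ISO 17442)."""
    return f"{98 - _mod97(prefix18 + '00'):02d}"

def validate_lei(lei):
    """A well-formed LEI is 20 upper-case alphanumerics with MOD 97-10 residue 1."""
    return bool(ALPHANUM.match(lei)) and _mod97(lei) == 1

def _valid_date(s):
    """Strict YYYY-MM-DD shape and a real calendar date."""
    try:
        return bool(ISO_DATE.match(s)) and bool(date.fromisoformat(s))
    except ValueError:
        return False

def check_register(rows):
    """Return one message per failed check; an empty list means the rows pass."""
    errors, seen = [], set()
    for r in rows:
        ref = r["ref"]
        if ref in seen:
            errors.append(f"{ref}: duplicate contract reference")
        seen.add(ref)
        if not validate_lei(r["lei"]):
            errors.append(f"{ref}: invalid LEI {r['lei']}")
        if r["country"] not in COUNTRY_CODES:
            errors.append(f"{ref}: country {r['country']} not in code list")
        for col in ("start", "end"):
            if not _valid_date(r[col]):
                errors.append(f"{ref}: {col} date not YYYY-MM-DD ({r[col]})")
    return errors
# Constructed sample rows (fictitious contracts); the good LEI is built with a valid checksum.
GOOD_LEI = "529900EXAMPLE00001" + lei_check_digits("529900EXAMPLE00001")
BAD_LEI = GOOD_LEI[:-1] + ("0" if GOOD_LEI[-1] != "0" else "1")  # corrupt the last check digit
SAMPLE_ROWS = [
    {"ref": "C-001", "lei": GOOD_LEI, "country": "LU", "start": "2024-03-01", "end": "2027-02-28"},
    {"ref": "C-002", "lei": BAD_LEI, "country": "XX", "start": "2025-01-17", "end": "2026-01-16"},
    {"ref": "C-002", "lei": GOOD_LEI, "country": "DE", "start": "15/04/2025", "end": "2025-04-15"},
]
```

Running `check_register(SAMPLE_ROWS)` flags the bad LEI, the unknown country, the duplicated reference and the non-ISO date, the same classes of defect the EBA validation checks reject.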
After (use and lifecycle)
- Keep it operational: integrate the register into supplier onboarding and annual review; any contractual or service scope change triggers an update. EBA Q&As indicate the maintenance obligation is continuous and ad hoc communications may be required by the authority (see EBA 2025_7309).
- Group consistency: produce entity/sub‑consolidated/consolidated views. Extra‑EU scope questions are addressed in the EBA FAQ (ref. Art. 28(3); EBA 2024_7098).
- “CTPP” interactions: the ESAs use these data (via national authorities) to designate and supervise “critical” ICT third‑party providers (CTPP) under Arts. 31 et seq. See decision ESA 2024 22 and ESMA/EIOPA communications (ESAs – Timeline).
Concrete example (retail bank in Luxembourg)
- Scope: core banking SaaS, card payments, open banking API gateway, KYC/AML cloud, outsourced SOC, hyperscaler IaaS.
- Steps:
  - Classify CIF: core banking, cards, KYC/AML, API gateway.
  - Remediate contractual gaps: add proportionate audit and chain‑subcontracting clauses; specify RTO/RPO; location and transfers; “early termination” terms if ordered by the authority (cf. suspension/termination powers under the CTPP oversight framework).
  - Load data into EBA templates; test validation; generate the eDesk export; keep traceability of sources (contracts, annexes, DPIA/NIA where applicable). Refs: EBA – Templates; CSSF – eDesk.
Common pitfalls
- Under‑scoping: only listing “critical” outsourcing under CSSF 22/806 and missing cloud services/DevOps tools/application support that indirectly support a CIF. Article 28(3) covers “all” ICT arrangements, with increased granularity for CIFs. Ref. EBA 2025_7388.
- Incomplete/inconsistent data: missing identifiers (LEI), precise data location, subcontracting chain, or information on audit/exit clauses. EBA controls reject non‑compliant files. Ref. EBA – Validation rules.
- Confusion with historic notifications: attempting to (re)submit under CSSF 22/806 contracts that are not “critical” within that circular. Since 17/01/2025, DORA and its ITS prevail for the register; existing CSSF notifications do not replace the DORA register. Ref. CSSF – Entry into application.
- “One‑shot” governance: producing a one‑off inventory for the April 2025 window without establishing a continuous update process and group/consolidated alignment. The maintenance obligation is enduring. Ref. EBA 2025_7309.
- Poor CIF identification: no decision methodology (impact, substitutability, cross‑dependencies). Result: critical contracts not tagged and missing DORA clauses, exposing the firm to orders/sanctions. Basis: Art. 28(2) DORA; see EBA resources.
Official sources
- Regulation (EU) 2022/2554 (DORA) – full text (Arts. 28, 31, etc.) — eur‑lex.europa.eu.
- EBA – Preparations for reporting of DORA registers of information (templates, validation rules, FAQ, 2025 updates) — eba.europa.eu.
- EBA Single Rulebook – Article 28 (official Q&A repository) — eba.europa.eu.
- CSSF – Entry into application of DORA regulation on 17 January 2025 — cssf.lu.
- CSSF – DORA Regulation: reminders and advice on preparedness (05/12/2024) — cssf.lu.
- CSSF – DORA: Submission timeframe for register of information; eDesk (April 2025) — cssf.lu.
- ESAs joint decision ESA 2024 22 – information collection for CTPP designation — esma.europa.eu and PDF text — eba.europa.eu.
- CSSF Circular 22/806 (outsourcing context; CSSF reminder of DORA primacy) — cssf.lu.
As of May 2026, the “DORA register” is no longer a one‑off exercise: it is a living part of your ICT risk governance. Executives must ensure the data are complete, verifiable and reusable at any time for CSSF/ESA submissions.
Luxgap regulatory expertise article.