DORA — Third-country branches: ICT register due by June 30

The CSSF confirms that Luxembourg branches of credit institutions with their head office in a third country must submit their ICT third‑party register by June 30, 2026 (best effort), via the eDesk portal.

Key facts

In its February 17, 2026 notice, reiterated on March 21, 2026, the CSSF clarifies that these branches are subject to the ICT register filing and benefit from an extended deadline to June 30, 2026 (vs. March 31, 2026 for the general deadline).

Legal basis

• DORA, Art. 28(3): obligation to maintain a register covering all contractual arrangements with ICT third‑party providers at individual, sub‑consolidated and consolidated levels. Background and requirements are explained on our DORA register overview.
• ESA clarifications (Q&A DORA102 – 3097) endorsed by the CSSF apply to third‑country branches, with an extended submission deadline to June 30, 2026.

What changes for Luxembourg entities

• Scope: any Luxembourg branch of a non‑EU credit institution supervised by the CSSF must keep an exhaustive register covering the outsourcing chain (cloud, managed services, critical SaaS, SOC/MDR, connectivity, etc.). For local expectations, see DORA in Luxembourg and CSSF expectations.
• Risk: missing or incomplete submissions may trigger remediation by the CSSF, activity restrictions, or a mandated reduction of unmanaged ICT dependencies. The register directly feeds risk assessments, continuity and incident handling.
• Timeline: as of publication (June 26, 2026), there are 4 business days left to finalize and file via eDesk, ensuring consistency across individual/sub‑consolidated/consolidated levels.

Immediate actions for this week

1) Map and complete the register

• Consolidate all ICT arrangements (contracts, purchase orders, addenda), including cascading subcontractors.
• For each relationship: service scope, data/assets, locations, resilience/security/audit clauses, business criticality, term, and exit provisions.

2) Assess criticality and risks

• Classify potential impact (availability, integrity, confidentiality); record controls (encryption, backups, MFA, logging), continuity/recovery maturity, and audits/certifications (ISO 27001, SOC 2).
• Document risk analysis and compensating measures. For support on resilience, explore our business continuity and DORA resilience services.

3) Finalize governance and submit

• Have the register approved by the management body or designated committee.
• Check consistency across levels (entity/sub‑consolidated/consolidated) and submit via eDesk before June 30, 2026.
• Plan continuous updates (quarterly review) and keep evidence (contracts, DPIA, audit/incident notification clauses).

Bottom line

The DORA ICT register is now a cornerstone of third‑party governance for third‑country branches in Luxembourg. Exhaustiveness, traceability and group alignment are essential to meet CSSF expectations in time.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.