DORA Register: Instructions for a First Submission Without Errors

As the April 30, 2025 deadline approaches, financial institutions subject to DORA must submit their first ICT information register. This document centralizes all contracts made with ICT service providers, including those considered critical or important. Here’s how to prepare a mistake-free submission.

1. Understand the expectations of the DORA register

The register must list all active contractual agreements with ICT providers. For each contract, it is essential to indicate the services provided, the associated critical function, the contractual terms, audit rights, termination clauses, and many other mandatory fields according to the implementing regulation (EU) 2024/2956.

2. Identify and classify your suppliers

• List all active suppliers

• Determine if the service provided is related to a critical or important function

• Assign a level of criticality to each supplier

3. Collect the missing data

• Contact suppliers to complete the mandatory fields

• Centralize all contracts and annexes in a single space

• Validate the information with the Purchasing, Legal, and IT teams

4. Choose the right technical format

The register must be submitted in CSV format, structured according to the templates provided by the authorities. Note: during the European dry run, 94% of submitted Excel files were rejected!

5. Conduct a cross-review

Have the register reviewed by the Risk Manager, DPO, and CISO to validate the completeness and compliance of the data.

6. Submit on time

• Deadline in France: April 15, 2025, via the ACPR OneGate portal

• Receipt by the AES: April 30, 2025

Conclusion

A well-prepared register ensures that you successfully cross the first step of DORA compliance with peace of mind. With Galink, you centralize, evaluate, and automatically export your register, compliant with the required format.