Blog

2026 DORA Register of Information: A Comprehensive Guide to CSSF Submission

1. Introduction: The Strategic Role of the Register of Information (RoI)

Under Article 28(3) of Regulation (EU) 2022/2554 (DORA), financial entities are strictly mandated to maintain and update a Register of Information (RoI) detailing all contractual arrangements with ICT third-party service providers. For the Regulatory Compliance lead, the RoI is far more than a reporting obligation; it is a fundamental strategic asset for mapping ICT dependencies, managing concentration risk, and ensuring the systemic operational resilience of the European financial landscape.

In accordance with Circular CSSF 25/882, the scope of this requirement is comprehensive. Reporting must be executed at the individual, sub-consolidated, and consolidated levels, where applicable. Successful submission is predicated on absolute technical adherence to the European Supervisory Authorities (ESA) reporting framework 4.0 and the specific eDesk portal requirements. Failure to treat this as a high-priority technical exercise will result in immediate regulatory friction.

2. Critical Milestones: The 2026 Submission Timeframe

Timing is a core compliance risk. The 2026 submission window operates under a rigid schedule where even minor deviations in file naming or reference dates will trigger automated technical rejections.

  • Portal Opening: The CSSF eDesk Portal will open for RoI submissions on 11 February 2026.
  • Mandatory Reference Date: All reports must reflect the reference date of 31/12/2025. Any deviation from this date (Error ICTO006) will cause the system to reject the filing.
  • Timestamp Uniqueness (Error ICTO005): Every submission must have a unique filename. Compliance leads must ensure that the timestamp within the naming convention has not been used in any previous submission. Re-using a timestamp from a rejected or prior filing will trigger an immediate conflict.

Dora Register Of Information – Export RoI with 1 click

3. Pre-Submission Prerequisites: Entity-Level Onboarding

Administrative readiness must be finalized well before the submission window opens to prevent “Day 1” technical blockers that cannot be resolved in real-time.

  1. LEI Code Synchronization (The “Day 1” Threat): The entity’s Legal Entity Identifier (LEI) must be communicated to and synchronized with the CSSF database. This is a non-negotiable prerequisite. Because synchronization between internal CSSF databases and the eDesk platform occurs overnight, an LEI discrepancy identified on the deadline day is a fatal error that cannot be remediated until the following business day.
  2. Assignment of the “DORA Reporting” Role (The Compliance Bottleneck): At least one dedicated employee must be assigned the “DORA Reporting” role within eDesk. Without this specific permission, the submission interface is entirely inaccessible. Organizations must treat this role assignment as a point of failure; the absence of the designated individual during the filing window can paralyze the entity’s compliance status.

DORA CSSF 2026 infography

4. Technical Architecture: The Filing Package Structure

The CSSF utilizes high-precision automated XBRL/JSON parsers. Any structural deviation from the ESA reporting framework 4.0 will trigger a rejection.

  • Compressed Format: Submissions must be in .zip format. Formats like .rar or .7z are strictly prohibited (Error ICTO003).
  • Size Constraints (Error ICTO004): The file must not exceed 20MB. In the event that a large financial group’s RoI exceeds this limit, the entity is strictly required to contact [email protected] for a specific technical workaround.
  • Folder Hierarchy: The ZIP file must contain exactly one folder, and that folder’s name must be identical to the ZIP filename (Error ICTO010). This folder must contain exactly two subfolders: META-INF and reports (Error ICTO012).
  • The Parsing Layer (Error CSSF_0): The system validates the parsing logic through reportPackage.json (within META-INF) and report.json (within reports). Any syntax error in either file will render the package unparsable.

5. Decoding Validation Logic: Errors vs. Warnings

The CSSF feedback system categorizes issues by severity. Compliance teams must prioritize “Errors” to ensure the RoI is accepted, while “Warnings” must be remediated to avoid qualitative regulatory scrutiny.

Feature Errors (Blocking) Warnings (Non-Blocking)
Impact Immediate rejection; RoI is not integrated. RoI is accepted but requires remediation and resubmission.
Typical Causes Duplicate keys, incorrect JSON URLs, missing mandatory headers. Trailing spaces in fields, LEIs not found in GLEIF database.
Requirement Mandatory immediate correction. Correction expected to maintain data quality standards.

The Dimension Concept Unlike a simple table key, a “Dimension” (e.g., qCDF Name of entity) groups linked data fields across multiple tables (B.01.01, B.01.02, B.01.03, and B.05.01). If an error is flagged at the dimension level, the strategist must conduct a cross-table audit of all fields within that logical group to locate the discrepancy.

6. Troubleshooting Guide: Resolving Common Submission Messages

Technical leads should interpret the CSSF feedback file (available in .xlsx via eDesk) as a roadmap for data cleaning.

Expert Insight: The Row Mapping Logic When identifying the location of an error using the r_x.cxxxx notation, note that the row count in the error message (e.g., “Row 2”) refers to the data row. If opening the CSV in a text editor like Notepad under Windows 11, “Row 2” actually corresponds to Line 3 due to the header row.

  • Case Sensitivity in Filing Indicators: Within FilingIndicators.csv, the text string ‘true’ must be in lowercase. Using ‘TRUE’ or ‘True’ is a high-frequency failure point that will trigger rejection.
  • Parsing and EntryPoints (Error CSSF_1): The report.json must reference the exact, case-sensitive URL for the DORA 4.0 framework: http://www.eba.europa.eu/eu/fr/xbrl/crr/fws/dora/4.0/mod/dora.json. Even a single character casing error (e.g., EU vs eu) will cause a rejection.
  • Reference Period Syntax (Error oime:missingPeriodDimension): Ensure the parameters.csv file uses dashes, not slashes. The entry must read refPeriod,2025-12-31. Using 2025/12/31 will trigger a period dimension error.
  • Decimal and Monetary Logic (Error xbrlce:invalidDecimalsValue): Automated systems often default to an “INF” value for monetary decimals. For the DORA RoI, the decimalsMonetary parameter in parameters.csv must be set to -3.
  • Data Integrity (EBA.2.16, EBA.805): Key columns (indices) must never be empty. Every key must be unique across the 15 mandatory tables. Even if an entity has no data for a specific table (e.g., no branches for B.01.03), the CSV must be provided with the header intact and no data rows.
  • Formatting Cleanliness (EBA.3.11, err:FORG0001): Remove all leading or trailing spaces. Integer values must be “clean”—symbols like “$”, “%”, or thousands-separator commas (e.g., 1,500,000) will cause parsing failures. Use plain integers (e.g., 1500000).

7. Conclusion: Maintaining Compliance Readiness

The successful submission of a “clean” RoI is a critical indicator of an entity’s operational maturity. High-quality data is the foundation of digital operational resilience, and the CSSF expects entities to use the validation feedback to improve the integrity of their ICT risk reporting over time.

For unresolved technical or content-related queries, use the following specialized channels:

  • Technical & Portal Issues: [email protected] (onboarding, file size workarounds, upload failures).
  • Content & Validation Queries: [email protected] (data field interpretation, complex error codes).

When corresponding with the CSSF helpdesk, always include your eDesk Tracing Code to ensure efficient resolution and tracking of your compliance efforts.

 

CSSF DORA website : https://www.cssf.lu/en/2026/02/dora-submission-timeframe-for-register-of-information-edesk-portal-open-as-of-11-february-2026