Executive Summary
This document outlines the process and timeline for the 2025 collection of the Register of Information (ROI) concerning third-party ICT service providers, as mandated by the Digital Operational Resilience Act (DORA). The communication, issued by Belgium’s Financial Services and Markets Authority (FSMA), details a multi-stage procedure involving financial entities, the FSMA, and the European Supervisory Authorities (ESAs).
The core process requires financial entities to submit their ROI to the FSMA via the FiMiS platform between April 1 and April 30, 2025. Submissions can be made through manual data entry or by uploading a file in xBRL-CSV format. The FSMA will then transmit these registers to the ESAs’ central data infrastructure, EUCLID. Following submission, the ESAs will conduct a series of validation checks. Financial entities will receive feedback reports on any identified issues and must submit corrected registers by May 15, 2025. The ultimate objective of this data collection is to enable the ESAs to analyze the information and designate critical third-party providers (CTPPs) for direct oversight, a process set to begin after June 1, 2025.
1. The Three-Stage Data Collection and Analysis Process
The collection and analysis of the DORA Register of Information (ROI) is structured into three primary stages, moving from data compilation by financial entities to final analysis and designation by European authorities.
Stage 1: Financial Entities Compile the Register of Information
Financial entities are responsible for documenting all data related to their third-party ICT service providers within the ROI. This forms the foundational data set for the entire oversight process.
Stage 2: FSMA Transmission and ESA Validation
The FSMA acts as the intermediary, collecting the completed ROIs from financial entities and transmitting them to the European Supervisory Authorities (ESAs) through the European Centralised Infrastructure of Data (EUCLID). Upon receipt, the ESAs perform validation checks at three distinct levels:
- Technical Controls (Automated): Verifies that the ROI was submitted using the correct format and naming conventions.
- Data Point Model Controls (Automated): Ensures the ROI has been completed consistently and that data entry formats have been correctly applied.
- EUID / LEI Controls (Manual): Confirms that the correct EUID (European Unique Identifier) and LEI (Legal Entity Identifier) codes have been used.
To enhance efficiency, national competent authorities, including the FSMA, have been asked to perform some of these validation checks at their level. Financial entities will receive a feedback report if any problems are detected during the ESAs’ validation process.
Stage 3: ESA Analysis and CTPP Designation
Once all registers have been received and validated, the ESAs will consolidate and analyze the aggregated data. The primary goal of this phase is to designate critical third-party ICT service providers (CTPPs). This designation will bring these providers under the direct supervision of the ESAs as stipulated in Articles 31 to 42 of the DORA regulation. During this analysis, the ESAs will also conduct content checks on the received registers.
2. Key Dates and Deadlines for 2025
The FSMA has established a detailed timeline for the entire 2025 reporting cycle, from initial submission to final analysis.
| Dates | Activity | Primary Party |
| April 1 – April 30, 2025 | ROI Submission to FSMA: Financial entities fill out or upload, save, and validate their ROI on the FiMiS platform. | Financial Entities |
| April 14, 2025 | EUCLID Opens: The ESAs’ platform opens for national authorities. The FSMA begins automatic transmission of submitted ROIs to EUCLID. | FSMA / ESAs |
| April 30, 2025 | Submission Deadline: Final day for financial entities to submit their initial ROI to the FSMA. | Financial Entities |
| April 14 – May 15, 2025 | Feedback and Correction Period: ESAs provide feedback on submissions. Financial entities correct and resubmit their ROIs as needed. | ESAs / Financial Entities |
| May 15, 2025 | Correction Deadline: Final day for financial entities to upload corrected ROIs. | Financial Entities |
| May 16 – May 31, 2025 | ESA Data Analysis: ESAs analyze the data. Further content-related errors may be identified and require correction. | ESAs |
| May 31, 2025 | Platform Closure: FiMiS and EUCLID platforms are closed for ROI modifications. | FSMA / ESAs |
| From June 1, 2025 | CTPP Designation: ESAs begin designating Critical Third-Party Providers based on their analysis. | ESAs |
3. Technical Submission Procedures via FiMiS
The FSMA’s FiMiS platform is the sole portal for the collection of the ROI from financial entities.
3.1 Platform Access and Contact Persons
Access to the FiMiS platform is granted to the same contact persons designated by the financial entity for reporting major ICT-related incidents and cyber threats (as per the DORA_INCIDENT and DORA_CYBERTHREAT surveys). The access procedure is identical to that for the aforementioned surveys.
Unlike incident reporting, financial entities will not need to create a new survey. A dedicated survey titled ‘DORA_ROI’ will be pre-established, allowing entities to begin the data submission process immediately.
3.2 Submission Methods
Financial entities have two options for submitting their ROI data:
- Manual Entry: Entities can fill in the required information directly into the DORA_ROI survey within the FiMiS platform.
- File Upload: Alternatively, entities can prepare and upload a complete ROI file in the specified xBRL-CSV format.
If an entity chooses the manual entry method, the FSMA will be responsible for converting the submitted data into the required xBRL-CSV format before transmitting it to EUCLID.
4. Validation and Correction Cycle
A structured feedback and correction mechanism is in place to ensure data quality.
- Feedback Reports: Upon receiving the ROIs, the ESAs will conduct their validation checks. Because the EUID validation is a manual process, feedback reports will be sent to the FSMA no earlier than the day after submission.
- Dissemination and Correction: The FSMA will share these feedback reports with the respective financial entities. The report will detail any identified “errors” or “warnings.”
- Correction Deadline: All registers requiring amendments must be corrected and resubmitted via FiMiS by the final deadline of May 15, 2025.
- Post-Deadline Analysis: From May 16, 2025, the ESAs will begin their deeper data analysis. It is possible that content errors not caught by the automated checks or initial manual EUID/LEI validation will be discovered. In such cases, the ESAs may contact the FSMA to request further corrections before the final platform closure on May 31, 2025.
5. Document Context and Additional Resources
This communication serves as a preliminary guide to allow financial entities to make the necessary preparations for the DORA ROI collection. It is noted that IT developments are still underway at both the ESA and FSMA levels, and the document will be updated in the coming weeks.
5.1 Document Version History
The communication document has undergone several revisions to incorporate new information and clarifications.
| Version Date | Summary of Changes |
| 05/03/2025 | First version published. |
| 24/03/2025 | Modifications made regarding manual filling, xBRL-CSV upload, validation reports, and the FAQ annex. |
| 15/04/2025 | Updates on specific ESA instructions for certain fields, uploading the reporting package Zip file, validation reports, EUCLID submission, and finding LEI codes. |
| 02/05/2025 | Addition of new sections on common errors during xBRL-CSV import and error types. Modification to the section on EUCLID submission and feedback. |
5.2 External Information and Regulations
For exhaustive technical details, financial entities are directed to the European Banking Authority (EBA) website.
- EBA Technical Information: The EBA site provides comprehensive details on data format requirements and validation controls:
Preparations for reporting of DORA registers of information | European Banking Authority. - EBA FAQ: A detailed FAQ document is also available:
20250214 - DORA RoI reporting FAQ.pdf.
The process is governed by the following key EU regulations:
- ITS on Register of Information: Commission Implementing Regulation (EU) 2024/2956.
- RTS on Third-Party ICT Services Policy: Commission Delegated Regulation (EU) 2024/1773.
FSMA Website : https://www.fsma.be/sites/default/files/media/files/2025-03/fsma_2025_02_fr.pdf
