Free DORA Register of Information Starter (2026) — Excel
Published Jul 16, 2026
By Orbiq Team

Free DORA Register of Information Starter (2026) — Excel

Human-readable Art 28(3) working register mapped to the ITS fields — maintain year-round, convert at reporting time. Free XLSX, PDF and MD, no email gate.

dora
templates
register-of-information
third-party-risk
eu-regulation

Download this template

Version 1.0 · Updated Jul 16, 2026 · Free, no email required

Free DORA Register of Information Starter (2026) — Excel

Quick answer: This free DORA Register of Information starter is a downloadable XLSX (plus PDF field guide and machine-readable Markdown) that gives financial entities a human-readable working register for Article 28(3) of Regulation (EU) 2022/2554. Its eight data sheets mirror the field logic of the ESAs' official Register of Information templates in Commission Implementing Regulation (EU) 2024/2956 — entities and branches (B_01), contractual arrangements (B_02), signing and using entities (B_03–B_04), providers and supply chains (B_05), functions (B_06), and criticality assessments (B_07) — so the register you maintain year-round converts into the official xBRL-CSV reporting package instead of being rebuilt each spring.

One thing this template is honest about, because the ESAs are: there is no official Excel that passes submission validation, and there never will be. The EBA's RoI reporting FAQ states the ESAs cannot create an Excel solution respecting the data model's referential integrity "not the least due to the limitations of Excel." Submission is an xBRL-CSV package through your NCA's portal. What firms actually lack is the layer before that — a register a third-party-risk team can keep current between annual submissions. That is what this starter is.


Key Takeaways

  • A working register, not a submission file. Maintain it year-round in Excel; at your NCA's window, map it onto the official templates and convert to xBRL-CSV. The sheet structure makes that a mapping exercise, not re-research.
  • ITS-mapped by design. Every sheet corresponds to a template group of Implementing Regulation (EU) 2024/2956, and the closed lists are built in as dropdowns — including the S01–S19 ICT service taxonomy and the LEI/EUID identifier rules for B_05.01.
  • One relational key. The contract reference number joins contracts to providers, supply chains, signing/using entities, functions, and assessments — the same relational logic the 15 official templates use.
  • Built against the real failure data. Only 6.5% of registers passed all 116 checks in the ESAs' 2024 dry run; 86% of failures were missing mandatory information. A Pre-Submission Checks sheet turns those findings into a worklist.
  • 2026 cycle aware. Reference date 31 December 2025; entity windows set nationally in Q1 (DNB by 20 March, Central Bank of Ireland 1–31 March, CSSF eDesk from 11 February); NCAs forward to the ESAs by 31 March.

What's Inside the Template

The XLSX contains a How-to-Use sheet, seven ITS-mapped data sheets with worked example rows, and a pre-submission checklist.

1. Entity & Group (B_01)

FieldExampleRoI anchor
Entity legal name + LEINordbank SE · 529900T8BM49AURSDO55B_01.01–B_01.02
Role in registerRegister maintainer / Group entity in scope / BranchB_01.01–B_01.03
Type of financial entityCredit institutionB_01.02
Competent authorityBaFin / ECBB_01.01

2. Contractual Arrangements (B_02)

FieldExampleRoI anchor
Contract ref (relational key)CTR-2024-018B_02.01
Arrangement typeStandalone / Master / Subsequent / Intra-groupB_02.01
ICT service typeS17 — Infrastructure-as-a-service (dropdown, closed list)B_02.02, Annex III
Start / end / notice periods2024-03-01 → indefinite · 180 daysB_02.02
Supports critical or important function?Yes / No / Under assessmentArt. 28(2), Art. 3(22)
Data storage & processing locationsNL; IEB_02.02

3. ICT Providers (B_05.01) and Supply Chains (B_05.02)

Provider identification with the ITS identifier rules built in — LEI or EUID for EU legal persons, LEI only for third-country legal persons, country-code + CRN/VAT/PNR/NIN for natural persons — plus CTPP designation flag, and a rank-based supply-chain sheet (rank 1 = direct provider, rank 2+ = the subcontractors that effectively underpin the service per Article 29 and the subcontracting RTS).

4. Functions (B_06.01) and CIF Assessments (B_07.01)

Function register with the Article 3(22) criticality test and documented reasons, and a per-arrangement assessment sheet covering substitutability, last audit date, exit-plan documentation and test dates (Article 28(8)), reintegration possibility, and discontinuation impact.

5. Pre-Submission Checks

Eleven checks derived from the ESAs' dry-run and first-collection failure data: mandatory-field completeness, LEI format and GLEIF lapse status, closed-list discipline, ISO dates and country codes, relational-key integrity, conversion to xBRL-CSV, and EBA validation rules — each with a status dropdown.


How to Use This Starter

  1. Set up the entity layer once. Complete Entity & Group with the register maintainer, in-scope group entities, and branches (the register exists at entity, sub-consolidated, and consolidated level).
  2. Inventory every ICT arrangement. Article 28(3) covers all contractual arrangements on ICT services — not only cloud, not only critical. The contract reference number you assign here is the key everything else joins on.
  3. Deduplicate providers. Each provider appears once in B_05.01 with a valid identifier. Validate LEIs against GLEIF — lapsed LEIs from stale vendor databases are a top validation failure.
  4. Map chains, signatures, functions. Rank the supply chain behind each critical arrangement, record who signs versus who uses, and run the Article 3(22) criticality test per function.
  5. Assess what's critical. Every arrangement supporting a critical or important function gets a B_07 assessment row — substitutability, exit, reintegration, impact.
  6. Convert at reporting time. In your NCA's Q1 window, work the Pre-Submission Checks sheet, map to the official templates, convert to the xBRL-CSV package, and run the EBA validation rules before filing.

For the evidence you collect from each provider — certificates, assurance reports, resilience test results, exit-plan tests — use the companion DORA ICT provider evidence checklist; this starter tracks the register itself, that checklist tracks the proof per provider.


Legal Basis

  • Article 28(3), Regulation (EU) 2022/2554 (DORA) — financial entities shall maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers, at entity, sub-consolidated, and consolidated level, and shall report it to the competent authority.
  • Commission Implementing Regulation (EU) 2024/2956 (29 November 2024) — the ITS establishing the standard templates: 15 templates in 8 groups linked by relational keys, with closed value lists including the S01–S19 ICT service taxonomy and the provider identifier rules.
  • EBA DORA RoI reporting FAQ (updated 28 March 2025) — submission format (plain-CSV / xBRL-CSV per the ESA taxonomy), the statement that no validation-passing Excel can be provided, and the from-2026 calendar: reference date 31 December, NCA-to-ESAs deadline 31 March.
  • ESAs 2024 Dry Run summary report — the data-quality baseline this starter's checks are built against.

For the full regulatory picture, see our DORA compliance guide; for why Articles 19, 28, and 30 outgrow a traditional ISMS, see the DORA Article 19, 28 and 30 analysis; if you are weighing DORA against NIS2 obligations elsewhere in your group, our DORA vs NIS2 comparison maps the differences.


UK, Norway, and the EEA

UK: no DORA, no register submission. UK firms follow the FCA/PRA operational resilience regime (FCA PS21/3, PRA SS1/21 — fully in force since 31 March 2025) plus the critical third parties regime under FSMA 2023. The mapping those rules require is a subset of the DORA field set, so pan-European groups can maintain this register once and reuse it for UK self-assessments.

Norway / EEA: DORA was incorporated into the EEA Agreement on 20 February 2025, and the Norwegian DORA Act has been in force since 1 July 2025. Finanstilsynet collects registers as competent authority — Norwegian entities use this starter exactly as EU peers do, with Finanstilsynet's windows substituted.


From Annual Scramble to Standing Register

The pattern supervisors flagged after the first collections is simple: registers rebuilt each spring fail; registers maintained continuously pass. New arrangements get recorded at signature, LEIs get re-validated before each cycle, criticality gets reassessed when functions change. Orbiq's Vendor Assurance Platform turns that maintenance into a workflow rather than a calendar reminder — structured provider records, evidence with expiry tracking, and continuous monitoring, built for European financial entities with EU data residency. The machine-readable Markdown variant of this starter is available at /downloads/templates/dora-register-of-information-starter.md for AI-agent workflows.


Sources & References

  1. Regulation (EU) 2022/2554 (DORA) — EUR-Lex — Article 28(3) register obligation; Articles 29–30 context
  2. Commission Implementing Regulation (EU) 2024/2956 — EUR-Lex — ITS on the standard RoI templates; Annex III service-type list
  3. EBA — Preparation for DORA application: RoI reporting resources and FAQ — submission format, Excel statement, from-2026 calendar
  4. ESAs — 2024 Dry Run exercise summary report (ESA 2024 35) — 6.5% pass rate; failure categories
  5. DNB — DORA Registers of Information in March 2026 — Dutch 2026 window (20 March) and xBRL-CSV format
  6. Central Bank of Ireland — Reporting of Registers of Information — Irish 2026 window (1–31 March)
  7. CSSF — DORA: submission timeframe for the Register of Information 2026 — Luxembourg eDesk portal open from 11 February 2026
  8. FCA PS21/3 — Building Operational Resilience — UK regime (no register submission)
  9. Finanstilsynet — Norwegian DORA Act in force 1 July 2025 — Norway / EEA implementation

Download this template

Version 1.0 · Updated Jul 16, 2026 · Free, no email required

Frequently Asked Questions

Is there an official Excel template for the DORA Register of Information?

No — and there will not be one. The ESAs state in the EBA's DORA RoI reporting FAQ that they are not in a position to create an Excel solution that would pass the technical and business validation rules, 'not the least due to the limitations of Excel.' The official submission format is a plain-CSV / xBRL-CSV package built on the ESA taxonomy and data point model, filed through your national competent authority's portal. Any Excel register — including this one — is a working layer that must be converted at reporting time.

What is the deadline for the DORA Register of Information in 2026?

There is no single EU deadline for firms. From 2026, the reference date is 31 December of the preceding year and national competent authorities must forward consolidated registers to the ESAs by 31 March each calendar year. Entities file earlier, in nationally-set Q1 windows — for 2026: DNB (Netherlands) required submission by 20 March, the Central Bank of Ireland collected registers between 1 and 31 March, and Luxembourg's CSSF opened its eDesk portal on 11 February. Always confirm the window with your own competent authority.

What are the 15 templates in the DORA Register of Information?

Commission Implementing Regulation (EU) 2024/2956 defines 15 templates in 8 groups, linked by relational keys: entity information (B_01.01 register maintainer, B_01.02 entities in scope, B_01.03 branches), contractual arrangements (B_02.01 general, B_02.02 specific, B_02.03 intra-group links), signing entities (B_03.01–B_03.03), entities using the services (B_04.01), ICT third-party providers (B_05.01) and supply chains (B_05.02), functions (B_06.01), assessments of ICT services (B_07.01), and definitions (B_99.01).

Why do Register of Information submissions fail validation?

In the ESAs' 2024 dry run across roughly 1,000 financial entities, only 6.5% of registers passed all 116 data-quality checks. 86% of failures were missing mandatory information; the rest were dominated by invalid or lapsed LEIs, values outside the closed lists (such as free text instead of the S01–S19 service-type codes), broken relational keys between templates, and non-ISO dates and country codes. The same rules now run against live annual submissions — applied to more fields, more strictly.

Does the UK require a Register of Information?

No. The UK has no DORA equivalent and no register submission. UK firms follow the FCA/PRA operational resilience regime (FCA PS21/3 and PRA SS1/21, fully in force since 31 March 2025), which requires internal mapping of important business services and a living self-assessment, plus the critical third parties regime under FSMA 2023. Groups spanning both markets can maintain one DORA-grade register and reuse it for UK mapping — the DORA field set is the superset.

Does Norway require a Register of Information?

Yes. DORA was incorporated into the EEA Agreement on 20 February 2025, and Norway's national DORA Act entered into force on 1 July 2025. Finanstilsynet is the competent authority and collects register information from Norwegian financial entities, so Norwegian firms maintain and file the same register as EU peers, on Finanstilsynet's windows.

Free DORA Register of Information Starter (2026) — Excel