Last updated

CSSF DORA ICT Third-Party Register of Information in Luxembourg: 2026 Submission and Control Guide

Direct answer

CSSF DORA ICT Third-Party Register of Information in Luxembourg: 2026 Submission and Control Guide helps compliance teams, directors, risk owners, and advisers translate a Luxembourg supervisory topic into owners, evidence, and escalation points. It explains understanding the Luxembourg regulatory obligation, supervisory evidence, internal ownership, and escalation points in CSSF DORA ICT Third-Party Register of Information in Luxembourg: 2026 Submission and Control Guide, then shows how to map the controlling rule, prepare board or compliance evidence, and know when a CSSF-facing specialist should review the file. Read it before assigning owners or responding to a supervisory request, so the evidence file matches the regulatory question.

The register is not only a compliance spreadsheet. It is the supervisory data backbone for ICT third-party dependency, critical or important functions, contractual arrangements, provider chains and concentration risk. A weak register can be rejected by validation checks, create supervisory follow-up and expose the entity's lack of control over its technology dependencies.

This guide is for Luxembourg DORA entities, ICT risk teams, compliance, vendor management, procurement, legal, data teams, management bodies and internal audit. It is not legal advice. Source check date: 20 May 2026.

Control point Why it matters Evidence to keep
Register scope Covers contractual arrangements on the use of ICT services provided by ICT third-party service providers Contract inventory, ICT service taxonomy, provider list
2026 timing CSSF opened eDesk from 11 February 2026 and set 31 March 2026 for the general collection Submission confirmation, eDesk evidence, validation report
Reference date CSSF stated 31 December 2025 as the 2026 reference date for contractual arrangements Cut-off inventory, contract status and renewal evidence
Data quality Validation checks can reject a register even if a previous version was accepted Pre-validation log, owner sign-off and correction tracker

Official sources used

This article uses official CSSF DORA and ICT third-party sources, including the DORA entity page, Circular CSSF 25/882 and 2026 CSSF communications on the register of information submission timeframe and collection update.

Treat the register as an operating record

The DORA register of information should not be treated as a year-end regulatory upload prepared by one person in compliance. It should be the controlled record of ICT service dependencies used by the entity. If the register is assembled only at submission time, data quality problems are almost inevitable.

A usable register needs inputs from procurement, ICT, security, risk, legal, finance, business owners and group functions. Contracts may sit in legal repositories, provider names in procurement systems, service descriptions in IT architecture files and criticality assessments in risk tools.

The operating model should define who owns each field, who validates changes, who signs off the full register and how errors are corrected before submission.

The best register process is continuous. Annual submission then becomes a controlled extract rather than a discovery project.

Control point Why it matters Evidence to keep
Data owner Treat the register as an operating record needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Confirm DORA scope before preparing the file

DORA applies broadly to financial entities in the EU, but the precise local submission duties depend on entity type, supervision, group structure, ECB direct supervision and CSSF communications. Scope should be confirmed before data work begins.

The CSSF DORA page explains that DORA applies since 17 January 2025 and covers numerous financial-entity types. The 2026 CSSF communication excludes entities under direct ECB supervision from the described CSSF submission perimeter and adds third-country branch clarifications.

A scope memo should identify the legal entity, DORA category, CSSF supervisory status, ECB direct-supervision status where relevant, consolidated or sub-consolidated reporting level, and branch considerations.

This memo prevents the register team from preparing the wrong submission or missing a required level.

Control point Why it matters Evidence to keep
Data owner Confirm DORA scope before preparing the file needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Use the 31 December 2025 reference date properly

For 2026, the CSSF communication states that the reference date is 31 December 2025 and the register should contain contractual arrangements contracted until that date. This cut-off matters for data completeness.

The entity should decide how to treat contracts signed, terminated, amended or migrated around the reference date. It should keep evidence of status, effective dates and renewal terms.

A contract inventory freeze can help. Capture the population as at the reference date, then separately track changes after that date for future updates.

If the entity discovers after submission that the reference-date inventory was wrong, document the correction logic and remediation.

Control point Why it matters Evidence to keep
Data owner Use the 31 December 2025 reference date properly needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Build a single contract population

A common register failure is fragmented contract population. ICT knows about platforms, procurement knows purchase orders, legal knows master agreements, finance knows invoices and business teams know tools used in practice. The register needs one reconciled population.

Reconciliation should compare procurement records, accounts payable, software inventories, cloud accounts, ICT asset registers, vendor-risk tools, outsourcing registers and business-owner declarations.

Differences should be investigated. A paid vendor with no contract record may indicate missing documentation. A contract with no current use may be terminated or dormant. A tool used by business with no procurement record may be shadow ICT.

The reconciled population is the base of data quality.

Control point Why it matters Evidence to keep
Data owner Build a single contract population needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Classify ICT services consistently

The register depends on service classification. Teams should define a taxonomy that distinguishes cloud hosting, SaaS, data centers, network services, cybersecurity tools, core banking platforms, payment gateways, reporting tools, development tools, customer platforms, data analytics and support services.

Inconsistent service names create duplicate records and validation issues. One team may call the same service cloud platform, infrastructure hosting or production environment. The register needs controlled vocabulary.

Classification should also connect the ICT service to the business function it supports. A provider name alone is not enough.

A consistent taxonomy makes concentration analysis possible.

Control point Why it matters Evidence to keep
Data owner Classify ICT services consistently needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Identify critical or important functions supported by ICT

DORA focuses heavily on ICT services supporting critical or important functions. The register should therefore connect provider arrangements to functions and business impact.

A critical function assessment should consider customer impact, regulatory deadlines, transaction processing, financial loss, market integrity, data availability, operational continuity and substitutability.

The service may not be critical by itself but may support a critical or important function. For example, identity access management, transaction monitoring, payment infrastructure, reporting tools or client portals can all support important operations.

Function mapping should be signed off by business and risk, not only ICT.

Control point Why it matters Evidence to keep
Data owner Identify critical or important functions supported by ICT needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Document provider and group relationships

The register should distinguish legal provider, service brand, group entity, reseller, subcontractor and cloud infrastructure provider. Confusing these relationships can create wrong entries.

A SaaS service may be contracted with one legal entity, hosted by another cloud provider and supported by group affiliates. The entity needs enough information to populate the register accurately and understand dependency chains.

Legal entity names, identifiers, addresses, countries and contract references should be verified against documents. Do not rely on marketing names alone.

Provider hierarchy matters for concentration and supervisory analysis.

Control point Why it matters Evidence to keep
Data owner Document provider and group relationships needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Control subcontracting data

ICT third-party services often involve subcontracting. DORA and related technical standards emphasize visibility of arrangements and dependencies. The register process should capture relevant subcontractors and chains where required by the template and guidance.

Vendor questionnaires, contract appendices, security documentation and provider portals may all contain subcontractor information. That data should be reconciled and updated when providers change subcontractors.

Subcontracting is not only a legal issue. It affects data location, resilience, incident handling, concentration and exit planning.

If subcontractor data is unavailable, escalate early. Waiting until submission week is too late.

Control point Why it matters Evidence to keep
Data owner Control subcontracting data needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Prepare for validation errors

The CSSF March 2026 communication warned that validation checks would be applied to more data fields and that a register accepted in a previous year might be rejected. This is a practical warning about data quality.

Entities should run pre-validation as early as possible, maintain an error log and assign owners for corrections. Common issues can include missing mandatory fields, inconsistent identifiers, invalid formats, mismatched dates, duplicate records or taxonomy errors.

Do not treat validation as a purely technical issue. A validation error may reveal a real governance gap, such as missing contract dates or unclear provider identity.

The correction process should preserve evidence of what changed and why.

Control point Why it matters Evidence to keep
Data owner Prepare for validation errors needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Plan resources through April

The March 2026 CSSF communication advised entities to ensure availability of relevant resources throughout April because ESA additional quality controls could lead to refusal and re-submission before end-April. That is a resource-planning instruction, not just an administrative note.

The register team should keep business, ICT, procurement, legal and data owners available after initial CSSF submission. If the ESA refuses entries, the entity may need rapid corrections and resubmission.

A team that disbands after upload creates operational risk. Keep the correction tracker open until acceptance and post-submission follow-up are complete.

Resource planning should also include management awareness of possible late-stage issues.

Control point Why it matters Evidence to keep
Data owner Plan resources through April needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Use eDesk evidence as part of the control file

Submission through eDesk creates evidence that should be retained: submission date, submitted file version, validation messages, confirmation, rejection notices, resubmission records and correspondence.

The control file should link the submitted file to the approved source data. If the entity later needs to explain what was submitted, it should not rely on a local user's downloads folder.

Version control matters. Label the pre-submission file, submitted file, corrected file and final accepted version. Preserve the error log between versions.

This evidence is useful for internal audit and next year's preparation.

Control point Why it matters Evidence to keep
Data owner Use eDesk evidence as part of the control file needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Manage third-country branch considerations

The CSSF February 2026 communication about third-country branches of credit institutions having their head office in a third country set a 30 June 2026 best-effort deadline for these entities, following ESA clarification. Branches should treat this as a structured onboarding of the register requirement rather than a casual extension.

Branch teams may depend on head-office systems, global contracts and group vendor data. They should start early to map which ICT arrangements support the Luxembourg branch and which records sit outside Luxembourg.

The branch file should explain how global arrangements are used locally, who owns data, and how the branch obtains the information needed for the CSSF register.

Best effort still requires evidence of effort, testing and remediation.

Control point Why it matters Evidence to keep
Data owner Manage third-country branch considerations needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Connect the register to notification of new critical ICT arrangements

Circular CSSF 25/882 and CSSF DORA materials describe notification requirements for planned ICT arrangements supporting critical or important functions for certain entities not under direct ECB supervision. The register process and notification process should share data.

A planned arrangement should enter the internal inventory before the contract takes effect. If it supports a critical or important function, the notification timeline should be assessed early.

The CSSF DORA page notes a three-month notice period before the planned contractual arrangement comes into effect, reduced to one month when resorting to a Luxembourg support PFS governed by Article 29-3 LFS, for the described cases. Teams should verify the current form and communication channel.

A register that only records live contracts may miss pre-contract notification duties.

Control point Why it matters Evidence to keep
Data owner Connect the register to notification of new critical ICT arrangements needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Assign field ownership

Every register field should have an owner. Contract date may belong to legal, provider ID to procurement, service description to ICT, critical function mapping to risk and business, data location to security, and submission formatting to regulatory reporting.

Without field ownership, errors bounce between teams. With ownership, correction is faster and accountability clearer.

A field-owner matrix should also define evidence sources. If two systems disagree, the matrix should state which system is authoritative or how conflicts are resolved.

Field ownership is one of the simplest ways to improve register quality.

Control point Why it matters Evidence to keep
Data owner Assign field ownership needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Reconcile register with outsourcing and procurement records

DORA ICT third-party registers and outsourcing registers are related but not identical. The entity should reconcile them to avoid missing dependencies or double counting.

Some business-process outsourcing arrangements may include ICT components. Some ICT third-party services may not be outsourcing under the amended Circular 22/806 perimeter. The entity needs mapping rather than assumption.

Procurement records can reveal paid ICT services not present in risk systems. Outsourcing registers can reveal critical functions supported by ICT providers. Architecture inventories can reveal technical dependencies not obvious from contracts.

A reconciliation report is strong evidence for supervisory and audit purposes.

Control point Why it matters Evidence to keep
Data owner Reconcile register with outsourcing and procurement records needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Keep management body oversight practical

DORA emphasizes governance and management body accountability for ICT risk. The register should therefore feed meaningful oversight, not just technical reporting.

Management reporting should show material ICT dependencies, critical function support, concentration, unresolved data-quality issues, validation status, late owner responses and remediation progress.

The management body does not need every row of the register, but it needs decision-grade summaries and exceptions. It should know whether the entity can explain its ICT third-party risk.

Oversight evidence includes minutes, dashboards, challenge questions and remediation tracking.

Control point Why it matters Evidence to keep
Data owner Keep management body oversight practical needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Handle cloud arrangements with service clarity

Cloud arrangements can be complex because one provider may support infrastructure, platform, software, storage, analytics, security or business applications. The register should describe the service accurately rather than merely saying cloud.

A cloud provider may be the direct contractual counterparty or an underlying subcontractor of a SaaS provider. The register should reflect the contractual reality and dependency chain required by the applicable template.

Service clarity affects criticality, data location, exit planning and concentration analysis. A vague cloud label is not enough for risk management.

The entity should also maintain architecture evidence that explains what the service does.

Control point Why it matters Evidence to keep
Data owner Handle cloud arrangements with service clarity needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Prepare an annual improvement loop

After each submission, the entity should run a lessons-learned review. What errors occurred? Which fields were hardest? Which owners responded late? Which systems disagreed? Which contracts lacked data?

The review should create remediation actions before the next cycle. Examples include contract template changes, procurement intake changes, mandatory service classification, better provider master data or automated validation.

An annual loop turns the register from a stressful filing into a maturing control.

Internal audit can use the loop to test whether past problems were actually fixed.

Control point Why it matters Evidence to keep
Data owner Prepare an annual improvement loop needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Avoid common anti-patterns

Common anti-patterns include treating the register as a compliance-only spreadsheet, relying on vendor marketing names, ignoring subcontractors, excluding intragroup ICT services, failing to map critical functions, waiting until submission week, and not preserving validation evidence.

Another anti-pattern is assuming that because a contract is small, the service is unimportant. A low-cost authentication, monitoring or reporting tool can support a critical process.

The opposite error is over-classifying everything as critical without analysis. That creates noise and weakens management focus.

The remedy is disciplined classification, evidence and review.

Control point Why it matters Evidence to keep
Data owner Avoid common anti-patterns needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Build a register readiness calendar

A readiness calendar should begin months before submission. It should include population freeze, owner attestations, data-quality checks, management review, test upload where possible, correction window, submission, ESA follow-up window and lessons learned.

For the 2026 general CSSF collection, the window from 11 February to 31 March made early preparation especially important. Future cycles should not rely on last-minute assembly.

The calendar should also align with contract renewal and procurement cycles. New contracts should produce register-ready data at signature rather than at year end.

A calendar makes the register a planned control, not an emergency project.

Control point Why it matters Evidence to keep
Data owner Build a register readiness calendar needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Create a data dictionary before validation starts

A register data dictionary explains each field in business language, identifies the source system, field owner, allowed values and evidence required. Without a dictionary, each team may interpret the same field differently.

The dictionary should define provider legal name, service type, contractual arrangement, critical function mapping, dates, entity level, location, subcontracting information and status. It should also explain how to handle unknown, not applicable and group-level values.

A data dictionary reduces validation errors and makes onboarding new contributors easier. It also helps internal audit test whether the same rule was applied across the register.

When ESA or CSSF validation expectations change, update the dictionary and communicate the change.

Control point Why it matters Evidence to keep
Data owner Create a data dictionary before validation starts needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Use attestations for business-owner accountability

Business owners understand how services are used in practice. Their attestation should confirm that the listed arrangements are complete for their area, service descriptions are accurate, criticality mapping is reasonable and post-reference-date changes have been flagged.

Attestations should not be empty signatures. Give owners a clear extract, ask specific questions and require exceptions to be logged. The central register team should challenge inconsistent responses.

This process prevents the register from becoming a central compliance guess. It also gives management a stronger basis for submission confidence.

Attestations should be retained with the control file.

Control point Why it matters Evidence to keep
Data owner Use attestations for business-owner accountability needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Track correction root causes

A validation error log should not end at fixing the cell. The team should identify why the error happened: missing contract field, inconsistent taxonomy, wrong owner, system limitation, unclear guidance, late provider data or manual transcription.

Root-cause tracking supports next-cycle improvement. If many errors come from provider identifiers, improve provider master data. If many errors come from criticality mapping, improve function-owner training.

This is how the register matures from manual rescue to controlled process.

A short post-submission root-cause report is useful for management and internal audit.

Control point Why it matters Evidence to keep
Data owner Track correction root causes needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Protect continuity during register remediation

Register remediation can involve contract review, provider outreach and data clean-up. Teams should avoid disrupting live services while correcting records. The goal is better supervision and control, not operational confusion.

Where gaps are serious, such as missing contracts for critical services or unclear provider chains, the entity should escalate and remediate quickly. But even then, actions should be coordinated with service owners and continuity plans.

A remediation plan should prioritize high-risk gaps first, define interim controls and avoid overwhelming business teams with low-value data requests.

This keeps register work aligned with operational resilience.

Control point Why it matters Evidence to keep
Data owner Protect continuity during register remediation needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Integrate the register with new-contract intake

The easiest way to improve next year's register is to capture register-ready data when new ICT contracts are created. Procurement intake should require service classification, legal entity, function mapping, criticality, data location, subcontracting information and owner before signature.

If this data is captured only after year end, the register team must reconstruct it from documents and interviews. That is slower and less reliable.

Contract templates and onboarding questionnaires can include register fields. Legal and procurement can reject incomplete intake for arrangements likely to fall within DORA ICT third-party scope.

This makes the register an upstream control rather than a downstream reporting burden.

Control point Why it matters Evidence to keep
Data owner Integrate the register with new-contract intake needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Reconcile entity-level and group-level views

Many Luxembourg entities operate inside larger banking, fund, payment or investment groups. ICT contracts may be signed at group level, while the Luxembourg entity consumes the service locally. The register process must reconcile group-level arrangements with entity-level use.

The local entity should know which group contracts support its operations, which functions they affect, what data is processed, which provider legal entities are involved and whether the arrangement is included at the correct reporting level.

A group register can help, but local management still needs enough evidence to understand and defend the Luxembourg entity's dependency. Blind reliance on head-office data is weak if the local service use is not mapped.

This reconciliation is particularly important for consolidated or sub-consolidated reporting and for branch structures.

Control point Why it matters Evidence to keep
Data owner Reconcile entity-level and group-level views needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Validate dates and lifecycle status

Dates create many register errors: signature date, start date, end date, renewal date, termination date, notice period and reference-date status. The entity should define which document proves each date and how to handle evergreen contracts or framework agreements.

A master agreement may have one date, a statement of work another, and a service activation date a third. The register team should not guess. It should record the date required by the template and preserve the source.

Lifecycle status should also be clear. Active, terminated, planned, dormant and migrated arrangements should not be mixed. The 31 December 2025 reference date requires a disciplined view of what was contracted by that date.

Date validation should be completed before submission week because missing dates often require legal or procurement research.

Control point Why it matters Evidence to keep
Data owner Validate dates and lifecycle status needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Control manual transformations

Even where source systems are strong, register preparation often involves manual transformations into required templates. Manual steps create risk: copied rows, changed formats, broken identifiers, deleted leading zeros, wrong date formats or accidental overwrites.

The team should document the transformation steps, preserve input and output files, restrict editing rights and run checks after transformation. If spreadsheet formulas are used, lock them or save a reviewed version.

For material submissions, a four-eyes review should compare a sample from source records to final submission fields. This is not bureaucracy; it is a control over regulatory data.

Manual-transformation evidence makes later questions easier to answer.

Control point Why it matters Evidence to keep
Data owner Control manual transformations needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Link register data to contractual evidence

A register field without evidence is fragile. Provider name should link to the contract or master data. Service description should link to the statement of work or architecture record. Criticality should link to function assessment. Subcontracting should link to contract appendix or provider notice.

This evidence mapping does not mean attaching every document to the register. It means the entity can retrieve proof for each material field if challenged.

A document-reference column in the working file can be useful even if not submitted. It helps reviewers understand where facts came from and speeds correction.

Evidence mapping also deters unsupported assumptions.

Control point Why it matters Evidence to keep
Data owner Link register data to contractual evidence needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Run a management sign-off that addresses known weaknesses

Management sign-off should not simply say the register is submitted. It should disclose known limitations, remediation actions, late provider data, unresolved questions and whether the register has passed internal validation.

A transparent sign-off allows management to take responsibility with context. If quality is imperfect, the decision record should explain why submission is still appropriate and how issues will be remediated.

This is especially important in the first years of a new reporting requirement, when data models and validation checks are still maturing.

A good sign-off protects both governance quality and institutional memory.

Control point Why it matters Evidence to keep
Data owner Run a management sign-off that addresses known weaknesses needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Turn CSSF or ESA feedback into permanent controls

If CSSF or ESA feedback identifies an error, the entity should not treat it as a one-off correction. It should ask whether the error reveals a systemic control weakness.

For example, a rejected provider identifier may indicate weak vendor master data. A rejected date field may indicate inconsistent contract lifecycle records. A missing critical-function link may indicate poor business-owner mapping.

The remediation should update the data dictionary, intake process, owner training or system controls so the same issue does not recur.

This converts supervisory feedback into continuous improvement.

Control point Why it matters Evidence to keep
Data owner Turn CSSF or ESA feedback into permanent controls needs accountable field ownership Owner matrix, source system and sign-off
Validation The register can fail because of data quality, not only legal interpretation Pre-validation, error log and correction evidence
Governance DORA ICT third-party risk is a management topic Management reporting, risk acceptance and remediation tracking

Register readiness checklist

A register readiness checklist should turn the CSSF submission into a controlled process. The checklist below focuses on what can be evidenced.

Control point Why it matters Evidence to keep
Scope memo Confirms entity-level and consolidated/sub-consolidated obligations DORA category, CSSF status, ECB exclusion where relevant
Contract population Prevents missing arrangements Procurement, legal, ICT, finance and architecture reconciliation
Critical function mapping Links ICT services to business impact Function owner sign-off and impact assessment
Data validation Reduces rejection risk Pre-validation report and error tracker
Submission evidence Proves timely filing eDesk confirmation, submitted file version and messages
Post-submission resources Supports April correction loop Availability plan and resubmission tracker

FAQ

What is the CSSF DORA register of information? It is the structured register of contractual arrangements on the use of ICT services provided by ICT third-party service providers, maintained and updated by DORA financial entities and submitted to the CSSF where required.

What was the 2026 CSSF submission window? The CSSF communication stated that entities required to submit should do so between 11 February 2026 and 31 March 2026 via eDesk, excluding entities under direct ECB supervision. Third-country branches of credit institutions with head office in a third country received a 30 June 2026 best-effort deadline.

Why can a register be rejected? Validation checks can detect missing, inconsistent or incorrectly formatted data. The CSSF March 2026 update warned that checks would apply to more data fields and that a register previously accepted might be rejected.

Who should own the register? No single function can own all facts. A central owner should coordinate, but procurement, ICT, legal, risk, security, business owners and management need defined field responsibilities.

Is the register separate from outsourcing governance? It is related but not identical. DORA ICT third-party services, Circular 25/882 and amended Circular 22/806 outsourcing records should be mapped and reconciled.

Source risk and update note

DORA reporting expectations, eDesk processes, ESA validation checks and CSSF communication channels can change. This article was checked against official CSSF sources on 20 May 2026 and should be used as operational publication guidance, not legal advice.