DORA – Délai de soumission du registre d’information – Portail eDesk ouvert à partir du 1er avril 2025 (uniquement en anglais)

In accordance with Article 28(3) of Regulation (EU) 2022/2554 (DORA), the financial entities subject to DORA shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

The Joint ESA decision published on 08 November 2024 (Joint ESA decision) requires competent authorities to submit to the ESAs the registers of information in relation to financial entities for which they ensure compliance with in accordance with Article 46 of DORA, by 30 April 2025.

Therefore, financial entities are required to submit their register of information to the CSSF for further transmission to the ESAs. Financial entities shall provide their registers at individual or consolidated level in line with Article 3 of the Joint ESA decision and as further explained in the Frequently Asked Questions published by the ESAs.

As announced in a previous communiqué dated 15 January 2025, the financial entities are required to submit their register of information as relevant to the CSSF between 1 April 2025 and 15 April 2025 via eDesk. For 2025 (first year of submission), the reference date of the register of information is set to 31 March 2025, i.e. the register of information should contain all contractual arrangements contracted until 31 March 2025.

Additional information related to the eDesk procedure is provided below.

To be able to upload the register of information via the eDesk Portal, the role “DORA Reporting” needs to be assigned by a financial entity to at least one dedicated employee. Further details on how to assign this role can be found in the eDesk Portal user guide.

When the role “DORA Reporting” has been granted, the eDesk procedure « Submission of the Register of Information » can be selected starting as from 1 April.

During the upload and validation processes, certain messages will be generated and communicated to the financial entity. Please note that those messages will only be addressed to the person having effectively uploaded the register of information and not to all employees to whom the “DORA Reporting” role may have been granted.

The CSSF highlights that the register of information must be submitted in plain-csv files, enclosed in a .zip-file following a predefined folder structure and file naming convention, as defined by the ESAs. Please note that it will be the first check done by the CSSF: if the extension, folder structure or naming convention are not correct, the entity will not be able to upload the register on the eDesk platform.

As a reminder, the CSSF highly recommends financial entities to follow closely the ESAs’ practical information and instructions available on the EBA website for the preparation and submission of the register of information (Preparations for reporting of DORA registers of information).

Further details on how to submit the register to the CSSF can be found in the User Guide for DORA – Submission of the Register of Information in the eDesk Portal.

Uploaded registers of information will be subject to validation checks to be performed by the CSSF in due time. In case errors are detected, the submitting financial entity will be invited to fix them and re-submit its register of information before 30 April 2025.

During the month of May 2025, the ESAs will perform an additional second round of validation checks. Should the ESAs detect additional errors and consequently refuse the register of information on their side, the submitting financial entity must fix the detected errors and re-submit its register of information to the CSSF which will then forward it again to the ESAs.

In case financial entities will be assisted by third parties in the submission of their register of information, the CSSF would like to draw attention to the following. Providing access, even with a specific role, to the eDesk Portal to a third party entails the risk that such third party may have access to other eDesk reporting procedures, i.e. data of your entity that go beyond the data that are strictly linked to the submission of the register of information, including potentially sensitive data. Please ensure that any third party with access to the eDesk Portal confirms strict compliance with the confidentiality obligations relating to the data that may be accessed. Note that you remain solely responsible for the protection of your sensitive data in line with applicable regulations.

For any question related to the submission of the register of information, please contact: ictrisksupervision@cssf.lu.

For any technical question related to the use of the eDesk Portal, please contact:
edesk@cssf.lu.