Starting Tuesday 1 April 2025, financial entities in Luxembourg subject to the digital operational resilience act (Dora) will be required to submit their register of information to the grand duchy’s Financial Sector Supervisory Commission (CSSF) via the eDesk Portal. This register, which must detail all contractual arrangements related to ICT services provided by third-party service providers, is due by 15 April 2025.

The submission applies to both individual and consolidated levels, with the exception of entities directly supervised by the European Central Bank. The register must comply with EU regulations, which mandate that financial entities maintain and update their records at the entity, sub-consolidated and consolidated levels. These records must detail the contractual relationships with ICT service providers to ensure Dora compliance, emphasised the CSSF.

The deadline for submission is crucial, as a Joint European Supervisory Authorities (ESA) decision, published on 8 November 2024, stipulates that competent authorities must forward the registers to the ESAs by 30 April 2025. Financial entities must ensure their registers are complete and accurate before this deadline.

Once submitted, the CSSF will conduct validation checks. If errors are identified, entities will be required to correct and resubmit their registers by 30 April 2025. A second round of checks by the ESAs in May 2025 could lead to further corrections, with entities needing to resubmit the updated registers to the CSSF for transmission to the ESAs.

The CSSF also reminded financial entities to ensure that third parties accessing the eDesk Portal comply with confidentiality obligations regarding sensitive data. Entities will remain responsible for safeguarding their data in accordance with applicable regulations.

For the first year of submission, the reference date for the register is set to 31 March 2025, meaning the register should include all contractual arrangements entered into by that date.