DORA
The Digital Operational Resilience Act (DORA) is a European regulation aimed at increasing the digital operational resilience of the financial sector. We use this webpage to inform the various stakeholders on DORA-related topics.
Most recent update: 24 February 2026
DORA focuses on ICT risk management, ICT incidents, the periodic testing of digital operational resilience, the management of risks related to outsourcing to (critical) third parties and cooperation via information-sharing arrangements on cyber threats. DORA also introduces a framework for European supervision of critical third-party providers of ICT services.
Information on the reporting request for register of information can be found both in the Frequently Asked Questions section at the bottom of this page and in the News Releases section.
The regulation
DORA was published in the Official Journal of the European Union on 27 December 2022. DORA includes a regulation (NL / EN) and a directive (NL / EN). The regulation entered into force on 17 January 2023 and applies from 17 January 2025. For the Netherlands, Annex 35 of the Decree implementing EU Regulations on Financial Markets contains the designation of the competent authority for DORA. The decree also regulates which articles of DORA can be enforced, in the event of a violation, by an administrative fine or an order subject to penalty.
Technical standards
The three European Supervisory Authorities (ESAs) were jointly responsible for the development of the technical standards for DORA.
All technical standards have been published in the Official Journal of the European Union. They are:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework (NL / ENG)
- RTS on criteria for the classification of ICT-related incidents (NL / ENG)
- RTS on content, timelines and templates on incident reporting (NL / ENG)
- ITS on content, timelines and templates on incident reporting (NL / ENG)
- RTS to specify the policy on ICT services performed by ICT third-party providers (NL / ENG)
- ITS to establish the templates for the register of information (NL / ENG)
- RTS on threat-led penetration testing (TLPT) (NL / ENG)
- RTS on subcontracting of critical or important functions (NL / ENG)
- RTS on oversight harmonization (NL / ENG)
- GL on aggregated costs and losses from major incidents (NL / ENG)
- GL on oversight cooperation between ESAs and competent authorities (NL / ENG)
The European process for Question & Answer (Q&A)
The three ESAs together facilitate the process which allows financial entities to ask questions and receive answers. The objective of the process is to ensure consistent and effective application of European regulation and to foster supervisory convergence. Existing Q&As on DORA can be found here.
For more information on the Q&A process, please visit the websites of either EBA, EIOPA or ESMA.
The EU oversight of critical ICT third-party service providers (CTPPs)
To manage systemic risks arising from the increased outsourcing of ICT services and concentration of that outsourcing among a dozen large external providers, DORA introduces an oversight framework. The oversight framework contributes to the stability and integrity of the financial system.
The ESAs designated 19 CTPPs under DORA for the EU oversight. To provide an overview of the oversight processes, the ESAs published a guide. The guide provides high-level explanations regarding the oversight framework. Furthermore, it provides an overview of the governance structure, the oversight processes, the founding principles and the tools available to the overseers.
Reporting and notifications
DORA includes several obligations for ad hoc reports and notifications. Below you can read how to submit each report or notification.
| Report or notification | Explanation |
|---|---|
| Reporting of major ICT-related incidents (art. 19 sub 1 and art. 23) | Reporting via Mijn DNB – Supervision applications – Start application/notification – DORA major ICT-incident reporting. Please note: Financial institutions within scope of the NIS2 directive also need to report the incident to the NCSC (please see NCSC.nl for more information about the NIS2 registration obligation and reporting). Validation rules apply. These rules can be found here. |
| Voluntary notification of significant cyber threats (art. 19 sub 2) | Notification via: Mijn DNB – Supervision applications – Start application/notification – Form for other applications and notifications. Please note: Validation rules apply. These rules can be found here. |
| Notification of (planned) contractual arrangements on the use of ICT services supporting critical or important functions (art. 28 sub 3, 5th paragraph) | Notification via: Mijn DNB – Notification outsourcing and ICT third-party services. |
| Notification of validation or cessation of membership in an information-sharing arrangement (art. 45 sub 3) | Notification via: Mijn DNB – Requests and notifications – Form for other applications and notifications. |
Reports requested by DNB, for example the information register or the exchange of files for the purpose of TLPT, have a different character. If DNB requests these, DNB will at the same time indicate how DNB expects to receive them.
FAQ reporting request for register of information 2026
- Conversion: When using the Excel template, it is important not to change the order of the tabs. Adding, removing or moving tabs will lead to errors in the conversion.
- Link column: Tabs B_02.03, B_03.01 and B_03.03 include the 'link' column. This column is not part of the technical standard, but it is crucial for correct conversion to xBRL-CSV. The value true (in lower case) must always be entered here.
- Recipient of the subcontracted services (variable B_05.02.0060): In the B_05.02 tab, the identifier of the receiver of ICT services from a subcontractor must be entered in column D. See also FAQ 65.
- Licenced activity (variable B_06.01.0020): Tab B_06.01 includes the 'licenced activity' column. The dropdown shows the different options in line with the ESAs' reporting standard. If you undertake activities covered by the Solvency II classes of non-life insurance miscellaneous financial loss, legal expenses or assistance, you must select the option "Non-Life Insurance: All classes, at the choice of the Member States, which shall notify the other Member States and the Commission of their choice".
- More information: a more comprehensive overview of points to keep in mind can be found here.
If your pension fund has outsourced all or part of the pension administration to a pension administration organisation (PUO), you should include the outsourced ICT services separately in the register of information.
An aggregated entry under a single generic heading (function) such as "data exchange" does not provide sufficient insight into the nature and scope of the outsourced work and the underlying risks.
Every European ICT service provider has an EUID. The EUID can be found, for example, in the European business registers (link). If the ICT service provider does not have an LEI or EUID (because it is registered in a third country), you must still enter a value. You can use another relevant identifier for this purpose. It will be flagged during the data quality check, but the file will not be rejected for this reason.
The Excel template contains the "TOC" tab. This is a crucial tab for a correct conversion to xBRL-CSV. It contains several variables.
- Period start: This date should be set to 2025-01-01.
- Period end: This refers to the reference date, and must be set to 2025-12-31.
- Identifier: You must report at individual or consolidated level. This is indicated in the name of the reporting request. In this field, enter the LEI code of the reporting financial institution, followed by .IND or .CON for individual or consolidated reporting, respectively. For example: DUMMYLEI123456789012.CON for consolidated or DUMMYLEI123456789012.IND for individual reporting.
- Scheme: The EBA requires https://eurofiling.info/eu/rs to be entered here. This field is already filled in. Please note that this is not a working hyperlink, but a scheme for the purpose of the EBA XBRL Filing Rules.
- Currency: The default monetary unit for reporting is entered here. In most cases this will be EUR.
- Language: This refers to the language of the template, which is en by default. You do not have to change this.
- Table of contents, cells D14-D28: here you specify whether a table is reported or not. Because the reporting requirement specifies that all templates must be reported, even when empty (e.g. form B_01.03 when there are no branches), these cells must all be set to positive.
For further details, see the filing rules.
The reporting request will be available from 2 March 2026 in MyDNB (via the Reporting Service).