By 30 March 2026, financial institutions in Germany must submit their complete ICT third-party register to the German Federal Financial Supervisory Authority (BaFin) for the first time. The EU’s Digital Operational Resilience Act (DORA) has been in force since January 2025 – and the first major reporting deadline is fast approaching. The cut-off date for reported data: 31 December 2025. Institutions using AWS, Azure, or Google Cloud must fully document their contracts, data storage locations, and subcontractors.
TL;DR
- 📋 BaFin deadline: 30 March 2026 – First submission of the ICT third-party register in xBRL-CSV format (ADVISORI).
- 📊 Only 50% of European financial institutions had achieved full DORA compliance by end-2025 (The Next Web).
- ☁️ Nineteen ICT third-party providers are designated Critical Third-Party Providers (CTPPs) under direct EU supervision – including AWS, Azure, and Google Cloud.
- ⚖️ Mandatory reporting fields: service type, data storage location, subcontractors, contract duration, and exit strategy.
- ⏰ 38% of financial institutions have postponed their compliance target to 2026 (The Next Web).
What DORA Requires from Financial Institutions
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied directly across all EU Member States since 17 January 2025. Unlike NIS2 – which requires national transposition laws – DORA is an EU regulation and thus immediately binding. It applies to banks, insurers, investment firms, payment service providers, crypto-asset service providers, and numerous other actors across the European financial sector.
DORA pursues a clear objective: strengthening the digital operational resilience of the financial sector. Its framework rests on five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. The third pillar – third-party risk management – is currently occupying IT teams most intensively.
Specifically, DORA mandates that every financial institution maintain a comprehensive register of all its ICT third-party providers. This register must be made available to the competent supervisory authority upon request – and now also submitted proactively for the first time. BaFin has set 30 March 2026 as the deadline for this initial submission.
What Must Be Included in the ICT Third-Party Register
This register is no simple spreadsheet. BaFin requires structured reporting in xBRL-CSV format, with specific mandatory fields for each ICT third-party provider.
Mandatory information per provider:
- Provider’s name and LEI (Legal Entity Identifier).
- Type of service delivered (e.g., cloud infrastructure, SaaS, data processing).
- Data storage locations – including backup sites and disaster recovery regions.
- Subcontractors engaged by the provider (e.g., Azure using Equinix data centres).
- Contract duration and termination notice periods.
- Exit strategy: What happens if the provider fails – or must be replaced?
For cloud providers such as AWS, Azure, and Google Cloud, this means IT teams must not only document the primary contract but also map which subcontractors the cloud provider uses – and where. For hyperscalers operating hundreds of data centres and dozens of subcontractors, this represents a substantial documentation effort.
Critical Third-Party Providers: Why AWS, Azure, and Google Cloud Are Especially Significant
DORA introduces a new concept: Critical Third-Party Providers (CTPPs). These are ICT third-party providers deemed systemically important to the financial sector. Since November 2025, 19 providers have been officially designated as CTPPs, including AWS, Microsoft Azure, and Google Cloud.
What this means: CTPPs fall under direct EU supervision by the European Supervisory Authorities (ESAs). They must conduct their own resilience tests, submit incident reports to the ESAs, and grant audit rights to supervisors. For financial institutions using CTPPs, enhanced documentation obligations apply within the register.
Every contract with a CTPP must include specific clauses: audit rights, supervisory authority access, subcontractor transparency, and defined service levels. Existing contracts lacking these clauses must be renegotiated.
“Financial institutions must ensure their contracts with ICT third-party providers include audit rights for competent authorities and provisions permitting termination in case of non-compliance with requirements.”
– Article 30, DORA (EU) 2022/2554 (paraphrased)
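As an added example (not code from the article, BaFin or the EBA), a pre-submission completeness check over register records that covers the mandatory information listed above and the CTPP contract clauses: it flags missing fields, verifies LEI check digits under ISO 17442, and lists the clauses a CTPP contract lacks. The field and clause key names are assumptions modelled on the article's list, not the identifiers of the official xBRL-CSV template, and the sample records are constructed.

```python
# Added example, not code from the article, BaFin or the EBA. Key names are
# assumptions modelled on the article's field list, not the xBRL-CSV template's.
MANDATORY = ("name", "lei", "service_type", "data_locations", "subcontractors",
             "contract_end", "notice_period_days", "exit_strategy")
# Clauses the article says every CTPP contract must contain (names assumed).
CTPP_CLAUSES = ("audit_rights", "supervisory_access",
                "subcontractor_transparency", "service_levels")

def lei_is_valid(lei: str) -> bool:
    """ISO 17442 LEI: 20 upper-case alphanumerics, last two are ISO 7064 mod 97-10
    check digits, so the whole string read as a number is congruent to 1 mod 97."""
    if len(lei) != 20 or not lei.isascii() or not lei.isalnum() or lei != lei.upper():
        return False
    # digits stay, A..Z become 10..35 (exactly what int(c, 36) yields)
    return int("".join(str(int(c, 36)) for c in lei)) % 97 == 1

def validate_record(rec: dict) -> list[str]:
    """Findings for one provider record; an empty list means it is complete."""
    findings = []
    for key in MANDATORY:  # None or "" is missing; [] is an explicit "none"
        if rec.get(key) is None or rec.get(key) == "":
            findings.append(f"missing mandatory field: {key}")
    lei = rec.get("lei")
    if lei and not lei_is_valid(lei):
        findings.append(f"invalid LEI: {lei}")
    if rec.get("is_ctpp"):  # enhanced contract requirements for CTPPs
        for clause in CTPP_CLAUSES:
            if clause not in rec.get("contract_clauses", ()):
                findings.append(f"CTPP contract lacks clause: {clause}")
    return findings

def check_register(register: list[dict]) -> dict[str, list[str]]:
    """Map each provider name to its findings; submit only when all lists are empty."""
    return {rec["name"]: validate_record(rec) for rec in register}

# Constructed sample records, not real contracts. The first LEI satisfies the
# check digits; the second is the same value with its last digit tampered.
SAMPLE_REGISTER = [
    {"name": "Example Hyperscaler", "lei": "5493001KJTIIGC8Y1R12",
     "service_type": "cloud infrastructure (IaaS)", "is_ctpp": True,
     "data_locations": ["Frankfurt (primary)", "Dublin (disaster recovery)"],
     "subcontractors": ["Example Colocation GmbH"], "contract_end": "2027-12-31",
     "notice_period_days": 90, "exit_strategy": "migrate to second provider",
     "contract_clauses": ["audit_rights", "subcontractor_transparency", "service_levels"]},
    {"name": "Example SaaS Tool", "lei": "5493001KJTIIGC8Y1R13", "service_type": "SaaS",
     "data_locations": ["Amsterdam"], "subcontractors": [], "contract_end": "2026-06-30",
     "notice_period_days": 30, "is_ctpp": False},  # exit_strategy missing
]
```

Running `check_register(SAMPLE_REGISTER)` reports the missing supervisory-access clause for the CTPP record and both the missing exit strategy and the bad LEI for the SaaS record; the real submission still has to pass BaFin's schema validation on top of this check.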
The Compliance Gap: Why Half Are Still Not Ready
According to The Next Web, only 50% of European financial institutions had achieved full DORA compliance by end-2025. A further 38% have pushed their compliance target into 2026. Reasons vary widely:
Supply chain complexity. A mid-sized financial institution typically works with 40-80 ICT third-party providers. Documenting each one – including LEI, data storage location, subcontractor chain, and exit strategy – is a manual undertaking that can take months.
Contract amendments. Existing cloud contracts rarely contain the precise DORA clauses on audit rights and supervisory access. Renegotiating with hyperscalers is laborious – especially because AWS, Azure, and Google Cloud favour standardised, non-negotiable terms.
Lack of tooling infrastructure. The xBRL-CSV submission demands specialised software. Many institutions acquired such tools late – or still rely on manual processes. GRC platforms like ServiceNow, SAP GRC, or dedicated RegTech vendors offer DORA modules – but implementation takes time.
Checklist: Four Weeks to BaFin Submission
For IT leaders and compliance officers aiming to meet the 30 March deadline:
Week 1: Inventory. Identify all ICT third-party providers – not just cloud vendors, but also SaaS tools, managed service providers, and outsourcing partners. Sources: Procurement, IT asset management, contract registers.
Week 2: Complete data. Populate mandatory fields for each provider: LEI, service type, data storage location, subcontractors, contract duration. Use cloud providers’ Shared Responsibility documentation as a baseline.
Week 3: Exit strategies. Document an exit strategy for each critical provider. What happens during failure? How long would migration take? Is there a viable alternative provider?
Week 4: Generate and validate xBRL-CSV. Convert data into xBRL-CSV format. Validate against BaFin’s schema. Conduct a test submission before final transmission.
Cloud-Specific Challenges in the DORA Register
Documenting cloud providers in the DORA register is significantly more complex than documenting traditional IT service providers. Three factors make cloud contracts especially demanding.
Dynamic infrastructure. Cloud providers regularly change data centre locations, availability zones, and subcontractors. A register reflecting the status as of 31 December 2025 may already be outdated three months later. IT teams need a process that continuously captures infrastructure changes and updates the register accordingly.
Shared responsibility. With cloud services, responsibilities are split between provider and customer. Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) each define distinct responsibility boundaries. The DORA register must clearly indicate which ICT functions the cloud provider performs – and which remain with the financial institution. That requires deep insight into the institution’s own cloud architecture.
Multi-cloud complexity. Financial institutions using multiple cloud providers must document each one separately. Interdependencies arise – for example, if a backup system runs on Google Cloud while the primary system resides on AWS, both providers must appear in the register – including the dependency relationship between the two systems.
What Happens After 30 March: Next Steps
The first BaFin submission is not the finish line – but the starting point of an ongoing process. DORA requires continuous updating of the ICT third-party register and regular submissions to the supervisory authority.
Two further developments are expected in 2026:
Threat-Led Penetration Testing (TLPT). DORA mandates periodic penetration tests for systemically important financial institutions – tests that cover the entire ICT supply chain. BaFin is expected to publish concrete TLPT requirements in the second half of 2026.
Incident reporting. Financial institutions must report severe ICT incidents to BaFin within four hours. If an incident occurs at a cloud provider delivering services to the institution, the reporting obligation lies with the financial institution – not the cloud provider. This necessitates contractual agreements on notification timelines and escalation pathways.
IT teams building the register today should already anticipate these follow-up requirements. A register built solely to satisfy the first submission will inevitably need expansion for TLPT and incident reporting.
DORA and NIS2: Double Burden for IT Teams
Many financial institutions fall under both DORA and NIS2. While the regulations overlap partially, they differ in focus: DORA targets digital operational resilience specifically within the financial sector; NIS2 addresses general cybersecurity across critical sectors.
For IT teams, this means: two separate registers (BaFin for DORA, BSI (Federal Office for Information Security) for NIS2), two incident reporting obligations, and two sets of documentation requirements. The good news: many measures overlap. A well-maintained ICT third-party register satisfies both DORA and NIS2 requirements for supply chain security.
Conclusion
The DORA reporting obligation on 30 March 2026 is not optional. Financial institutions failing to fully document their cloud service providers risk regulatory enforcement action. The effort is real – but manageable when IT teams adopt a structured approach. Those who simultaneously address NIS2 requirements avoid redundant work. The pragmatic path for IT leaders and compliance teams: build the inventory, populate the data, document exit strategies – and file on time.
Frequently Asked Questions
Does DORA apply to smaller financial institutions?
Yes – DORA applies proportionally. Smaller institutions face simplified requirements but must still maintain and report an ICT third-party register to BaFin. Documentation depth scales with the institution’s size and complexity.
What happens if I miss the 30 March deadline?
BaFin may initiate supervisory measures – from formal warnings and corrective orders to fines. Enforcement practice will become clearer after the first reporting deadline. Recommendation: Submitting even an incomplete report is far preferable to submitting nothing at all.
Do I need to report internal IT service providers?
No. DORA applies only to external ICT third-party providers. Internal IT entities within a corporate group generally fall outside the reporting scope – unless they provide services to multiple regulated entities within the same group.
How does DORA differ from NIS2 regarding cloud providers?
DORA requires a detailed register of all ICT third-party providers, with specific fields (LEI, data storage location, subcontractors). NIS2 mandates general supply chain security and risk management. DORA is granular and sector-specific; NIS2 is broader and cross-sectoral.
Can the register be populated automatically?
Partially. GRC platforms such as ServiceNow, SAP GRC, and specialist RegTech vendors offer DORA modules that auto-populate the register and export it in xBRL-CSV format. Cloud providers are increasingly offering DORA-specific compliance documentation that can serve as a data source.
Further Reading
- NIS2 and SaaS – Why the Supply Chain Is Becoming a Compliance Gap (cloudmagazin)
- Sovereignty-Washing – Why EU-Based Data Centres Don’t Guarantee Data Sovereignty (cloudmagazin)
- Confidential Computing – Azure Makes AI Workloads Hardware-Isolated (cloudmagazin)