DORA – Submission timeframe for register of information for third-country branches of credit institutions having their head office in a third country

AI Analysis

The CSSF has published a communication specifying the submission timeframe for a key DORA requirement. It mandates that third-country branches of credit institutions, whose head office is outside the EU, must submit their register of information on contractual arrangements with ICT third-party service providers. This register is a core DORA obligation for managing ICT third-party risk.

This change directly affects all credit institutions operating in the EU via a branch structure, where the parent entity is headquartered in a non-EU third country. These branches fall under the direct supervisory remit of the CSSF for DORA compliance.

Compliance teams at affected branches must now prepare to submit this register to the CSSF within the specified timeframe. They should immediately verify that their register is fully populated and accurate, encompassing all required contractual details with ICT providers, to ensure timely submission and adherence to this clarified deadline.