
After the BaFin Deadline: What DORA-Obligated Companies Must Do Now
March 30, 2026 has passed. Your ICT third-party provider register is incomplete, three contract partners are still missing, and the compliance department only yesterday identified another provider that should have been reported. The deadline with BaFin is over. What now?
This situation is reality for many financial companies in Germany. The DORA ICT third-party provider reporting deadline on March 30, 2026 caught many institutions off guard — not because it was unknown, but because the operational complexity was underestimated. This article explains what happens after the reporting deadline, what consequences are looming, and how you can still close the gaps now.
⚠️ Deadline expired: The BaFin reporting deadline for the DORA ICT register has passed. Act now to avoid supervisory measures.
Brief Recap: What is the DORA ICT Third-Party Provider Register?
DORA, the Digital Operational Resilience Act, has been applicable in the EU since January 17, 2025. It obligates financial companies (banks, insurance companies, asset management companies, payment service providers, securities firms, etc.) to comprehensively manage their ICT third-party provider risks.
Core obligation: The information register. Every financial company must maintain a complete register of all ICT third-party providers — from cloud providers and data centers to Software-as-a-Service to Managed Security Services. The following must be reported: contract partners, type of ICT service, criticality for business operations, location of data storage, and subcontractors.
The first submission to BaFin was due on March 30, 2026. From 2026 onwards, BaFin forwards the registers to the European Supervisory Authorities (EBA, ESMA, EIOPA), also by March 31 each year.
What Happens After March 30 — BaFin Consequences
BaFin is not known for ignoring deadlines. The authority has clearly communicated in advance: The information register is not a voluntary exercise. DORA Art. 28 obligates financial companies to maintain and submit the register. Violations can result in:
Supervisory measures: BaFin can set an extension deadline, order corrective measures, or initiate audits.
Fines: For financial companies up to 10 million euros or 5% of total net revenue according to DORA Art. 50.
Reputational risk: In case of serious violations, BaFin can publicly announce sanctions.
Personal liability: Similar to NIS2, DORA also provides for management-level responsibility — board members can be directly sanctioned.
Important: BaFin not only checks whether a register was submitted, but also whether it is complete and correct. An incomplete register is a violation — even if it was submitted on time.
Closing Gaps in the Register: Supplementary Submission vs. Fine
The pragmatic message: It is better to proactively approach BaFin now than to wait until the authority identifies gaps itself. In supervisory practice, those who voluntarily submit supplementary information and communicate are evaluated more leniently than those who react to sanction pressure.
Practical approach for incomplete registers:
Gap analysis: Complete inventory of all ICT contractual relationships. Indirect providers (subcontractors of your direct contract partners) must also be captured.
Prioritization: Critical ICT services first — which providers are indispensable for business operations? These have priority in supplementary recording.
Documentation: For each provider: contractual basis, type of service, data storage location, subcontractors, criticality assessment.
Communication with BaFin: For significant gaps, proactive contact with BaFin is recommended, along with submission of a supplement to the register with explanatory notes.
DORA ICT Third-Party Risk Management: The Next Step
The information register is just one element of the DORA framework. In parallel — and with sometimes tighter deadlines — financial companies must build their entire ICT third-party provider risk management:
Risk classification: All providers must be classified by criticality. Critical ICT third-party providers are subject to stricter requirements.
Contractual minimum requirements: DORA Art. 30 prescribes specific minimum clauses for ICT contracts — exit strategies, audit rights, availability SLAs, data security, subcontractor transparency.
Exit strategies: For each critical provider, a documented exit plan must exist. Who can take over the service in an emergency?
Regular reviews: The register is not a one-time exercise; it must be continuously updated. New contractual relationships must be recorded immediately.
Concentration risk: BaFin and ESAs monitor how many financial companies depend on the same critical providers (e.g., AWS, Microsoft Azure, Google Cloud). Excessive concentration can trigger supervisory measures.
Everything about the original reporting deadline and the details of the ICT register: DORA Information Register: BaFin Reporting Deadline March 2026.
Frequently Asked Questions About the DORA ICT Register After the Deadline
Is there an official extension from BaFin?
A formal automatic extension is not provided. BaFin can set an extension in individual cases — but that is a supervisory measure, not a regular option. Those who proactively make contact and communicate gaps significantly improve their position compared to passive waiting.
Do small payment service providers also need to submit a complete ICT register?
DORA generally applies to all financial companies within the meaning of the regulation — regardless of size. However, DORA contains simplified rules in Art. 16 for micro-enterprises (under 10 employees, under 2 million euros revenue). All others are fully obligated.
What is the difference between direct and indirect ICT third-party providers?
Direct providers: Companies with which you have a direct ICT contract. Indirect providers: Subcontractors of your direct providers who are essential for the ICT service. DORA also requires transparency at the subcontractor level, especially when a subcontractor fulfills a critical function.
How often must the ICT register be updated and submitted?
The register must be kept continuously up to date internally. The annual submission to BaFin (and from there to the ESAs) takes place by March 31 each year. For significant changes (new critical provider, contract termination), the register should be updated internally immediately.
ADVISORI Supports You with DORA Implementation
Whether the issue is an incomplete register, missing contract clauses, or incomplete risk management, ADVISORI has specialized DORA consultants who support financial companies with complete compliance implementation, from gap analysis to communication with BaFin.
Contact us — the sooner you act, the better your starting position.
Ready to put your knowledge into action?
This article has given you food for thought. Let us take the next step together and discover how our expertise in DORA - Digital Operational Resilience Act can make your project a success.
Get information without obligation and discover potential.