Q&A Session on the DORA Information Register

1 Q&A Session on the DORA Information Register These are the questions and answers from a Q&A session on the information register in March 2026. My question is not listed here, how can I contact the AFM? If your question is not answered in the Q&A below, please contact dora@afm.nl. Many answers can also be found on the EBA website in the FAQ and the Key Common Issues Identified. What is the purpose of submitting the information registers / what do you do with the data? The AFM forwards the submitted information registers unchanged to the European supervisors. The aggregated information registers provide insight into chain and concentration risks in the financial sector. This data is subsequently used, among other things, for the designation of critical ICT service providers (CTPPs). In November 2025, the ESAs published the first list of 19 critical ICT service providers; they fall under the DORA oversight framework. Additionally, the AFM uses the submitted data for its data-driven and risk-based supervision. How does the process for submitting information registers to the AFM work? Companies can submit their information registers via the reporting obligation in the AFM portal. We will then forward them to the EBA, which checks whether the file meets all requirements. If errors are identified, we will relay the EBA's feedback to the company via the AFM portal (you can find the feedback as a .txt file in the reporting obligation). The reporting obligation will be reopened once the feedback has been uploaded. How quickly can I expect feedback? From March 2026, feedback will normally be available in the AFM portal within 1 working day; in exceptional cases, it takes 2 days. If it takes longer, please contact dora@afm.nl. How often may I submit? You may submit as often as you wish. After the register is uploaded to the AFM portal, it may take a few days before we receive feedback from the EBA. Once we have received the feedback, we will reopen the submission process so that a new submission can be made. When resubmitting the information register, it is important that the file has a different name than your previous submissions. You can do this by adjusting the last digits of the filename (timestamp). What is the final submission deadline for the information register? The initial submission must be completed in the AFM portal by 31 March 2026 at the latest. Corrections to submitted information registers to improve data quality (resubmissions) are welcome until 30 April.

2 Can't this be much more efficient? The AFM is aware of the impact of this European legislation on the market and, together with DNB, is striving to limit the supervisory burden. We support proposals that reduce the workload for the sector. Can I also submit via Excel? No. In 2026, information registers must be submitted to the AFM in the xBRL-CSV format. Excel is not accepted. In 2025, the AFM provided one-time (service-oriented) conversion, but this was explicitly temporary. In preparing for the 2026 submission, the AFM carefully weighed the need to support the market again against controlling supervisory costs. Which converter does the AFM recommend? The AFM is neutral and does not recommend specific suppliers. We see both paid and (free) open-source variants available on the market. We recommend using tooling that immediately performs good data quality checks. Additionally, we advise validating what the provider does with the data. Furthermore, it is important to pay attention to the following points: • not all XBRL converters are suitable for the information register. It is important that the converter can convert your register to xBRL-CSV (not iXBRL!); • check whether the converter supports the EBA taxonomy; • the xBRL-CSV file must meet several requirements; examples of what the file should look like are available on the EBA website. Can I resubmit last year's submission? Submitting the 2025 data will most likely result in error messages. However, you can use the 2025 submission as a basis for the 2026 submission. Which error codes do you see most frequently? Naming, folder structure, keys, mandatory fields, technical values for dropdown fields Naming European supervisors expect the file to follow this naming convention: DUMMYLEI123456789012.IND_NL_DORA010100_DORA_2025-12-31_YYYYMMDDHHMMSSsss. Files that do not comply with this naming convention will not be accepted in the AFM portal. Additionally, files must be delivered in a zipped folder. Both the name of the ZIP file and the underlying folder must comply with this naming convention. Key Fields The most common rejection is FK violation (error 807): you are referencing a key that does not exist in the source table (including self-references). Therefore, check referential integrity before uploading. Tooling can assist with this. Use exactly the key values (primary keys) prescribed by the data model (see annotated layout + DPM dictionary).

3 Dropdown Fields Always enter the technical codes in the CSV tables (e.g., eba_CO:x1 for arrangement type, or codes for currency/countries), not the readable label text. Check the “List of possible values for all data fields with drop downs” and the annotated table layout for this. How should we handle subcontractors / intra-group outsourcing? Intra-group outsourcing must be included in the register in the same way as any other outsourcing. For subcontractors, it must be assessed whether the security or continuity of service delivery is jeopardized if the subcontractor is removed. If the answer to this question is yes, it must also be included in the information register. Which contracting parties must be included in the information register? All contractual agreements with third-party ICT service providers must be included in the information register. The definition of ICT services in DORA is very broad, meaning something is quickly classified as an ICT service. Which validation rules apply? Validation is performed by the EBA. It uses the DORA Data Point Model (DPM) for this. Additionally, there is a Q&A containing certain rules. How should we handle it if a party does not have a LEI code? If your ICT service provider does not yet have a LEI or EUID, you must fill in another available identification number. You can choose from: • LEI or EUID for legal entities; • KVK or related number/tax number/passport number for natural persons; • For legal entities without a LEI or EUID, you may use another identification number. This will subsequently be flagged as a data quality issue, but the register will not be rejected. In table B.02.02, a location must be entered for data storage and processing (data storage location and data processing location). Can I enter “EU” here if no location is specified in the contract with the ICT service provider? No, it is not possible to enter anything other than one of the available options. If it is unknown in which country the data is stored/processed, the country that is closest can be entered for these fields. As long as one of the available options is selected for these fields, it will not impact the acceptance of the information register. Leaving the field blank will result in a rejection; if no data storage takes place, “not applicable” can be selected.

4 I cannot explain the feedback I received based on the ITS. How is that possible? Information registers are validated by the EBA. The starting point is that the FAQ is leading, followed by the DORA Data Point Model, and finally the ITS. It may occur that the FAQ and the Data Model do not align with the ITS; in such cases, the first two are leading. DORA's third-party ICT risk management framework and the Register of Information apply to ICT services that support the execution of a financial entity's core business functions. Digital advertising platforms, such as Meta Ads, Google Ads, LinkedIn Campaign Manager, and TikTok for Business, are primarily used by many financial entities for marketing and customer acquisition purposes. Question: Can the AFM clarify whether contractual arrangements with such advertising platforms fall within the scope of DORA’s ICT third-party risk framework? And specifically: does the answer change when the financial entity has a deeper technical integration with these platforms, for example via conversion-tracking APIs, uploading customer data for audience targeting, or tracking pixels embedded in the entity's own digital channels? Financial entities must include all third-party ICT service providers with whom a contract has been concluded in the information register. Digital advertising platforms fall under this as well. B_06.01: it is not possible to repeat the function identifier for different licensed activities. If the function is used for different activities, how should we indicate this? In that case, a new function identifier must be created. For each combination of LEI (B_06.01.0040), function (B_06.01.0030), and licensed activity (B_06.01.0020), a unique function identifier must be created. How should we handle suppliers that, according to our assessment, no longer fall within the scope of DORA? What end date should we indicate? If only active contracts must be included, why is there a field for the contract end date? ICT service providers no longer need to be included once the contract has ended. The end date field in table B_02.02.0080 must be filled in if the contract has a predetermined end date. If the contract does not have a predetermined end date, 9999-12-31 must be entered here. Regarding field B03.01.0030, last year this field had to be empty in the AFM Excel file, but in the EBA example file I see 'true'. I assume the EBA example file can be followed in this regard? The field B_03.01.0030 was created last year for the conversion from Excel to xBRL-csv by the AFM. This field is not a requirement from the ITS, FAQ, or the DORA data model and therefore does not need to be reported with the 2026 submission.

5 We are missing a certain materiality threshold in the DORA legislation regarding the inclusion of ICT service providers, partly given that the definition of ICT service is very broad (e.g., the ICT service does not necessarily have to relate to regulated activities). Does the AFM see possibilities (now or in the future) to exclude very small, immaterial parties from the register? The AFM (together with DNB) participates in various European working groups where, among other things, the annual call for the information register is evaluated. During these working groups, we share the signals we receive from the market (including questions regarding proportionality). Are the technical requirements according to the EBA website leading? When my report 100% complies with the framework and the example XBRL-CSV on the EBA website, can I assume that the AFM will accept my report? The AFM is not the supervisor that accepts the report. The European supervisors validate and accept the information register. The technical requirements of the EBA website are leading here. The only validation the AFM performs upon submission is whether the reporting entity's LEI code matches what is in our system and a check on the naming convention. If the LEI code does not match, we ask you to contact DORA@afm.nl Is it correct that no adjustments have been made to the Data Point Model (DPM) based on any evaluation of last year's information registers? Yes, no changes have been made to the DPM compared to last year. Is it correct that free services do not need to be included in the information register? All contractual agreements with third-party ICT service providers must be included in the information register. If you do not have a contractual agreement (because it concerns a free service), this does not need to be included in the register.