Asset Management | Compliance – DORA: Norwegian asset managers must report their ICT register by 13 March 2026

Background

Financial entities falling within DORA’s scope — including fully authorised alternative investment fund managers (“AIFMs“) and UCITS management companies — are obliged to maintain a comprehensive register of all ICT service agreements (the “Information Register”). The Information Register must be submitted to Finanstilsynet on an annual basis, with the inaugural submission due on 13 March 2026.

For the avoidance of doubt, sub-threshold AIFMs that are registered but not authorised under the AIF Act, are exempt from the DORA Act and not subject to these requirements.

What must be reported?

The scope of the Information Register is broader than many asset managers may have anticipated. It is not simply a catalogue of ICT suppliers and contractual arrangements. Firms are required to separately identify and assess each distinct type of ICT service provided under any given agreement, mapped against 19 standardised service categories (S01–S19). These categories span cloud services (IaaS, PaaS and SaaS), software licensing, ICT security, data storage, helpdesk support, network infrastructure and hardware.

For each service type identified, entities must:

• Identify which internal functions are supported by that service.
• Where a function is deemed critical or important: assess provider substitutability, reintegration possibilities, the impact of discontinuation and the availability of alternative providers.
• Identify the relevant ICT service suppliers and subcontractors by Legal Entity Identifier (“LEI”) number and/or European Unique Identifier (“EUID”).

How to report?

Submissions are made via the e-Reg portal in XBRL-CSV format — which requires the use of a conversion tool — or alternatively through e-Reg’s webform interface for manual entry. The individual responsible for making the submission must be registered in Altinn as a “Filler/submitter” prior to filing.

Action checklist

• Compile the Information Register — encompassing all ICT agreements, including cloud services, software licences and IT support arrangements.
• Map services by type — identify every distinct service type (S01–S19) per agreement and assess each individually.
• Classify functions — determine which functions supported by each service are critical or important.
• Collect LEI/EUID numbers for all suppliers and relevant subcontractors.
• Register your submitter in Altinn as “Filler/submitter” ahead of the deadline.
• Submit by 13 March 2026 — and ring-fence capacity for post-submission corrections.

BAHR comments

Asset managers would be mistaken to underestimate the complexity involved. The Information Register is a highly structured document with strict field interdependencies and demanding technical requirements. In practice, a significant number of firms have encountered material difficulties in converting their data into the prescribed format.

On 6 March 2026, Finanstilsynet specifically advised entities to allocate resources for potential corrections following the submission of the Information Register. It highlights that meeting the deadline is not even the finish line.

Asset managers should approach the Information Register as a living compliance document. Finanstilsynet may request access to it at any time, and DORA is widely expected to remain a supervisory priority throughout 2026. Firms should anticipate heightened scrutiny of their ICT risk management frameworks and third-party arrangements, and must ensure that the register is kept current — supported by robust internal risk assessments and contractual documentation that satisfies DORA’s requirements, including the specifically mandated standard contractual clauses.

For further background, please refer to our previous newsletters on DORA, here.