The Digital Operational Resilience Act (DORA) has introduced a new level of regulatory scrutiny around ICT risk and third-party dependencies within financial institutions. While much of the discussion has focused on incident reporting and operational resilience frameworks, a critical milestone is approaching in 2026 that requires more immediate attention.
This is not a routine compliance exercise. It represents a structural shift in how regulators assess operational risk across the financial ecosystem.
Register of Information (RoI) under DORA
The Register of Information (RoI), mandated under Article 28 of DORA, is a comprehensive, standardized record of all ICT third-party arrangements maintained by a financial entity.
Unlike traditional vendor inventories, the RoI requires firms to present a granular, structured, and regulator-aligned dataset that captures:
- The full universe of ICT third-party providers
- Classification of providers as critical or important
- Details of services provided and supported business functions
- Contractual arrangements, including outsourcing and sub-outsourcing
- Risk exposure, including concentration and dependency risks
The objective is clear: to provide regulators with a transparent and comparable view of third-party risk across institutions.
Why 31 March 2026 matters
The date 31 March 2026 serves as the reference point for the first RoI submission cycle.
This means:
- Firms must ensure that their Register of Information reflects their ICT third-party landscape at the required reference date in Q1 2026, as defined by their national regulator.
- Submissions are then made within regulator-specific reporting windows during March 2026, after which authorities consolidate and transmit the data to the European Supervisory Authorities by the end of the month.
While technically a “reference date,” its practical implication is more significant.
By 31 March 2026, firms must have fully identified, validated, and structured their ICT third-party data in accordance with DORA requirements.
Any gaps at this stage will directly impact the quality and completeness of the submission.
A shift from documentation to data
One of the defining characteristics of the RoI requirement is its emphasis on structured data over narrative documentation.
Historically, third-party risk management has relied heavily on:
- Policy documents
- Contract repositories
- Internal risk assessments
Under DORA, this approach is no longer sufficient.
Firms are now required to:
- Translate contractual and operational information into standardized data fields
- Align with regulatory taxonomies defined under the ITS/RTS
- Ensure consistency, completeness, and auditability of the dataset
This transition from document-centric compliance to data-driven reporting is where many organizations face challenges.
Common challenges in RoI preparation
As firms begin preparing for the 2026 submission, several recurring issues are emerging:
1. Lack of a centralized vendor inventory
ICT vendor data is often fragmented across multiple functions, including procurement, IT, legal, and risk. Consolidating this into a single, reliable dataset requires significant coordination.
2. Inconsistent classification of critical providers
Determining whether a provider is “critical” or “important” requires a clear, defensible methodology. In many cases, firms either lack such frameworks or apply them inconsistently across business units.
3. Unstructured contractual data
Key information required for RoI reporting such as service scope, subcontracting arrangements, and exit strategies which is typically embedded in legal contracts and not readily extractable into structured formats.
4. Misalignment with regulatory templates
The European Supervisory Authorities (ESAs) have defined detailed technical standards for RoI reporting. Mapping internal data to these templates is a non-trivial exercise, particularly where data definitions do not align.
Regulatory implications
The RoI is not merely a reporting requirement; it is a supervisory tool.
By standardizing third-party data across financial entities, regulators can:
- Identify systemic concentration risks (e.g., reliance on specific cloud providers)
- Assess the resilience of critical financial services
- Benchmark firms against peers
- Detect weaknesses in third-party risk management frameworks
This level of visibility increases the importance of accuracy, completeness, and consistency in reporting.
Conclusion
The 31 March 2026 reference date for the Register of Information marks a significant milestone in the implementation of DORA.
It signals a transition toward greater transparency and data-driven supervision of ICT risk within the financial sector.
Organizations that approach this requirement as a simple reporting obligation may find themselves underprepared. Those that invest early in data consolidation, standardization, and governance will be better positioned not only for compliance but also for ongoing regulatory scrutiny.
DataTracks has supported several financial institutions across the EU in navigating DORA reporting requirements, from structuring Register of Information datasets to aligning with regulatory templates.
If you would like to understand how to streamline your DORA reporting process and ensure readiness, get in touch with our team today.
Write to us at: contact@datatracks.com
Or call us at: +31 20 225 3702
