As the first official year of Digital Operational Resilience Act (DORA) reporting concludes, the lessons for financial entities are becoming clear. This blog revisits key takeaways from the 2025 Register of Information (RoI) reporting cycle and offers practical guidance to help financial entities avoid common pitfalls and approach the 2026 RoI submission deadline confidently.

 

Lessons learned from 2025 DORA reporting

During the 2024 European Supervisory Authorities’ (ESAs) dry-run exercise, only 6.5% of nearly 1,000 firms across the EU successfully passed all 116 data quality checks, highlighting both the complexity of DORA reportingand why preparation is critical for the 2026 submission.

As the 2026 submission deadline approaches, these findings emphasise the need for stronger governance, improved data management, and proactive engagement with ICT service providers.

Many firms that struggled during the 2025 cycle underestimated the effort required to map third-party relationships, validate contractual details, and ensure consistency throughout file submission. With regulators now demanding greater accuracy and timeliness, the margin for error is diminishing.

 

Common RoI reporting pitfalls

The first year of RoI reporting under DORA revealed significant gaps in firms’ readiness and execution. These shortcomings highlight the importance of taking a proactive, structured approach ahead of the 2026 submission deadline to avoid repeating past mistakes. As such, firms should avoid the following issues in their next submission.

  • Submitting the register in the wrong format: All RoI submissions must be submitted in xBRL-CSV format.
  • Not following the European Banking Authority’s (EBA) guidance on the data point model: Firms should avoid the use of free text entries and ensure that the allowed codes and drop-down values are utilised.
  • Omitting mandatory data fields: All fields classed as mandatory must be completed as part of the submission.
  • Leaving supply chain fields blank: Firms should populate subcontractor details, assign ranks and correctly link providers to avoid gaps in reporting.
  • Mismanaging unique identifiers: Unique identifiers such as contract reference numbers and function IDs must not be duplicated.
 
 

How firms can prepare for 2026

While reporting in 2025 proved challenging for many firms, it provided a clear set of lessons that can now be used to strengthen governance, validation and submission processes ahead of the 2026 RoI deadline. To support a smoother submission this time around, organisations should take a proactive, structured approach focused on the following actions:

  • Engage third-party vendors early to secure all required data and avoid last-minute gaps.
  • Follow the most up-to-date guidance, including recent FAQs and clarifications, to ensure alignment with current regulatory expectations.
  • Leverage EBA post-submission insights, such as “Observations from reporting of RoI to the ESAs: Key common issues identified”, to address known problem areas.
  • Ensure that the data in the register reflects the position at 31 December 2025.
  • Bring in specialist external support where needed to strengthen governance and streamline complex reporting processes.
 
 

Key dates for the 2026 reporting cycle

While DORA is mandated at the EU level, national regulators have set their own submission timelines to allow for validation before forwarding reports to the European Supervisory Authorities by the 31 March 2026 deadline. Below are the key dates across major European jurisdictions for the 2026 reporting cycle.

 

At fscom, we support firms with governance reviews, RoI validation, and end-to-end reporting support. Get in touch today to ensure your 2026 DORA submission is accurate, timely, and compliant.

 

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where  appropriate.