DORA Register of Information: Only 6.5% Passed All Checks. What This Tells Us.

The 6.5%

In January 2025, DORA entered into force across the European Union, bringing with it — among other obligations — the Register of Information (RoI): the structured register of all contracts with third-party ICT service providers that every financial entity must maintain and transmit to its competent authority.

In 2024, the ESAs organised a dry run: 1,039 financial entities submitted their registers under live-like conditions. Only 6.5% passed all data quality checks. 92 submissions did not even reach the data analysis stage: rejected for structural issues before being read at all.

This is not a commitment problem. The entities that participated were actively trying to comply. The issue is a fundamental misunderstanding of what the Register of Information actually is.

It's not a register. It's a data submission.

The RoI is not an internal governance document, nor an Excel spreadsheet to hand over to the NCA. It is a machine-readable submission in xBRL-CSV format, governed by a formal Data Point Model, automatically validated by the ESAs on three distinct layers: technical package structure, mandatory field completeness, and identifier verification against external sources (GLEIF for LEIs, BRIS for EUIDs).

This distinction changes the nature of the problem. It is not about "filling in the right fields" — it is about producing verifiable data, consistent across multiple templates, with identifiers that are active at the time of submission. A ZIP package with the wrong structure does not enter the system. An expired LEI fails external verification. A key field left blank breaks the referential integrity of all linked templates.

Where the machine breaks down

Dry run failures cluster in three areas, all sharing a common trait: they require information that financial entities do not hold independently.

ICT provider identifiers.

The RoI requires the LEI or EUID of the ICT provider — not a trade name, not a VAT number: a standardised, active, verified identifier. Many ICT contracts signed years ago do not include this data. Obtaining it means going back to the provider.

Ultimate Parent Undertaking.

For each ICT provider, the register requires the identifier of the ultimate parent undertaking. This information is in no standard contract. It requires mapping the provider's corporate structure all the way to the top of the control chain — which may be a non-EU holding company with no public disclosure obligation.

Contractual reference numbers.

The same contracts must be identified with the same reference numbers across all register templates. An entity managing contracts on systems not designed for DORA discovers inconsistent, duplicate, or missing numbering.

In all three cases, the solution is not an internal technical fix: it requires active engagement with ICT providers, with enough lead time before the deadline.

What changes now

The RoI cycle is annual. The reference date is December 31, with transmission to the ESAs by April 30 of the following year. This is not a one-off exercise: it is a recurring process to be governed over time.

There is however a dimension that goes beyond formal compliance. The registers submitted by financial entities are the primary data source through which the ESAs identify and designate Critical Third-Party Providers (CTPPs) — the ICT providers whose resilience is considered systemic for European financial stability. The completeness and accuracy of your register directly feeds this sector-wide mapping. An incomplete register is not just an individual compliance problem: it is a missing data point in an analysis that concerns the entire market.

Three concrete actions

If you are preparing for the 2026 cycle, three areas deserve immediate attention.

Start engaging your providers now.

Identifiers, corporate structures and parent undertakings take time to obtain. This is not last-week-before-deadline work.

Separate register governance from file production.

The register is a continuous process — every new contract, every relevant change must be captured. The xBRL-CSV file is its periodic output. Conflating the two is the primary source of structural errors.

Test your submission before the deadline.

The EBA validation tools allow you to verify the package structure and completeness locally before transmitting to your NCA. Using them systematically reduces the risk of rejection.

DORA is not a one-off compliance exercise: it is an ICT supplier governance system based on structured, verifiable, and transmittable data. The 6.5% dry run figure is not an industry result — it is a benchmark to beat.